The hackers behind the infamous TrickBot banking Trojan have developed a new method of intercepting two-factor authentication (2FA) codes sent to online banking customers via SMS or push notification, using a rogue mobile app.
Until now, the most common method used to bypass 2FA has been SIM swap fraud, in which the attacker convinces a mobile carrier, through social engineering or a compromised employee, to port the target's phone number to a SIM the attacker controls, giving them temporary access to the 2FA codes sent via SMS.
According to IBM X-Force researchers, the new Android app used by the TrickBot authors is dubbed "TrickMo". It is still under active development and is, so far, exclusively targeted at German companies whose desktops have previously been infected with the TrickBot malware.
How do the hackers abuse Android's Accessibility features to hijack OTP codes?
Once installed on a victim's Android device, TrickMo intercepts transaction authentication numbers (TANs), including the widely used one-time password (OTP), pushTAN authentication codes and mobile TAN (mTAN) codes.
The TrickBot infection on the victim's computer (mostly Windows users) uses man-in-the-browser (MitB) attacks to coax the victim into entering their online banking mobile phone number and device type, and then prompts them to install TrickMo, which poses as a security app.
The risk with SMS-based authentication is that messages can be read by any app on the phone that holds the SMS permission, and the channel is also vulnerable to SIM-swap fraud; as a result, banks have begun to rely instead on push notifications that deliver the transaction details and the TAN to the user's device. A push notification, however, still lands on the same handset, so a malicious app with accessibility or notification access on that handset can read it just as easily, which is precisely what TrickMo exploits.
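Because both interception paths described above depend on a third-party app holding accessibility-service or notification-listener access, a quick triage on an Android device is to list those grants and compare them against an allowlist. The following is an added example (not code from the article, IBM X-Force or TrickMo) that parses the two settings strings Android returns for `adb shell settings get secure enabled_accessibility_services` and `adb shell settings get secure enabled_notification_listeners`; the sample outputs, the package `com.example.secureauth` and the allowlist are constructed for the demonstration.

```python
# Added example: flag apps with accessibility or notification-listener access
# that a fleet admin has not approved. On a real device the raw strings come from
#   adb shell settings get secure enabled_accessibility_services
#   adb shell settings get secure enabled_notification_listeners
# Both are colon-separated ComponentName strings ("pkg/class:pkg/class"),
# or the literal "null" when nothing is enabled.
from typing import Dict, List, Set


def parse_component_list(raw: str) -> List[str]:
    """Turn a `settings get secure` value into a list of component names."""
    raw = raw.strip()
    if not raw or raw == "null":
        return []
    return [c for c in raw.split(":") if c]


def package_of(component: str) -> str:
    """'com.foo/com.foo.Svc' -> 'com.foo'."""
    return component.split("/", 1)[0]


def find_unexpected(raw: str, allowlist: Set[str]) -> List[str]:
    """Components present in the setting but absent from the allowlist."""
    return sorted(c for c in parse_component_list(raw) if c not in allowlist)


def audit_device(settings: Dict[str, str], allowlist: Set[str]) -> Dict[str, List[str]]:
    """Per setting key, the components that were not approved."""
    return {key: find_unexpected(raw, allowlist) for key, raw in settings.items()}


def packages_with_both(settings: Dict[str, str]) -> List[str]:
    """Packages holding accessibility AND notification-listener access.

    Either grant alone can read an OTP shown on screen or in a notification;
    one third-party package holding both deserves a closer look.
    """
    acc = {package_of(c) for c in parse_component_list(
        settings.get("enabled_accessibility_services", ""))}
    notif = {package_of(c) for c in parse_component_list(
        settings.get("enabled_notification_listeners", ""))}
    return sorted(acc & notif)


# Constructed sample output: TalkBack (legitimate) plus a hypothetical
# "security app" package that has been granted both kinds of access.
SAMPLE_SETTINGS = {
    "enabled_accessibility_services": (
        "com.google.android.marvin.talkback/"
        "com.google.android.marvin.talkback.TalkBackService:"
        "com.example.secureauth/com.example.secureauth.AccessService\n"
    ),
    "enabled_notification_listeners": (
        "com.example.secureauth/com.example.secureauth.NotificationReader\n"
    ),
}

# Assumed allowlist: only the stock screen reader is approved.
ALLOWLIST = {
    "com.google.android.marvin.talkback/"
    "com.google.android.marvin.talkback.TalkBackService",
}

if __name__ == "__main__":
    for key, hits in audit_device(SAMPLE_SETTINGS, ALLOWLIST).items():
        for component in hits:
            print(f"[!] {key}: unexpected {component}")
    for pkg in packages_with_both(SAMPLE_SETTINGS):
        print(f"[!!] {pkg} holds both accessibility and notification access")
```

A hit on its own is not proof of compromise (accessibility services are legitimately used by screen readers and password managers), but an unrecognised package that holds both grants on a device belonging to an online-banking user is exactly the pattern to pull for analysis.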
TrickMo Malware App: Mode of Operation
TrickMo gains persistence by restarting itself whenever the device becomes interactive or a new SMS message arrives. It also includes a mechanism that lets a remote attacker, through a command-and-control (C&C) server, turn specific features on or off on the infected device, for instance recording and accessibility permissions.
To avoid raising suspicion, TrickMo activates the lock screen while it steals TAN codes, so the user does not see the device being operated. It can also erase all traces of its presence from the device once an operation succeeds: a self-destruct and removal function lets the cybercriminals stay undetected.
IBM researchers did, however, find a way to decrypt the encrypted SMS commands: the RSA private key is hard-coded in the app's source. Because an RSA private key carries the public modulus and exponent, anyone holding it can derive the matching public key, encrypt a command of their own and send it as an SMS, for example one that triggers the self-destruct feature.
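The weakness is easy to reproduce in miniature. The following is an added example, not the article's, IBM's or TrickMo's code, and it does not use TrickMo's real key, command names or SMS syntax (the `SELFDESTRUCT` and `ACCESSIBILITY=` commands are hypothetical). It uses textbook RSA without padding and a constructed demo key built from two small Mersenne primes, purely to show that a private key already contains the public components, so whoever extracts it from the app can forge any command the app will accept.

```python
# Added example: why a hard-coded RSA private key lets anyone forge C&C commands.
# Textbook RSA (no padding) with a deliberately tiny constructed key; the command
# vocabulary and SMS format are hypothetical stand-ins for the real malware's.

# Constructed demo key: p = 2^61-1 and q = 2^31-1 are Mersenne primes and
# gcd(e, (p-1)(q-1)) = 1 for e = 65537. Far too small for real use.
P = (1 << 61) - 1
Q = (1 << 31) - 1
E = 65537
N = P * Q
PHI = (P - 1) * (Q - 1)
D = pow(E, -1, PHI)  # modular inverse, Python 3.8+

# A PKCS#1-style private key carries n and e alongside d, p and q. This dict
# plays the role of the key IBM found embedded in the app's source.
HARDCODED_PRIVATE_KEY = {"n": N, "e": E, "d": D, "p": P, "q": Q}

BLOCK = 8  # bytes per block; any 64-bit value is < N (about 2^92)


def derive_public_key(private_key: dict) -> dict:
    """No factoring needed: the public key is a subset of the private key."""
    return {"n": private_key["n"], "e": private_key["e"]}


def encrypt_command(public_key: dict, command: str) -> str:
    """Encrypt an ASCII command block-wise; blocks are hex, joined with ':'."""
    data = command.encode("ascii")
    blocks = []
    for i in range(0, len(data), BLOCK):
        m = int.from_bytes(data[i:i + BLOCK], "big")
        blocks.append(format(pow(m, public_key["e"], public_key["n"]), "x"))
    return ":".join(blocks)


def decrypt_command(private_key: dict, ciphertext: str) -> str:
    """What the malware does with an incoming SMS command (ASCII only:
    leading zero bytes from a short final block are stripped)."""
    out = bytearray()
    for hexblock in ciphertext.split(":"):
        m = pow(int(hexblock, 16), private_key["d"], private_key["n"])
        out += m.to_bytes(BLOCK, "big").lstrip(b"\x00")
    return out.decode("ascii")


def malware_handle_sms(private_key: dict, sms_body: str) -> str:
    """Hypothetical command dispatcher; returns the action it took."""
    cmd = decrypt_command(private_key, sms_body)
    if cmd == "SELFDESTRUCT":
        return "self-destruct: wiping app and traces"
    if cmd.startswith("ACCESSIBILITY="):
        return "accessibility " + cmd.split("=", 1)[1]
    return "unknown command ignored"


def forge_kill_switch(private_key: dict) -> str:
    """Researcher's step: derive the public key from the leaked private key
    and produce an SMS body the malware will accept as a self-destruct order."""
    return encrypt_command(derive_public_key(private_key), "SELFDESTRUCT")


if __name__ == "__main__":
    sms = forge_kill_switch(HARDCODED_PRIVATE_KEY)
    print("forged SMS body:", sms)
    print("malware reaction:", malware_handle_sms(HARDCODED_PRIVATE_KEY, sms))
```

The design lesson for anyone building a command channel is the mirror image: the device should hold only a public key (for verifying signed commands) and the operator the private one, so that extracting the app yields nothing that lets a third party issue orders. Here the roles are inverted, and the "secret" shipped to every victim is all an analyst needs.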