Android malware intercepts 2FA codes from banks

News by Rene Millman

TrickMo malware steals transaction authorisation codes from victims

Android malware is intercepting two-factor authentication (2FA) codes from banks to carry out bank fraud, IBM Security's Trusteer group has warned.

Dubbed “TrickMo”, the malware intercepts one-time security codes from SMS messages and transfers them via a C&C server to the attackers, wrote Pavel Asinovsky, malware researcher at Trusteer.

The attack starts with the infection of a computer by Trickbot. Trickbot is installed by the Emotet malware, which spreads through documents containing malicious macros. Once Trickbot is active on the computer, it waits until the user starts an internet banking session. The malware then injects an extra field into the banking site that asks for the user's mobile phone number and device type.

When the user indicates that they are using an Android device, they receive a message prompting them to install a "security app". In reality, this app is the TrickMo malware. It intercepts TAN codes sent via SMS, as well as one-time passwords (OTPs) delivered via push notifications. Trickbot has already captured the data needed to access the bank account on the computer, but many banks require a 2FA code to confirm each transaction, and those codes are what TrickMo intercepts.

Researchers said that the malware abuses Android's accessibility service, for which it asks the user's permission. This service was originally developed by Google for people with disabilities. TrickMo uses it to make itself the default SMS app, monitor which applications are active, scrape text from the screen, and perform certain "taps". For example, the malware can make choices on behalf of the user before they have a chance to respond.
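The two device settings that the behaviour above relies on, the list of enabled accessibility services and the default SMS handler, can both be read with `adb shell settings get secure ...` and checked against an allowlist. The audit below is an added example, not code from the article or from Trusteer; the sample setting values and the `com.example.securityapp` package name are constructed, and the allowlisted packages are placeholders to be replaced with what a given fleet actually permits.

```python
"""Offline audit of two Android settings that TrickMo-style malware abuses:
the enabled accessibility services and the default SMS app.

The inputs are the raw strings printed by
  adb shell settings get secure enabled_accessibility_services
  adb shell settings get secure sms_default_application
The sample values at the bottom are constructed, not captured from a device.
"""
from dataclasses import dataclass

# Placeholder allowlists: packages an organisation expects to hold these roles.
TRUSTED_ACCESSIBILITY = {"com.google.android.marvin.talkback"}
TRUSTED_SMS_APPS = {"com.google.android.apps.messaging", "com.android.mms"}


@dataclass(frozen=True)
class Finding:
    kind: str      # "accessibility" or "default_sms"
    package: str
    detail: str


def parse_accessibility_services(raw: str) -> list[str]:
    """Split the colon-separated 'package/ServiceClass' list into entries."""
    raw = raw.strip()
    if not raw or raw == "null":          # "null" means no services enabled
        return []
    return [entry for entry in raw.split(":") if entry]


def audit_device(accessibility_raw: str, default_sms_raw: str) -> list[Finding]:
    """Flag accessibility services and SMS handlers outside the allowlists."""
    findings: list[Finding] = []
    for entry in parse_accessibility_services(accessibility_raw):
        package = entry.split("/", 1)[0]
        if package not in TRUSTED_ACCESSIBILITY:
            findings.append(Finding("accessibility", package,
                                    f"unexpected accessibility service {entry}"))
    sms_app = default_sms_raw.strip()
    if sms_app and sms_app != "null" and sms_app not in TRUSTED_SMS_APPS:
        findings.append(Finding("default_sms", sms_app,
                                "default SMS handler is not an approved app"))
    return findings


# Constructed sample: a sideloaded "security app" (placeholder package name)
# registered an accessibility service and took over the SMS role.
SAMPLE_ACCESSIBILITY = ("com.google.android.marvin.talkback/"
                        "com.google.android.marvin.talkback.TalkBackService:"
                        "com.example.securityapp/com.example.securityapp.A11yService")
SAMPLE_DEFAULT_SMS = "com.example.securityapp"

if __name__ == "__main__":
    for f in audit_device(SAMPLE_ACCESSIBILITY, SAMPLE_DEFAULT_SMS):
        print(f"[{f.kind}] {f.package}: {f.detail}")
```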

“The feature that makes TrickMo different from standard SMS stealers is its unique ability to record the screen when targeted apps are running,” wrote Asinovsky. “This feature was enabled only in newer versions of TrickMo that were tailored specifically for German banks and use a special application for implementing TAN-based 2FA.”

After the malware has stolen the OTP or mobile TAN code, TrickMo activates the screen lock and prevents the user from accessing the device, giving the malware more time to empty the bank account.

TrickMo is clearly still under extensive development, and he would expect new versions of the malware to be released in the near future, Asinovsky wrote.

“It would be a fair assumption that other malware families will follow this model, and we will see more advanced malware groups adopting TrickMo’s features and techniques,” he added.

Oliver Pinson-Roxburgh, co-founder of Bulletproof, told SC Media UK that if corporate devices are provided by the business, then the business should be using mobile device management (MDM) solutions to ensure that the user is restricted in what they can install, and it’s imperative to have an approved, tested set of apps.

“What is interesting about this is that the attackers are looking for ways around 2FA, stealing authorisation codes, SMS messages and more from the victims. As we, the defenders, introduce new controls, the attackers have to evolve. It takes a long time for businesses to start using new technologies typically, so the attackers rinse and repeat old attacks until they need to innovate,” he said.
