Malware that steals transaction authorisation codes is now beginning to be seen

Most online banking systems now rely on authorisation codes sent to your phone, and we presume this to be a safe methodology. But can this system be interfered with?

Android malware is intercepting two-factor authentication (2FA) codes from banks to carry out bank fraud, IBM Security’s Trusteer group has warned.

Named “TrickMo”, the malware intercepts one-time security codes from SMS messages and transfers them via a C&C server to the attackers, the group explained.

It is claimed the malware works in the following way:

The attack starts with the infection of a computer by Trickbot. Trickbot is installed by the Emotet malware, which spreads through documents carrying malicious macros. Once Trickbot is active on the computer, it stays dormant until the user starts an internet banking session. It then injects an extra field into the banking site that asks for the user’s mobile phone number and device type.

If the user indicates that he is using an Android device, he receives a message asking him to install a “security app”. This is actually the TrickMo malware. TrickMo intercepts TAN codes sent via SMS, as well as one-time passwords (OTPs) received via notifications. Trickbot has already captured the login data on the computer needed to access the bank account, but many banks require a 2FA code to confirm each transaction, and that code is what TrickMo intercepts. Very tricky!

The malware abuses the Android accessibility service, for which it asks the user’s permission. This service was originally developed by Google for people with disabilities. TrickMo uses it to become the default SMS app, monitor active applications, scrape text from the screen and perform certain “taps” on the user’s behalf. In this way the malware can make choices for the user before they have had time to respond.

The feature that sets TrickMo apart from standard SMS stealers is its ability to record the screen while targeted apps are running. This was enabled only in newer versions of TrickMo that were tailored specifically for German banks, which use a dedicated application to implement TAN-based 2FA.

When a business provides corporate devices, a mobile device management (MDM) solution should be used to restrict what users can install, which in turn makes a tested set of approved apps essential.
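The two paragraphs above describe TrickMo taking over the accessibility service and the default SMS role, and the case for tightly controlling which apps a managed device may run. The following is an added example, not code from the original post or from IBM, of a defender-side audit that compares those two device settings against an organisation’s allowlist. The two `Settings.Secure` keys are real Android keys; the allowlists, the package names and the sample device readings are constructed for illustration.

```python
"""Audit an Android device's accessibility-service and default-SMS settings.

Added example (not part of the original post). The two Settings.Secure keys
read here are real Android keys, read on a managed device with
`adb shell settings get secure <key>`; the sample values below are
constructed, not captured from a real device.
"""
from typing import Dict, List

# Packages the organisation has reviewed and permits to hold these roles
# (constructed allowlist; adjust for your own fleet).
ALLOWED_ACCESSIBILITY = {"com.google.android.marvin.talkback"}
ALLOWED_SMS_APPS = {"com.google.android.apps.messaging"}


def parse_accessibility_services(raw: str) -> List[str]:
    """Split the colon-separated 'enabled_accessibility_services' value into
    'package/service' entries; an empty value or 'null' means none enabled."""
    raw = raw.strip()
    if not raw or raw == "null":
        return []
    return [entry for entry in raw.split(":") if entry]


def audit_device(settings: Dict[str, str]) -> List[str]:
    """Return findings for a device's secure settings; empty list means clean."""
    findings: List[str] = []
    raw_services = settings.get("enabled_accessibility_services", "")
    for entry in parse_accessibility_services(raw_services):
        package = entry.split("/", 1)[0]  # entries look like pkg/ServiceClass
        if package not in ALLOWED_ACCESSIBILITY:
            findings.append(f"unreviewed accessibility service enabled: {entry}")
    sms_app = settings.get("sms_default_application", "").strip()
    if sms_app and sms_app not in ALLOWED_SMS_APPS:
        findings.append(f"unreviewed default SMS app: {sms_app}")
    return findings


# Constructed samples: a clean device, and one where a sideloaded
# "security app" holds both the accessibility role and the default-SMS role.
TALKBACK = "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService"
CLEAN_DEVICE = {
    "enabled_accessibility_services": TALKBACK,
    "sms_default_application": "com.google.android.apps.messaging",
}
SUSPECT_DEVICE = {
    "enabled_accessibility_services": TALKBACK + ":com.example.securityapp/.AccessSvc",
    "sms_default_application": "com.example.securityapp",
}

if __name__ == "__main__":
    for name, device in (("clean", CLEAN_DEVICE), ("suspect", SUSPECT_DEVICE)):
        print(name, audit_device(device) or ["no findings"])
```

An MDM that already restricts installs to the approved set should make the suspect case impossible; running a check like this over a fleet confirms that the restriction actually holds.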

Once it has stolen the OTP or mobile TAN code, TrickMo activates the screen lock and prevents the user from accessing the device, giving the malware more time to empty the bank account.

TrickMo still appears to be under active development, and new versions of the malware are, sadly, expected in the near future.

Attackers work by looking for ways around 2FA, stealing authorisation codes, SMS messages and the like from their victims. When users introduce new controls, the attackers have to evolve; until then, they target the unsuspecting. Be warned!