SO PANICKING. TrickBot Mobile App Bypasses 2‐Factor Authentication for Banking Services.

Bankingg Malware OTP.

The malware authors behind TrickBot banking Trojan have developed a new Android app that can intercept one-time authorization codes sent to Internet banking customers via SMS or relatively more secure push notifications, and complete fraudulent transactions.

The Android app, called "TrickMo" by IBM X-Force researchers, is under active development and has exclusively targeted German users whose desktops have been previously infected with the TrickBot malware.

"Germany is one of the first attack turfs TrickBot spread to when it first emerged in 2016," IBM researchers said. "In 2020, it appears that TrickBot's vast bank fraud is an ongoing project that helps the gang monetize compromised accounts."

The name TrickMo is a direct reference to a similar kind of Android banking malware called ZitMo that was developed by Zeus cybercriminal gang in 2011 to defeat SMS-based two-factor authentication.

The development is the latest addition in the arsenal of evolving capabilities of the banking trojan that has since morphed to deliver other kinds of malware, including the notorious Ryuk ransomware, act as an info stealer, loot Bitcoin wallets, and harvest emails and credentials.

Abusing Android's Accessibility Features to Hijack OTP Codes.

Initially spotted by the CERT-Bund last September, the TrickMo campaign works by intercepting a wide range of transaction authentication numbers (TANs), including one-time password (OTP), mobile TAN (mTAN), and pushTAN authentication codes after victims install it on their Android devices.

CERT-Bund's advisory went on to state that the Windows computers infected by TrickBot employed man-in-the-browser (MitB) attacks to ask victims for their online banking mobile phone numbers and device types in order to prompt them to install a fake security app — now called TrickMo.

Trickbott Banking Malware.

But given the security threats posed by SMS-based authentication — the messages can be easily hijacked by rogue third-party apps and are also vulnerable to SIM-swapping attacks — banks are beginning to increasingly rely on push notifications for users, which contain the transaction details and the TAN number.

To get over this hurdle of getting hold of the app's push notifications, TrickMo makes use of Android's accessibility features that allows it to record a video of the app's screen, scrape the data displayed on the screen, monitor currently running applications and even set itself as the default SMS app.

What's more, it prevents users of infected devices from uninstalling the app.

A Wide Range of Features

Once installed, TrickMo is also capable of gaining persistence by starting itself after the device becomes interactive or after a new SMS message is received. In addition, it features an elaborate settings mechanism that lets a remote attacker issue commands to turn on/off specific features (e.g., accessibility permissions, recording status, SMS app status) via a command-and-control (C2) server or an SMS message.

When the malware is run, it exfiltrates a wide range of information, including —

Personal device information

SMS messages

Recording targeted applications for a one-time password (TAN)

Photos

But to avoid raising suspicion when stealing the TAN codes, TrickMo activates the lock screen, thereby preventing users from accessing their devices. Specifically, it uses a fake Android update screen to mask its OTP-stealing operations.

And lastly, it comes with self-destruction and removal functions, which allows the cybercrime gang behind TrickMo to remove all traces of the malware's presence from a device after a successful operation.

The kill switch can also be activated by SMS, but IBM researchers found that it was possible to decrypt the encrypted SMS commands using a hard-coded RSA private key embedded in the source code, thus making it possible to generate the public key and craft an SMS message that can turn the self-destruct feature on.

Although this means that the malware can be remotely eliminated by an SMS message, it's fair to assume that a future version of the app could rectify the use of hard-coded key strings for decryption.

"The TrickBot trojan was one of the most active banking malware strains in the cybercrime arena in 2019," IBM researchers concluded.

"From our analysis, it is apparent that TrickMo is designed to help TrickBot break the most recent methods of TAN-based authentication. One of the most significant features TrickMo possesses is the app recording feature, which is what gives TrickBot the ability to overcome the newer pushTAN app validations deployed by banks."

THN

#osutayusuf

@osutayusuf.

UGANDA ELECTORAL COMMISSION TO ELIMINATE NATIONAL IDENTIFICATION CARDS (IDs) FOR 2021 GENERAL ELECTIONS.

The elimination of using National IDs (Ndagamuntu) for the 2021 elections should not have come as a surprise. One would be very NAIVE to think that Bobi Wine has not prepared for this in his Business Plan under the RISK section. It is public knowledge that our EC is not independent. It is also public knowledge that Military Dictator Yoweri Museveni will never lose an election. What stunned us this morning is when we noticed that on social media, people were mocking Bobi with his "get your Ndagamuntu". We are on record for saying to all Our readers that the National ID is like Apartheid in South Africa. Students of History would know how those IDs were being used to arrest people, deny them jobs, deny them basic services. Consequently, Bobi was not wrong and will never be wrong on the Ndagamuntu. Except the ones attacking him and mocking him forget that in Uganda, now, no National ID (Ndagamuntu), no service. If you have not been denied registering your child i...

Here is Why Our Utterances For Praying Jesus And God To Come Liberate Ugandans, May Be Misplaced. This Phrase is like inform of a Letter To Some Categorized Section Of Ugandans.

https://m.facebook.com/yusufosuta/photos/a.1896701010557789/2070383359856219/?type=3 OPEN LETTER TO NRM SUPPORTERS - NATIONAL ROBBERS MOVEMENT. .................................................................................. Last week of March, a friend told me to pray for Uganda. I told him that he was an Idiot and we have prayed for too long and we are still hungry and sick and Jesus is not coming soon to liberate us. He then ignored the STUPID and sent me a picture we all now know. It got me totally messed up. This guy was telling me to pray then sends a picture of men bowing down in blood. He might have meant guns but I blocked him because his utterances of praying for Uganda were misplaced. I unblocked him 3 weeks later and asked him about praying and assassinations. His reply "eithrr prayers or guns or both". I hate violence with a passion. So he is now blocked in like FOREVER. Do you feel safe? Do not feel safe. Uganda regim...

The Full List of Permanent Secretaries Appointed by President Museveni.

By virtue of the Powers given to the President by Article 174 (2) of the 1995 Constitution of the Republic of Uganda, I hereby, appoint the following as Permanent Secretaries as indicated below: 1. Head of Public Service and Secretary to Cabinet- Lucy Nakyobe 2. Deputy Head of Public Service And Secretary to Cabinet - Deborah Katuramu 3. State House Comptroller - Jane Barekye 4. Principal Private Secretary to the President- Dr. Kenneth Omona 5. Principal Private Secretary to H.E. the Vice President - Alex Kakooza 6. Office of the Prime Minister - Keith Muhakanizi 7. Office of the President - Yunus Kakande 8. Ministry of Agriculture, Animal - Industry and Fisheries David Kyomukama Kasura (Maj. Gen.) 9. Ministry of Defence and Veteran Affairs- Rosette Byengoma 10. Ministry of Education and Sports - Kate Lamaro 11. Ministry of Energy and Mineral Development - Batebe Irene 12. Ministry of Foreign Affairs - Vincent Bag...

Osuta Yusuf

Search This Blog