Skip to main content

SO PANICKING. TrickBot Mobile App Bypasses 2‐Factor Authentication for Banking Services.



              Bankingg Malware OTP.

The malware authors behind TrickBot banking Trojan have developed a new Android app that can intercept one-time authorization codes sent to Internet banking customers via SMS or relatively more secure push notifications, and complete fraudulent transactions.
The Android app, called "TrickMo" by IBM X-Force researchers, is under active development and has exclusively targeted German users whose desktops have been previously infected with the TrickBot malware.
"Germany is one of the first attack turfs TrickBot spread to when it first emerged in 2016," IBM researchers said. "In 2020, it appears that TrickBot's vast bank fraud is an ongoing project that helps the gang monetize compromised accounts."
The name TrickMo is a direct reference to a similar kind of Android banking malware called ZitMo that was developed by Zeus cybercriminal gang in 2011 to defeat SMS-based two-factor authentication.

The development is the latest addition in the arsenal of evolving capabilities of the banking trojan that has since morphed to deliver other kinds of malware, including the notorious Ryuk ransomware, act as an info stealer, loot Bitcoin wallets, and harvest emails and credentials.
Abusing Android's Accessibility Features to Hijack OTP Codes.

Initially spotted by the CERT-Bund last September, the TrickMo campaign works by intercepting a wide range of transaction authentication numbers (TANs), including one-time password (OTP), mobile TAN (mTAN), and pushTAN authentication codes after victims install it on their Android devices.
CERT-Bund's advisory went on to state that the Windows computers infected by TrickBot employed man-in-the-browser (MitB) attacks to ask victims for their online banking mobile phone numbers and device types in order to prompt them to install a fake security app — now called TrickMo.

             Trickbott Banking Malware.

But given the security threats posed by SMS-based authentication — the messages can be easily hijacked by rogue third-party apps and are also vulnerable to SIM-swapping attacks — banks are beginning to increasingly rely on push notifications for users, which contain the transaction details and the TAN number.
To get over this hurdle of getting hold of the app's push notifications, TrickMo makes use of Android's accessibility features that allows it to record a video of the app's screen, scrape the data displayed on the screen, monitor currently running applications and even set itself as the default SMS app.
What's more, it prevents users of infected devices from uninstalling the app.
A Wide Range of Features
Once installed, TrickMo is also capable of gaining persistence by starting itself after the device becomes interactive or after a new SMS message is received. In addition, it features an elaborate settings mechanism that lets a remote attacker issue commands to turn on/off specific features (e.g., accessibility permissions, recording status, SMS app status) via a command-and-control (C2) server or an SMS message.

When the malware is run, it exfiltrates a wide range of information, including —
Personal device information
SMS messages
Recording targeted applications for a one-time password (TAN)
Photos
But to avoid raising suspicion when stealing the TAN codes, TrickMo activates the lock screen, thereby preventing users from accessing their devices. Specifically, it uses a fake Android update screen to mask its OTP-stealing operations.
And lastly, it comes with self-destruction and removal functions, which allows the cybercrime gang behind TrickMo to remove all traces of the malware's presence from a device after a successful operation.
The kill switch can also be activated by SMS, but IBM researchers found that it was possible to decrypt the encrypted SMS commands using a hard-coded RSA private key embedded in the source code, thus making it possible to generate the public key and craft an SMS message that can turn the self-destruct feature on.
Although this means that the malware can be remotely eliminated by an SMS message, it's fair to assume that a future version of the app could rectify the use of hard-coded key strings for decryption.
"The TrickBot trojan was one of the most active banking malware strains in the cybercrime arena in 2019," IBM researchers concluded.
"From our analysis, it is apparent that TrickMo is designed to help TrickBot break the most recent methods of TAN-based authentication. One of the most significant features TrickMo possesses is the app recording feature, which is what gives TrickBot the ability to overcome the newer pushTAN app validations deployed by banks."

THN

#osutayusuf

@osutayusuf.

Comments

Popular posts from this blog

We Bring You Brief Series of Sanctions Against Uganda Government Officials.

πŸ“Έ: Gen Abel Kandiho. On 9-December-2021, USA slapped sanctions against the then CMI Commander Gen Abel Kandiho. πŸ“Έ: Gen Kale Kayihura. On 9-December-2022, UK slapped sanctions against former Police Boss Gen Kale Kayihura. πŸ“Έ: Commissioner General of Prisons, Johnson Byabashaija. Again on this 4-December-2023, the same USA has slapped sanctions against Uganda Prisons Commander Johnson Byabashaija over alleged torture and human rights abuses in Prisons across Uganda. We ask, has USA and UK made December as an LCM to slap sanctions against high ranking government officials in Uganda even when the sanctions just remain on paper without deeper investigations to ascertain logical conclusions or remedy to that effect ?. #iip_updates  #Information_is_Power  #we_inform_the_uninformed

How to Host a Website for Free From Your PC or Laptop.

Why pay for a web hosting service when your old computer can do the same thing? Learn how to self-host your site. If you're planning to launch a website but don't want to pay recurring monthly or annual hosting fees, you can use any old laptop or desktop PC to host a website for free. It's a great way to utilize your old system instead of throwing it away. In this guide, we will install and set up services on our 10-year-old laptop to host a WordPress, Joomla, or custom HTML or PHP-based website with a free SSL certificate. MAKEUSEOF VIDEO OF THE DAY Things You Will Need to Host a Website Following are the pre-requisites to host a website for free from home with just your computer: An old laptop or PC running Ubuntu Server. A registered domain name for your website Ethernet cable to connect the laptop or PC to router for reliable and fast connection Step 1: Update and Upgrade the Packages After  installing Ubuntu Server on your computer , execute the following c...

WHERE IS MINISTER OF SEX SIMON LOKODO?. (He deserves a battle of soda from me! Ministe`r esalanga mabee. He is quick to run after Mrs Dr Stella Nyanzi and other Opposition elements. Government aza aza edo zuu vaa kpere bua). Anyway, below is the article! POLICE OFFICER AKOL ESTHER CHARGED OF BEING A PUBLIC NUISANCE Naughty Officer Officer who embarrassed police after leaking nude photo charged 13.03.2018 She serves in the 'Very Important Persons Protection Unit'  Akol Esther  (Courtesy) A female police officer whose nude photo surfaced on social media has been charged of being a public nuisance. Akol Esther serves in the Very Important Persons Protection Unit (VIPPU) of the police force. Kampala Metropolitan Police spokesperson Luke Owoyesigire says Akol Esther might be demoted or expelled from the police force if found guilty of circulating nude photos. Police court is yet to announce date when Akol Esther is expected to appear for a hearing. This comes at a time when Pornography Control Committee is taking tough measures against persons circulating pornography content. The committee warned and promised to arrest persons who will circulate pornographic content.

POLICE OFFICER AKOL ESTHER CHARGED OF BEING A PUBLIC NUISANCE Naughty Officer Officer who embarrassed police after leaking nude photo charged 13.03.2018 She serves in the 'Very Important Persons Protection Unit' Akol Esther  (Courtesy) A female police officer whose nude photo surfaced on social media has been charged of being a public nuisance. Akol Esther serves in the Very Important Persons Protection Unit (VIPPU) of the police force. Kampala Metropolitan Police spokesperson Luke Owoyesigire says  Akol Esther might be demoted or expelled from the police force if found guilty of circulating nude photos . Police court is yet to announce date when Akol Esther is expected to appear for a hearing. This comes at a time when Pornography Control Committee is taking tough measures against persons circulating pornography content. The committee warned and promised to arrest persons who will circulate pornographic content.