
TrickMo

TrickMo is an Android banking trojan originally discovered by CERT-Bund in September 2019 and first analyzed by IBM X-Force in March 2020 as a mobile companion to the TrickBot desktop banking trojan. The original TrickMo functioned as a 2FA bypass tool, intercepting one-time passwords sent via SMS or push notifications to German banking customers whose PCs were already infected with TrickBot. It adopted overlay attacks as its primary credential theft method in 2021, marking its transition from a TrickBot companion into a standalone banking trojan. After a period of low activity, TrickMo resurfaced in late 2023 and escalated through 2024 with substantial upgrades. In September 2024 Cleafy documented new variants with advanced anti-analysis techniques and overlay injection, and found a misconfigured C2 that leaked 12 GB of stolen victim data. Cyble reported on its expanded 45-command instruction set, and Zimperium identified 40 variants, 16 droppers, and 22 active C2 servers along with a fake lock screen designed to steal device PINs and unlock patterns.

Overview

| Attribute | Details |
|---|---|
| First Seen | September 2019 (CERT-Bund), analyzed March 2020 (IBM X-Force) |
| Status | Active, multiple variants in circulation as of late 2024 |
| Type | Banking trojan, credential stealer, 2FA bypass |
| Attribution | Originally linked to TrickBot operators; relationship unclear in 2024 variants |
| Distribution | Phishing, dropper disguised as Google Chrome, TiramisuDropper |
| Aliases | TrickBot Mobile, TrickMo 2.0 |

Origin and Lineage

TrickMo began as a purpose-built mobile component for the TrickBot ecosystem. IBM X-Force's 2020 analysis documented how TrickBot infections on Windows machines used man-in-the-browser attacks to prompt victims for their mobile phone number and device type, then delivered a fake "security app" that was actually TrickMo. The naming convention mirrors ZitMo (Zeus-in-the-Mobile), a similar 2FA-interception companion developed for the Zeus banking trojan in 2011.

The original TrickMo exclusively targeted German banking customers and focused narrowly on intercepting SMS and push notification OTPs. Germany was one of TrickBot's earliest attack markets when it emerged in 2016, and TrickMo served as its mobile extension for defeating German banks' transaction authentication number (TAN) systems. The malware could intercept OTPs, mobile TANs (mTAN), and pushTAN authentication codes, covering the full spectrum of second-factor methods used by German financial institutions.

In July 2021, TrickMo adopted overlay attacks as its primary credential theft method, marking a shift from a passive OTP interceptor to an active credential phisher. This change effectively severed its dependency on a desktop TrickBot infection, allowing TrickMo to operate as a standalone banking trojan. From mid-2021 through 2022, activity dropped significantly, with only six samples identified, two of which introduced an expanded set of 40 commands.

The 2024 resurgence represents a dramatic expansion in scope and capability. The malware evolved into a full-featured banking trojan with overlay injection, screen recording, device credential theft, accessibility-based automation, and a command set of 45 distinct instructions. The relationship to the original TrickBot group remains unclear, as TrickBot's infrastructure was disrupted by law enforcement in 2022.

Distribution

Dropper Chain

The 2024 TrickMo variants spread through phishing campaigns that deliver a dropper app disguised as Google Chrome. Cleafy documented that the dropper prompts the victim to "update Google Play Services" by tapping a confirmation button. Accepting the prompt downloads and installs the TrickMo payload under the name "Google Services." Both the dropper and the payload share the same anti-analysis mechanisms, suggesting coordinated development.

| Vector | Details |
|---|---|
| Phishing | Links delivered via SMS and messaging apps directing victims to malicious downloads |
| Dropper app | Disguised as Google Chrome, installs TrickMo as "Google Services" |
| Social engineering | Fake Google Play Services update prompt triggers payload installation |
| TiramisuDropper | Session-based package installer that bypasses Android 13+ accessibility restrictions |

TiramisuDropper and Android 13+ Bypass

Android 13 introduced Restricted Settings, which prevents sideloaded apps from requesting accessibility service permissions. This restriction specifically targets apps installed outside of official stores by checking the installation method. Apps installed through session-based package installers (the method used by legitimate app stores) are exempt from this restriction.

TrickMo operators leverage TiramisuDropper, a malware loader that uses session-based package installer APIs to install the payload in a way that mimics a legitimate app store installation. Because the payload appears to have been installed through a session-based installer, Android's Restricted Settings do not block it from requesting accessibility permissions. Data collected from April through December 2024 shows TiramisuDropper facilitating distribution of multiple malware families, with Hook at 29.9% of observed infections, TgToxic at 22%, and TrickMo at 14.8%.

Original Distribution (2019-2020)

The original TrickMo was not distributed independently. TrickBot infections on Windows desktops used man-in-the-browser web injection attacks to display a prompt within the victim's online banking session, requesting their phone number and device type. The victim then received an SMS with a link to download a fake "security app" for their bank. This delivery model required an active TrickBot infection as a prerequisite, making TrickMo entirely dependent on the desktop component for distribution.

Capabilities

Core Features

| Capability | Implementation |
|---|---|
| Overlay injection | HTML-based fake login pages displayed over targeted banking and crypto apps |
| OTP interception | Captures SMS messages and push notifications containing authentication codes |
| Screen recording | Records device screen to capture credentials and activity |
| Fake lock screen | HTML page mimicking Android unlock screen to steal PIN or pattern |
| Keyguard dismissal | Automatically dismisses device lock screen |
| Permission auto-accept | Grants itself permissions without user interaction via accessibility service |
| Remote control | Operator can interact with the device through accessibility service |
| Notification interception | Reads and hides notifications to capture and suppress 2FA codes |
| Clicker automation | Auto-executes predefined actions on targeted apps via accessibility service |
| Data exfiltration | Steals credentials, photos, call logs, and device information |
| USSD execution | Initiates USSD service calls on the victim's behalf |
| Self-update | Downloads and applies updates to its own configuration and code |

Fake Lock Screen

The fake lock screen is TrickMo's most distinctive 2024 addition. Zimperium's analysis revealed that TrickMo displays an HTML page hosted on an external server in full-screen mode, perfectly mimicking the device's native Android unlock prompt. When the victim enters their PIN or draws their unlock pattern, the page transmits the captured credential along with the device's Android ID to a PHP script on the attacker's server.

The fake lock screen is rendered as a deceptive UI that matches the device's actual lock type. With the device unlock credential in hand, operators can access the device during periods when the victim is not actively using it, enabling unattended on-device fraud. This technique is particularly valuable because it gives attackers the ability to unlock the device remotely, approve transactions, and interact with banking apps without the victim's knowledge.

Overlay Injection

TrickMo uses HTML overlay pages to phish credentials for targeted applications. The C2 server delivers overlay configurations through a SaveHtml command that pairs a target package name with an overlay URL. When a targeted app moves to the foreground, TrickMo injects a full-screen HTML page over the legitimate interface, capturing any credentials the victim enters.

Cleafy found that operators had created overlay pages targeting services including Binance, Alpha Bank, and ATB Mobile, among others. The full target list spans banking apps (HSBC, Lloyds Bank, ING, and numerous regional banks), cryptocurrency platforms (MetaMask, Blockchain.com, Binance), financial services (PayPal, Skrill), and widely-used consumer apps (Facebook, Netflix, AliExpress, Uber, Gmail).

Clicker Automation

TrickMo uses a clicker.json configuration file to automate actions via the accessibility service. This file contains package names and corresponding filters and actions that define what TrickMo should do when specific applications are in the foreground. The Clicker function preloads a set of target applications defined by the malware author. When one of these applications launches, TrickMo auto-clicks through UI elements, executes predefined workflows, and performs actions on the device without the victim's knowledge.

Key Clicker operations include automatically accepting permission dialogs for the malware, navigating through system settings to grant itself additional access, and interacting with banking app interfaces during fraud sessions. The clicker.json file contains German language settings, reflecting TrickMo's roots, but targets both system and utility applications across the device.

Accessibility Event Logging

The 2024 variants shifted away from screen recording via the MediaProjection API in favor of collecting accessibility event logs. This approach captures data from running applications that TrickMo initiates through the Clicker function, gathering text content, UI element states, and user interactions. The collected accessibility event log data is compressed into a ZIP file and exfiltrated to the C2 server. This method is stealthier than screen recording because it does not trigger the Android screen recording indicator that users might notice.

Expanded Command Set

Cyble's analysis documented 45 commands supported by the 2024 variants, a substantial increase from the original TrickMo's limited instruction set. The expanded commands cover the following categories:

| Category | Capabilities |
|---|---|
| Credential theft | Overlay injection management, screen content capture, accessibility event logging |
| Surveillance | Screenshot capture, photo/video recording, call log collection, SMS harvesting |
| Device manipulation | Lock/unlock screen, disable notifications, adjust settings, simulate button presses |
| Communication | Send SMS from victim device, initiate USSD calls |
| Module management | Download runtime modules, update configuration files, self-update |
| Data exfiltration | Upload credentials, photos, device info, accessibility logs to C2 |
| Self-maintenance | Uninstall, modify configuration, update clicker.json |

Permissions

| Permission | Purpose |
|---|---|
| BIND_ACCESSIBILITY_SERVICE | Core dependency for overlay triggering, clicker automation, event logging, permission auto-accept, and remote control |
| SYSTEM_ALERT_WINDOW | Display overlay injections and fake lock screen in full-screen mode |
| READ_SMS | Read SMS messages for OTP interception |
| RECEIVE_SMS | Intercept incoming SMS in real-time |
| SEND_SMS | Send SMS from victim device |
| READ_PHONE_STATE | Device fingerprinting and phone number collection |
| CAMERA | Remote photo and video capture |
| READ_CALL_LOG | Harvest call history |
| INTERNET | HTTP-based C2 communication |
| RECEIVE_BOOT_COMPLETED | Persistence across device reboots |
| FOREGROUND_SERVICE | Maintain persistent background operation |
| REQUEST_INSTALL_PACKAGES | Dropper installs main payload |
| WAKE_LOCK | Keep device awake during remote sessions and data exfiltration |

The original 2019-2020 TrickMo also set itself as the default SMS application on the device, giving it near-total control over SMS messages. This allowed it to read, intercept, and suppress incoming OTPs before the victim could see them.
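The permission set above is a useful static triage signal on its own: no single entry is damning, but an accessibility service declared alongside overlay, SMS and package-install rights is the combination the page describes. The script below is an added example (not code from TrickMo, Cleafy, Cyble or Zimperium) that applies that heuristic to a decoded AndroidManifest.xml as apktool emits it. The sample manifest, its package name `com.example.fakeservices` and its class names are constructed placeholders; the scoring thresholds are the editor's assumption, not a published rule. It also checks for the `SMS_DELIVER` receiver that a default-SMS candidate must declare, which is how the original variant's SMS takeover shows up in a manifest.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Permissions from the table above, mapped to the capability they enable.
PERMISSION_CAPABILITIES = {
    "android.permission.SYSTEM_ALERT_WINDOW": "overlay",
    "android.permission.READ_SMS": "sms",
    "android.permission.RECEIVE_SMS": "sms",
    "android.permission.SEND_SMS": "sms",
    "android.permission.REQUEST_INSTALL_PACKAGES": "installer",
    "android.permission.READ_CALL_LOG": "surveillance",
    "android.permission.CAMERA": "surveillance",
    "android.permission.READ_PHONE_STATE": "fingerprint",
}


def triage_manifest(manifest_xml: str) -> dict:
    """Triage a decoded (plain-XML) AndroidManifest.xml.

    Returns the capabilities implied by declared permissions, whether an
    accessibility service is declared, whether the app can become the
    default SMS handler, and a coarse verdict (assumed thresholds).
    """
    root = ET.fromstring(manifest_xml)
    declared = {e.get(ANDROID_NS + "name") for e in root.iter("uses-permission")}
    capabilities = {PERMISSION_CAPABILITIES[p] for p in declared
                    if p in PERMISSION_CAPABILITIES}

    # An accessibility service is not a <uses-permission>: it is a <service>
    # protected by BIND_ACCESSIBILITY_SERVICE in its android:permission attribute.
    accessibility = any(
        s.get(ANDROID_NS + "permission") == "android.permission.BIND_ACCESSIBILITY_SERVICE"
        for s in root.iter("service")
    )

    # A default-SMS candidate must handle the SMS_DELIVER broadcast.
    default_sms = any(
        a.get(ANDROID_NS + "name") == "android.provider.Telephony.SMS_DELIVER"
        for a in root.iter("action")
    )

    # Accessibility plus overlay is the core banker combination; adding SMS
    # access or installer rights matches what the page describes for TrickMo.
    if accessibility and "overlay" in capabilities and \
            ("sms" in capabilities or "installer" in capabilities):
        verdict = "high"
    elif accessibility or "overlay" in capabilities:
        verdict = "medium"
    else:
        verdict = "low"

    return {
        "capabilities": sorted(capabilities),
        "accessibility_service": accessibility,
        "default_sms_candidate": default_sms,
        "verdict": verdict,
    }


# Constructed sample manifest (not from a real sample); names are placeholders.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.fakeservices">
    <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <uses-permission android:name="android.permission.RECEIVE_SMS"/>
    <uses-permission android:name="android.permission.SEND_SMS"/>
    <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
    <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
    <uses-permission android:name="android.permission.INTERNET"/>
    <application android:label="Google Services">
        <service android:name=".AccService"
            android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
            <intent-filter>
                <action android:name="android.accessibilityservice.AccessibilityService"/>
            </intent-filter>
        </service>
        <receiver android:name=".SmsReceiver"
            android:permission="android.permission.BROADCAST_SMS">
            <intent-filter>
                <action android:name="android.provider.Telephony.SMS_DELIVER"/>
            </intent-filter>
        </receiver>
    </application>
</manifest>
"""

if __name__ == "__main__":
    print(triage_manifest(SAMPLE_MANIFEST))
```

Run it against `apktool d sample.apk` output by reading `AndroidManifest.xml` from the decoded directory; on a packed sample the manifest may still be honest even when the dex is not, which is exactly why this check is cheap and worth running first.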

Technical Details

Anti-Analysis Mechanisms

Cleafy documented two anti-analysis techniques introduced in the 2024 variants.

Malformed ZIP files: The APK file is manipulated by adding directories with the same names as critical files such as AndroidManifest.xml and classes.dex. When security researchers or automated analysis tools attempt to extract the APK, the unzip operation can overwrite these critical files with the identically named directories, causing decompilation failures in many automated analysis pipelines. Tools like apktool and standard ZIP extractors produce errors or incomplete outputs when encountering this structure.

JSONPacker: TrickMo uses JSONPacker for payload obfuscation, adding another layer that must be unpacked before analysis can proceed. The combination of malformed ZIP structures and JSONPacker obfuscation creates a multi-layered defense against automated analysis and sandbox detection. Both the dropper and the main payload employ these same techniques, indicating they are part of a shared build process.
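The malformed-ZIP trick relies on extractors blindly creating a directory named `classes.dex` or `AndroidManifest.xml` on top of the file of the same name. The check can be done without extracting anything, by reading the central directory alone. The script below is an added example (not code from the page or from any of the cited vendors): it lists the archive entries, flags any critical file that also appears as a directory or directory prefix, and builds a constructed toy archive in both clean and malformed form to demonstrate the check. The set of critical names and the sample archive contents are the editor's choice.

```python
import io
import zipfile

# Entries an APK carries at the archive root; a directory entry with one of
# these names is what the malformed-ZIP technique relies on.
CRITICAL_ENTRIES = ("AndroidManifest.xml", "classes.dex", "resources.arsc")


def find_name_collisions(apk_bytes: bytes) -> dict:
    """Return {critical_name: [colliding directory entries]} for each critical
    file that also appears as a directory (or directory prefix) in the central
    directory. Only the central directory is read; nothing is extracted."""
    collisions = {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        names = zf.namelist()
        for crit in CRITICAL_ENTRIES:
            has_file = crit in names
            # "classes.dex/" or "classes.dex/anything" both collide with the file.
            dir_entries = [n for n in names
                           if n != crit and n.rstrip("/").split("/")[0] == crit]
            if has_file and dir_entries:
                collisions[crit] = dir_entries
    return collisions


def build_sample_apk(malformed: bool) -> bytes:
    """Build a minimal constructed archive (not a real APK) for testing."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("AndroidManifest.xml", b"<manifest/>")
        zf.writestr("classes.dex", b"dex\n035\x00")
        zf.writestr("resources.arsc", b"\x02\x00\x0c\x00")
        if malformed:
            # Directory entries sharing the critical file names.
            zf.writestr("AndroidManifest.xml/", b"")
            zf.writestr("classes.dex/", b"")
    return buf.getvalue()


if __name__ == "__main__":
    for label, blob in (("clean", build_sample_apk(False)),
                        ("malformed", build_sample_apk(True))):
        print(label, find_name_collisions(blob) or "no collisions")
```

Because the function never calls `extractall`, it is safe to run on untrusted samples as a pre-filter; a hit tells the analyst to rename the directory entries (or extract with a tool that refuses to overwrite files with directories) before handing the APK to apktool.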

C2 Communication

TrickMo communicates with its C2 server over HTTP. The initial registration message is an HTTP POST request to the /c endpoint, with the body containing a JSON payload that includes detailed information about the infected device: phone number, device model, and a comprehensive list of installed applications. The C2 server uses this application list to determine which overlay injection pages to deploy, matching installed apps against its library of phishing templates.

| Component | Details |
|---|---|
| Protocol | HTTP POST to /c endpoint |
| Registration | JSON payload with device fingerprint, phone number, model, and installed app list |
| Command delivery | C2 responds with commands; SaveHtml delivers overlay injection targets |
| Overlay hosting | HTML phishing pages hosted on C2 server, loaded in full-screen WebView |
| Configuration | clicker.json delivered from C2, defines accessibility automation targets |
| Data exfiltration | Credentials, photos, accessibility logs uploaded to C2 endpoints |
| IP tracking | C2 maintains IP list files updated on each successful credential exfiltration |
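The registration request is the most network-visible moment of an infection: one POST to a short path carrying a phone number and the full installed-app list. The script below is an added example (not code from the page or the cited vendors) of how that pattern can be hunted in proxy logs. The page names only the `/c` path, so the check keys on body structure (a phone-number-like string plus a list of package-name-like strings) rather than on field names; the JSON-per-line log format, the hosts `c2.example.invalid`, `news.example.test`, `chat.example.test`, `api.example.test`, the addresses and the phone numbers are all constructed placeholders.

```python
import json
import re

# Registration endpoint described on the page; the body layout is assumed,
# so the check keys on structure rather than on specific field names.
C2_PATH = "/c"
PACKAGE_RE = re.compile(r"^[A-Za-z]\w*(\.\w+)+$")  # e.g. com.android.chrome
PHONE_RE = re.compile(r"^\+?\d{8,15}$")            # E.164-style phone number


def is_registration_body(body: str) -> bool:
    """True if the body is a JSON object carrying both a phone-number-like
    string and a list (>= 3 entries) of package-name-like strings."""
    try:
        data = json.loads(body)
    except (TypeError, ValueError):
        return False
    if not isinstance(data, dict):
        return False
    has_packages = has_phone = False
    for value in data.values():
        if (isinstance(value, list) and len(value) >= 3
                and all(isinstance(v, str) and PACKAGE_RE.match(v) for v in value)):
            has_packages = True
        elif isinstance(value, str) and PHONE_RE.match(value):
            has_phone = True
    return has_packages and has_phone


def flag_c2_registrations(log_lines):
    """Scan JSON-per-line proxy records and return (src, host) for each
    POST to /c whose body looks like a device registration."""
    hits = []
    for line in log_lines:
        rec = json.loads(line)
        if rec.get("method") != "POST" or rec.get("path") != C2_PATH:
            continue
        if is_registration_body(rec.get("body", "")):
            hits.append((rec["src"], rec["host"]))
    return hits


# Constructed proxy log (hosts, addresses and numbers are placeholders).
SAMPLE_LOG = [
    json.dumps({"src": "10.0.0.5", "host": "news.example.test", "method": "GET",
                "path": "/c", "body": ""}),
    json.dumps({"src": "10.0.0.7", "host": "c2.example.invalid", "method": "POST",
                "path": "/c", "body": json.dumps({
                    "phone": "+4915100000000", "model": "Pixel 6",
                    "apps": ["com.android.chrome", "com.example.bankapp",
                             "com.example.wallet", "com.example.messenger"]})}),
    json.dumps({"src": "10.0.0.9", "host": "chat.example.test", "method": "POST",
                "path": "/c", "body": json.dumps({"channel": "general", "text": "hi"})}),
    json.dumps({"src": "10.0.0.11", "host": "api.example.test", "method": "POST",
                "path": "/v1/devices", "body": json.dumps({
                    "phone": "+4915100000001",
                    "apps": ["com.a.b", "com.c.d", "com.e.f"]})}),
]

if __name__ == "__main__":
    for src, host in flag_c2_registrations(SAMPLE_LOG):
        print(f"possible TrickMo registration from {src} to {host}")
```

The third record shows why the path alone is too weak a signal (`/c` is short enough to collide with legitimate traffic), and the fourth shows the inverse: a registration-shaped body to another path is dropped here, but is worth a lower-severity rule of its own, since the endpoint name is the cheapest thing for an operator to change.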

C2 Data Leak

Cleafy's investigation exposed critical misconfigurations in TrickMo's C2 infrastructure. The C2 servers had no authentication mechanism protecting access to exfiltrated data. Anyone with knowledge of the specific endpoints, which were easily guessable, could access the full contents of the stolen data stores.

The exposed data totaled over 12 GB and included:

  • Stolen usernames and passwords stored in CSV files
  • Personal photos taken from compromised devices, including identity documents such as passports and credit cards
  • Device logs and operation records
  • HTML files used for overlay attacks against banking and cryptocurrency platforms
  • IP list files that were regularly updated whenever the malware successfully exfiltrated credentials

Zimperium confirmed approximately 13,000 unique IP addresses belonging to victims within these C2 directories. The IP list files contained millions of records, indicating the extensive number of compromised devices and the scale of credential theft across active campaigns. This misconfiguration meant that not only were the TrickMo operators collecting victim data, but that data was simultaneously exposed to any other threat actor who discovered the C2 endpoints.

Accessibility Service Dependency

TrickMo relies heavily on the Android accessibility service for its core operations. With accessibility permissions, the malware can:

  • Monitor foreground applications to trigger overlay injections at the right moment
  • Intercept and hide notifications to capture and suppress 2FA codes
  • Auto-accept permission dialogs to grant itself additional access without user interaction
  • Dismiss the device keyguard to unlock the screen
  • Capture accessibility event data from all running applications
  • Execute the Clicker automation for interacting with UI elements
  • Simulate user interactions for remote control and on-device fraud

The shift from MediaProjection-based screen recording to accessibility event logging in the 2024 variants reflects an adaptation to Android's increasing visibility around screen recording. The accessibility approach is functionally equivalent for credential capture while avoiding the screen recording notification that Android displays to users.

Original TrickMo Technical Design (2019-2020)

The original TrickMo used a different technical approach from the 2024 variants. IBM X-Force documented that it used screen recording as its primary method for capturing TAN codes, which allowed it to defeat pushTAN app validations where the one-time code was displayed within a banking app rather than sent via SMS. During OTP capture operations, TrickMo activated a fake Android update screen to mask its activity, preventing the victim from seeing the device being manipulated. The malware would set itself as the default SMS app, giving it complete control over incoming and outgoing messages.

Target Regions

| Phase | Period | Regions |
|---|---|---|
| Original | 2019-2020 | Germany exclusively |
| Overlay transition | 2021 | Germany primarily, beginning to expand |
| Resurgence | 2024 | Canada, UAE, Turkey, Germany, India, US, South Africa, Netherlands |

The 2024 expansion beyond Germany reflects TrickMo's evolution from a TrickBot companion tool into an independent banking trojan. Zimperium confirmed at least 13,000 compromised devices, with the highest concentration in Canada. The actual victim count is likely higher given that not all C2 servers were exposed.

The targeted application list spans multiple verticals and regions:

| Category | Examples |
|---|---|
| European banking | HSBC, Lloyds Bank, ING, Alpha Bank, ATB Mobile |
| Cryptocurrency | Binance, MetaMask, Blockchain.com |
| Financial services | PayPal, Skrill |
| Consumer apps | Facebook, Netflix, AliExpress, Uber, Gmail |

The clicker.json configuration file retains German language settings from TrickMo's origins, but the overlay injection targets now span banking applications across multiple continents. India emerged as a significant target market, alongside traditional European targets and new expansion into North America and the Middle East.

Evolution

| Period | Phase | Key Changes |
|---|---|---|
| September 2019 | Discovery | CERT-Bund identifies TrickMo as TrickBot's mobile companion targeting German banks |
| March 2020 | First analysis | IBM X-Force documents 2FA bypass via screen recording, SMS interception, fake update screen |
| 2020-2021 | Active campaigns | TrickBot delivers TrickMo to German banking customers via web injection |
| July 2021 | Overlay adoption | TrickMo adopts overlay attacks as primary credential theft method, becomes standalone |
| 2021-2022 | Low activity | Only six samples identified; two introduce expanded 40-command set |
| September 2023 | Resurgence begins | Three new TrickMo instances detected after period of inactivity |
| September 2024 | Major upgrade | Cleafy documents anti-analysis (malformed ZIP, JSONPacker), overlay injection, dropper chain, C2 data leak |
| September 2024 | Command expansion | Cyble documents 45-command set, clicker automation, accessibility event logging |
| October 2024 | Scale revealed | Zimperium identifies 40 variants, 16 droppers, 22 C2 servers, fake lock screen for PIN theft, 13,000+ victims |

Notable Campaigns

September 2019: CERT-Bund first identifies TrickMo samples targeting German banking customers. The malware operates as a mobile component of TrickBot, intercepting SMS and push notification OTPs sent by German banks.

March 2020: IBM X-Force publishes the first detailed analysis of TrickMo, documenting its role as a 2FA bypass companion to TrickBot. The analysis reveals that TrickBot's Windows infections use man-in-the-browser attacks to socially engineer victims into installing the mobile component. Screen recording defeats pushTAN protections that SMS interception alone cannot bypass.

July 2021: TrickMo adopts overlay attacks as its primary credential theft technique, marking the transition from TrickBot companion to standalone banking trojan. This shift reduces the malware's dependency on a desktop infection for initial credential theft.

September 2023: Three new TrickMo instances appear after an extended period of low activity, signaling the beginning of the resurgence that would escalate through 2024.

September 2024: Cleafy discloses new TrickMo variants with advanced anti-analysis mechanisms (malformed ZIP files, JSONPacker), overlay injection for banking and cryptocurrency apps, and a dropper disguised as Google Chrome. The investigation also uncovers misconfigured C2 servers leaking 12 GB of stolen victim data, including passports, credit card images, and credentials stored in plaintext CSV files.

September 2024: Cyble reports on TrickMo's resurgence, documenting the expanded 45-command instruction set, clicker automation via clicker.json, accessibility event logging replacing screen recording, new overlay injection capabilities, and runtime module downloading.

October 2024: Zimperium publishes a deep dive identifying 40 TrickMo variants, 16 droppers, and 22 C2 servers. The analysis reveals the fake lock screen mechanism for stealing device PINs and unlock patterns, and confirms at least 13,000 compromised devices across Canada, the UAE, Turkey, and Germany. The fragmented infrastructure, with 22 separate C2 servers, suggests either multiple independent operators or a single group maintaining operational compartmentalization.

Detection

| Indicator Type | Details |
|---|---|
| Malformed APK | ZIP structure containing directories named AndroidManifest.xml or classes.dex that cause extraction failures |
| JSONPacker | Payload obfuscation layer that must be unpacked before analysis |
| Dropper masquerading | App presenting as Google Chrome that prompts for "Google Play Services" update |
| Accessibility abuse | App requesting accessibility with no legitimate UX justification; clicker automation on system apps |
| Fake lock screen | Full-screen HTML page mimicking device unlock screen, transmitting PIN/pattern to external PHP script |
| Overlay injection | TYPE_APPLICATION_OVERLAY windows rendered over banking, crypto, and consumer apps |
| C2 pattern | HTTP POST to /c endpoint with JSON device fingerprint payload |
| Default SMS takeover | App setting itself as default SMS handler (original variant) |

TrickMo's origin as a desktop trojan companion mirrors the ZitMo (Zeus-in-the-Mobile) model from 2011, where mobile malware existed solely to intercept 2FA codes for a PC-based banking trojan. The 2024 TrickMo has outgrown this model entirely, operating as a standalone threat with capabilities rivaling dedicated Android banking trojans.

The fake lock screen technique for stealing device unlock credentials parallels TsarBot's LockTypeDetector feature, which similarly deploys a fake lock screen to capture PINs and patterns. Both families use this stolen credential to enable unattended device access for on-device fraud.

TrickMo's overlay injection and credential theft approach places it alongside Cerberus, Ermac, Godfather, and Xenomorph in the category of overlay-based banking trojans. The anti-analysis techniques (malformed ZIP, JSONPacker) represent a more sophisticated evasion approach than most families in this category employ.

The use of TiramisuDropper for bypassing Android 13+ accessibility restrictions connects TrickMo to other families using the same loader, including Hook and TgToxic. This shared dropper infrastructure suggests either a common supply chain or a dropper-as-a-service model available to multiple malware operators.

The C2 server misconfiguration that exposed 12 GB of victim data echoes similar operational security failures seen across the Android malware landscape, where rapid deployment and infrastructure scaling often outpace the operators' security practices.
