© 2025 CoolTechZone - Latest tech news, product reviews, and analyses.

New Android malware variants of TrickMo stealing PINs via banking overlays


Security analysts have found 40 new variants of TrickMo, a banking trojan that presents users with overlays of fake login screens in order to steal login credentials and perform unauthorized transactions.

TrickMo has been around since at least 2019 to perform attacks on Android users. Last month, cybersecurity firm Cleafy discovered a new variant of the Android malware, with newly integrated anti-analysis features that complicated its classification.

“The malware’s purpose is to evade detection and hinder the efforts of cybersecurity professionals to analyse and mitigate this threat,” the company wrote in an in-depth analysis of the malware.

Security experts at Zimperium decided to conduct their own research and identified 40 recent variants of the malicious software, including 16 droppers and 22 iterations with distinct command-and-control (C2) servers.

Key features of the new TrickMo variants include one-time password (OTP) interception, screen recording, data exfiltration, remote control, automatic permission granting and auto-clicking on prompts, accessibility services abuse, and overlay display and credential theft.

“These capabilities enable the malware to effectively access any type of information stored on the device. Moreover, these capabilities can be combined to facilitate unauthorized access to bank accounts and financial transactions, potentially resulting in significant financial losses for victims,” researchers conclude.

Zimperium also found some samples of TrickMo that are capable of stealing an Android device’s unlock pattern or PIN. To obtain this information, the malware displays a deceptive user interface that mimics the device’s unlock screen. When the user enters their unlock pattern or PIN, the page transmits the captured PIN or pattern details, along with a unique device identifier, to a PHP script.

According to the researchers, this information allows threat actors to unlock a device while it is not being actively monitored and carry out on-device fraud.
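The capabilities described above (overlays drawn on top of a legitimate screen, screen recording, and abuse of accessibility services) can be partly blunted on the app side. The following Android snippet is an added example written for this page; it is not code from the article, from Zimperium or from Cleafy, and it says nothing about TrickMo's internals. It assumes a banking app with a PIN-entry Activity; the class name `SecurePinActivity`, the layout `R.layout.activity_pin` and the view id `R.id.pin_pad` are assumptions. All framework calls (`FLAG_SECURE`, `setFilterTouchesWhenObscured`, `MotionEvent.FLAG_WINDOW_IS_OBSCURED`, `AccessibilityManager.getEnabledAccessibilityServiceList`) are standard Android APIs.

```java
// Added example (not from the article or the researchers it cites): hardening a
// PIN-entry screen against overlay, screen-recording and accessibility abuse.
// Class, layout and view-id names below are assumptions for illustration.
import android.accessibilityservice.AccessibilityServiceInfo;
import android.app.Activity;
import android.content.pm.ApplicationInfo;
import android.os.Bundle;
import android.util.Log;
import android.view.MotionEvent;
import android.view.View;
import android.view.WindowManager;
import android.view.accessibility.AccessibilityManager;
import java.util.ArrayList;
import java.util.List;

public class SecurePinActivity extends Activity {
    private static final String TAG = "SecurePinActivity";

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);

        // FLAG_SECURE: the window is excluded from screenshots and from
        // MediaProjection-based screen recording (recorders get a black frame).
        getWindow().setFlags(WindowManager.LayoutParams.FLAG_SECURE,
                             WindowManager.LayoutParams.FLAG_SECURE);

        setContentView(R.layout.activity_pin);      // assumed layout name
        View pinPad = findViewById(R.id.pin_pad);   // assumed view id

        // Ask the framework to discard touches that arrive while another
        // visible window (e.g. a fake overlay) covers this view.
        pinPad.setFilterTouchesWhenObscured(true);

        // Belt and braces: also inspect the flag ourselves so we can log it.
        pinPad.setOnTouchListener((v, event) -> {
            if ((event.getFlags() & MotionEvent.FLAG_WINDOW_IS_OBSCURED) != 0) {
                Log.w(TAG, "PIN pad touched while window obscured; ignoring input");
                return true;   // consume the event, do not register a digit
            }
            return false;      // let the normal PIN-pad handling run
        });
    }

    @Override
    protected void onResume() {
        super.onResume();
        List<String> thirdParty = enabledNonSystemAccessibilityServices();
        if (!thirdParty.isEmpty()) {
            // A defender's choice: warn the user or require step-up auth here.
            // Many legitimate apps use accessibility services, so this is a
            // risk signal, not proof of compromise.
            Log.w(TAG, "Non-system accessibility services enabled: " + thirdParty);
        }
    }

    /**
     * Returns the package names of enabled accessibility services that are
     * not part of the system image. Accessibility-service abuse is one of the
     * capabilities the article lists, so this is the signal worth surfacing.
     */
    List<String> enabledNonSystemAccessibilityServices() {
        List<String> result = new ArrayList<>();
        AccessibilityManager am =
            (AccessibilityManager) getSystemService(ACCESSIBILITY_SERVICE);
        if (am == null) {
            return result;
        }
        List<AccessibilityServiceInfo> enabled =
            am.getEnabledAccessibilityServiceList(AccessibilityServiceInfo.FEEDBACK_ALL_MASK);
        for (AccessibilityServiceInfo info : enabled) {
            if (info.getResolveInfo() == null) {
                continue;
            }
            ApplicationInfo app = info.getResolveInfo().serviceInfo.applicationInfo;
            boolean isSystem = (app.flags & ApplicationInfo.FLAG_SYSTEM) != 0;
            if (!isSystem) {
                result.add(app.packageName);
            }
        }
        return result;
    }
}
```

None of these measures stops a user from typing a PIN into a fake screen drawn by another app; they protect the legitimate screen's own input and pixels, and surface accessibility-service abuse as a signal. The on-device checks complement, rather than replace, Play Protect and the proactive protection the researchers recommend.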

In addition, the security experts were able to gain access to several C2 servers and discovered 13,000 unique IP addresses belonging to victims of TrickMo. Most victims were located in Canada (37.2%) and the United Arab Emirates (12.6%), but also Turkey (9.4%) and Germany (8.8%). The United States only accounted for 1.6% of all victims.

The stolen credentials are not limited to banking information, but also encompass enterprise platforms, job and recruitment sites, e-commerce platforms, trading platforms, social media accounts, streaming services, and VPN and other security and privacy applications.

“This underscores the critical importance of protecting mobile devices, as they can serve as a primary entry point for cyberattacks on organizations,” researchers emphasize.

TrickMo is primarily spread through phishing. Google Play Protect blocks all known variants of TrickMo, so downloading APKs from outside the Google Play Store isn’t the best idea.

To protect users and devices from TrickMo and similar malware, Zimperium recommends deploying proactive and robust protection and mitigation measures.

