{
	"id": "9d11c452-88b3-483e-8df0-14b79cd9da35",
	"created_at": "2026-04-06T00:13:59.899605Z",
	"updated_at": "2026-04-10T03:20:45.152062Z",
	"deleted_at": null,
	"sha1_hash": "20dd3f3d690f16c5bfcfa1857a3978b32916be4b",
	"title": "A new TrickMo saga: from banking trojan to victim's data leak",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 8736240,
	"plain_text": "A new TrickMo saga: from banking trojan to victim's data leak\r\nBy Michele Roviello, Alessandro Strino\r\nArchived: 2026-04-05 15:32:59 UTC\r\nKey Points\r\nIn June, the Cleafy Threat Intelligence team identified an unclassified Android banking Trojan. Subsequent\r\nanalyses revealed that the malware was a variant of TrickMo, albeit with newly incorporated anti-analysis\r\nmechanisms.\r\nThe mechanisms include using malformed ZIP files in combination with JSONPacker. In addition, the\r\napplication is installed through a Dropper app that shares the same anti-analysis mechanisms. These\r\nfeatures are designed to evade detection and hinder cybersecurity professionals' efforts to analyse and\r\nmitigate the malware.\r\nThe sample analysis allowed us to trace the structure of the command-and-control (C2) server and the\r\norganisation of exfiltrated data, highlighting critical endpoints used to store and manage stolen\r\ninformation. By gaining access to these endpoints, we uncovered sensitive files, including credentials and\r\npictures, exfiltrated from infected devices.\r\nThe new findings underscore an enhancement in the Threat Actor’s capabilities. Although TrickMo retains\r\nthe typical functionalities of an Android banking Trojan, the data collected from infected devices could\r\nenable the attacker to undertake additional actions, compromising the victim on multiple levels.\r\nIntroduction\r\nCleafy’s Threat Intelligence team observed an interesting Android malware sample in early June, initially\r\nclassified as unknown. Further analyses revealed that the malware was a variant of the banking Trojan TrickMo,\r\nbut with newly integrated anti-analysis features that complicated its classification.\r\nTrickMo has a well-documented history of targeting Android devices. It emerged as part of TrickBot’s evolution,\r\nenabling TAs (Threat Actors) to expand the infection to the Android environment. 
The introduced anti-analysis\r\nmechanisms, which consist of a combination of different techniques known as malformed ZIP, JSONPacker,\r\nand dropper apps, highlight the malware's ever-evolving nature. The malware's purpose is to evade detection and\r\nhinder the efforts of cybersecurity professionals to analyse and mitigate this threat.\r\nNevertheless, the sample analysis also allowed us to trace the structure of the command-and-control (C2) server\r\nand the management of exfiltrated data, highlighting critical endpoints used to store the stolen information. We\r\nuncovered sensitive files, including credentials and pictures, exfiltrated from infected devices by gaining access to\r\nthese endpoints.\r\nWhat makes this discovery particularly noteworthy is the potential impact of the compromise on a victim user. A\r\nTA's actions with the exfiltrated data extend beyond banking fraud, potentially triggering identity theft scenarios.\r\nhttps://www.cleafy.com/cleafy-labs/a-new-trickmo-saga-from-banking-trojan-to-victims-data-leak\r\nPage 1 of 18\n\nMoreover, as highlighted in this document, the exfiltrated data could be accessible to third parties without\r\nauthentication, exposing the user to multiple attackers.\r\nUltimately, in the following sections, we will delve deeper into how a TrickMo infection can expose the user to\r\nmultiple levels of risk, including banking fraud, identity theft, and data leakage.\r\nHistorical Overview\r\nCERT-Bund identified TrickMo for the first time in 2019. The malware was designed to facilitate financial fraud\r\nby intercepting one-time passwords (OTPs) and other two-factor authentication (2FA) mechanisms crucial for\r\nsecure banking transactions. 
Its primary targets were banking applications across Europe, particularly in Germany.\r\nThe malware represents an evolution of the TrickBot group’s malicious activities for the mobile domain.\r\nTrickBot, originally designed to target Windows systems, quickly became famous for its ability to steal banking\r\ncredentials and other sensitive information. As cybersecurity defences improved, the TrickBot group developed\r\nTrickMo to target Android devices, leveraging and adapting the sophisticated techniques that made TrickBot\r\nsuccessful. Over time, TrickMo has continually evolved, incorporating advanced obfuscation techniques and anti-analysis mechanisms to thwart detection and analysis efforts by cybersecurity professionals.\r\nThe malware’s key features include:\r\n1. Interception of One-Time Passwords (OTPs): it can intercept OTPs sent via SMS or generated by\r\nauthenticator apps, allowing cybercriminals to bypass 2FA and authorise fraudulent transactions.\r\n2. Screen Recording and Keylogging: The malware can record the victim's screen and capture keystrokes,\r\nproviding attackers with sensitive information such as login credentials and PINs.\r\n3. Remote Control Capabilities: TrickMo enables remote control of the infected device, allowing attackers\r\nto perform various actions, including initiating transactions and modifying account settings without the\r\nuser's knowledge. With these capabilities, TrickMo can enable TAs to perform the On-Device Fraud (ODF)\r\nscenario, one of the most dangerous types of banking fraud.\r\n4. Accessibility Service Abuse: By exploiting Android's accessibility services, TrickMo can grant itself\r\nelevated permissions, manipulate user inputs, and capture data from other apps, making it particularly\r\neffective in targeting banking applications.\r\n5. Advanced Obfuscation Techniques: TrickMo continually evolves its obfuscation methods to avoid\r\ndetection. 
It uses sophisticated code-hiding techniques to make it difficult for security researchers to\r\nanalyse the malware.\r\n6. Anti-Analysis Mechanisms: TrickMo incorporates sophisticated methods to evade detection, including\r\nvarious techniques to detect and thwart virtualised environments and analysis tools.\r\nThe recent discovery of TrickMo's new anti-analysis mechanisms highlights the malware's continuous evolution.\r\nThe following sections will discuss these techniques in detail, providing deeper insights into how TrickMo\r\noperates. Moreover, the analysed sample revealed characteristics of the malware that extend beyond the typical\r\nfunctionalities of a banking Trojan, possibly aligning with those of an infostealer.\r\nMalicious App Overview\r\nThe malicious app is distributed via a dropper disguised as the Google Chrome browser. Upon installation, the\r\napp displays a warning message prompting users to update Google Play services.\r\nIf the user confirms the update, another APK containing the TrickMo malware will be installed. The new app is\r\ndeceptively named “Google Services” and poses as a legitimate instance of Google Play Services. Upon\r\nlaunching, the app displays a window to ask the user to enable Accessibility services for the app. It guides the\r\nusers through the process by instructing them to navigate to “Settings” and “Downloaded Services”. This social\r\nengineering tactic exploits the user's trust in familiar names and interfaces, thereby granting the malware the\r\nelevated permissions to carry out its malicious activities undetected.\r\nFigure 1 - Malicious app behaviour\r\nAccessibility services are designed to assist users with disabilities by providing alternative ways to interact with\r\ntheir devices. 
These services can perform various actions, such as reading text aloud, automating repetitive tasks,\r\nand simplifying navigation. However, when exploited by malicious apps like TrickMo, these services can grant\r\nextensive control over the device.\r\nThis elevated permission allows TrickMo to perform various malicious actions, such as intercepting SMS\r\nmessages, handling notifications to intercept or hide authentication codes, and executing HTML overlay attacks to\r\nsteal user credentials. Additionally, the malware can dismiss keyguards and auto-accept permissions, enabling it to\r\nintegrate seamlessly into the device's operations. These capabilities allow TrickMo to conduct financial fraud,\r\nmaking it extremely difficult to detect and remove from the infected device.\r\nAnti-analysis Mechanisms\r\nDropper\r\nAndroid droppers are applications used to install additional apps on the device. This type of application contains\r\nonly one functionality, i.e. the update functionality, that may be abused by TAs. Through this functionality, TAs\r\ncan deceive the user by proposing an update for the application, allowing the installation of a second, possibly\r\nmalicious, application.\r\nAs noted in the previous paragraph, in this case, the dropper is disguised as a bogus Chrome Browser APK, which\r\nincludes another APK infected with the TrickMo malware. This malicious APK is stored in one of its resources,\r\nspecifically the file assets/base.apk.\r\nFigure 2 - Dropper code installing malicious APK\r\nDroppers can be highly effective in perpetrating attacks. Not only do they disguise themselves as legitimate\r\napplications, but they are also developed with minimal fingerprinting (even in terms of permissions requested\r\nduring installation) to minimise their detection. 
Moreover, in this specific case, the analysed dropper employs the\r\nsame anti-analysis protections discussed in the following paragraphs to further minimise detection.\r\nMalformed ZIP\r\nOne of the recently introduced anti-analysis mechanisms employed by the latest TrickMo variant involves using\r\nmalformed ZIP files. In this tactic, the APK file is manipulated by adding directories with the same names as\r\ncrucial files, such as AndroidManifest.xml and classes.dex.\r\nFigure 3 - Malformed ZIP file\r\nThis clever obfuscation strategy can cause an unzip operation to overwrite these critical files, potentially hindering\r\nsubsequent analysis. When security researchers or automated analysis tools attempt to extract and examine the\r\ncontents of the APK, the malformed structure can lead to errors or incomplete extractions, significantly\r\ncomplicating the analysis process and providing TrickMo with an additional layer of evasion.\r\nFigure 4 - Malformed ZIP file extraction\r\nDespite this hindrance, the AndroidManifest.xml file can still be retrieved using apktool, even though the\r\nmalformed ZIP technique can obstruct analysis performed by some of the most common tools, such as JADX.\r\nApktool's ability to decompile and decode APK files allows researchers to bypass this obfuscation method and\r\ngain critical insights into the malware's structure and behaviour, especially after retrieving the Android Manifest\r\nFile. The latter reveals a set of suspicious permissions commonly associated with Android banking trojans. These\r\npermissions enable the malware to perform various malicious activities, including intercepting communications,\r\naccessing sensitive data, and manipulating device settings. 
Moreover, the file contains several suspicious\r\nactivities, services, and receivers related to the package dreammes.ross431.in.\r\nFigure 5 - Receiver with suspicious permissions\r\nUnpacking\r\nDespite multiple references within the application Manifest File to the package dreammes.ross431.in, this package\r\nis not present in the original APK. This absence suggests that the application is packed, a tactic commonly\r\nemployed to conceal malicious components. Specifically, the packer used in this instance is identified as\r\nJSONPacker, which effectively hides the malicious DEX file containing critical code for various actions,\r\nservices, and receivers.\r\nWhen the app is launched on the device, the payload is unpacked through the class com.turkey.inner.Uactortrust,\r\nwhere the malicious DEX file is retrieved, decrypted, and loaded from the path\r\n/data/user/0/dreammes.ross431.in/app_inflict/wF.json.\r\nFigure 6 - Unpacking code\r\nMalware Features\r\nThe unpacked DEX file reveals the app's malicious functionalities. The malware can respond to a series of\r\ncommands issued by the C2 server, allowing it to perform all the operations necessary to carry out financial fraud\r\nand other malicious activities, such as:\r\nIntercepting SMS messages by changing the default SMS application.\r\nRetrieving all photos stored on the device.\r\nRecording screen activity and enabling remote access and control.\r\nPerforming clicks and gestures on the device.\r\nThe complete list of commands is reported in the Appendix of this document.\r\nParticularly interesting is the functionality of performing HTML Overlay Attacks. 
The malware retrieves the list\r\nof the applications installed on the infected device; then, the C2 server, after receiving the list, will send a\r\ncommand labelled “SaveHtml” accompanied by the package name and an overlay URL. The URL will point to an\r\nHTML file later used as an HTML Overlay Injection page.\r\nFigure 7 - Method to retrieve the list of installed apps\r\nCommand-and-Control (C2) Server Communication\r\nThe analysed TrickMo Android banking trojan communicates with its command-and-control (C2) server using the\r\nHTTP protocol, specifically through a domain extracted from the malware configuration. This communication\r\nchannel relays commands from the attackers to the infected device and exfiltrates sensitive data. Through this C2\r\nserver, the attackers can manage the malware's activities, receive stolen information, and issue new instructions to\r\nthe infected devices, ensuring continuous and dynamic control over the compromised systems.\r\nFigure 8 - Constants class with C2 information\r\nThe initial message sent to the C2 server consists of an HTTP POST request to the endpoint /c. The body of this\r\nrequest contains a JSON file with detailed information about the infected device, including the phone number,\r\nmodel, and a comprehensive list of apps installed on the device. 
This information enables the attackers to tailor\r\ntheir malicious activities to the specific characteristics of each infected device, enhancing the effectiveness of their\r\ncampaigns and ensuring continuous and dynamic control over the compromised systems.\r\nFigure 9 - HTTP request to the /c endpoint\r\nSubsequently, the malware transmits another message to the C2 server to request the Clicker configuration.\r\nClicker configuration\r\nThe Clicker configuration showcases a sophisticated method of controlling an infected device via the Accessibility\r\nService. To exploit it, the malware combines a class named Clicker with a clicker.json file saved in the assets\r\ndirectory. The file can also be updated by downloading new versions from the C2 server.\r\nFigure 10 - HTTP request to the /config endpoint\r\nThe JSON file contains the package names on which the Accessibility service operates an “auto-click”\r\nfunctionality. For example, one operation that may be performed is automatically accepting permissions for the\r\nmalware on the device.\r\nFigure 11 - Auto acceptance of permissions through the Accessibility Service\r\nThis configuration is crucial as it enables the execution of operations that exploit the Accessibility Service,\r\nallowing the attackers to perform automated actions on the device. The Clicker configuration targets a mix of\r\nsystem applications and utility services, including settings, package installers, and system managers. 
This\r\nindicates TrickMo's intent to gain profound control over device configurations by disabling security features and\r\nenabling permissions without user consent.\r\nThe actions defined in the Clicker.json file can be categorised into several types of payloads:\r\nBlocking system updates (e.g., Samsung Update).\r\nDisabling security features.\r\nPreventing the uninstallation of certain apps.\r\nThe languages and text filters in the JSON configuration suggest a focus on German and English-speaking users.\r\nPhrases like \"Aktivieren,\" \"App-info,\" and \"Deinstall\" indicate that the malware is designed to interact with\r\ndevices set to German, hinting at potential victim geolocations in Germany, Austria, or Switzerland. Similarly,\r\nEnglish phrases such as \"Activate,\" \"App info,\" and \"Uninstall\" suggest that the malware also targets devices set\r\nto English, indicating potential victims in the United Kingdom and the United States.\r\nFigure 12 - German language found in the Clicker configuration\r\nMoreover, the same infrastructure leveraged for controlling the botnet and retrieving additional configurations is\r\nalso employed to store the data exfiltrated from the victim’s device, including logs, credentials, and photos. The\r\nfollowing section discusses the specifics of the information that can be extracted in depth. The analysis revealed\r\nthat the C2 server does not provide an authentication mechanism to access the obtained data, meaning third parties\r\ncould also access it. Although a login page is provided, the data is accessible by knowing specific endpoints on the\r\nserver, which are easily guessable, thereby further exposing the victims.\r\nData leak from C2 Server\r\nThis chapter delves into the numerous misconfigurations in the Command and Control (C2) infrastructure\r\nleveraged by TrickMo. 
These misconfigurations, if exploited, provide access to a significant portion of the data\r\nexfiltrated from the infected devices of victims targeted by TrickMo distribution campaigns. The data stored\r\nwithin the C2 server encompasses a wide range of sensitive information, including personal photos, documents,\r\nconnection logs, credentials, and more, totalling 12 GB of files. This analysis underscores the critical security\r\nlapses in the C2 setup, which not only jeopardise the privacy of victims but also highlight the operational\r\ndeficiencies of the TAs behind TrickMo.\r\nOur in-depth analysis of the command-and-control (C2) server unveiled several critical endpoints that play pivotal\r\nroles in the malware's operation.\r\nOne of the folders contains a list of IP addresses presumably associated with the compromised devices. This list\r\nenables the attackers to keep track of infected devices and manage their operations more effectively.\r\nFigure 13 - Directory listing of the logs stored on the C2 server\r\nAnother folder reveals a list of subdirectories identified by numerical filenames. Each subdirectory contains\r\ndetailed logs of operations performed on the compromised devices, providing the attackers with a comprehensive\r\nrecord of their malicious activities. These logs can include information on intercepted communications, executed\r\ncommands, and other actions carried out by the malware, further highlighting the sophisticated level of control the\r\nattackers maintain over the infected devices.\r\nFigure 14 - Log file on the C2 Server\r\nFurthermore, the C2 provides HTML files used in HTML overlay attacks. These files include deceptive login\r\npages for various services, including bank accounts such as ATB Mobile and Alpha Bank and cryptocurrency\r\nplatforms like Binance. 
By displaying these overlays, TrickMo can effectively phish for user credentials, enabling\r\nattackers to gain unauthorised access to sensitive accounts.\r\nFigure 15 - Overlaid HTML pages\r\nA third endpoint is responsible for storing CSV files that contain captured username and password combinations.\r\nThis endpoint serves as a centralised repository for the stolen credentials, allowing attackers to access a wealth of\r\nsensitive login information. This organised storage facilitates using these credentials in further fraudulent\r\nactivities, such as unauthorised access to financial accounts and identity theft.\r\nFigure 16 - Stolen credentials\r\nFinally, a specific folder is dedicated to storing ZIP files containing all the images extracted from the\r\ncompromised devices. These images include potentially sensitive personal pictures, identification documents, and\r\nfinancial information. Attackers can use this data to gather further intelligence about the victims, significantly\r\ncompromising their privacy and increasing security risks for the affected individuals.\r\nFigure 17 - Stolen pictures\r\nHence, the data leak from TrickMo's Command and Control (C2) infrastructure exposes a wealth of sensitive\r\ninformation. This breach amplifies the threat of further exploitation by TAs or third parties. When a TA gains\r\naccess to credentials and sensitive photos, the range of potential malicious activities expands significantly. With\r\nuser credentials, including usernames and passwords, the TA can easily infiltrate various online accounts, such\r\nas banking, email, social media, and other personal services. This access enables direct financial theft,\r\nunauthorised money transfers, and fraudulent purchases. 
Compromised email accounts can also be leveraged\r\nto reset passwords for other services, further extending the attacker's reach.\r\nSensitive photos, such as images of passports, credit cards, and personal identification documents, can be used to\r\ncommit identity theft. The TA can create fake identities or verify stolen accounts to bypass security checks. These\r\nphotos can also be exploited for Social Engineering attacks, blackmail, or extortion. For instance, personal or\r\ncompromising pictures can be used to coerce victims into paying ransom or performing actions beneficial to the\r\nattacker.\r\nFurthermore, combining credentials and sensitive photos enhances the TA's ability to perform highly targeted\r\nphishing attacks. Using personal information and images, the attacker can craft convincing messages that trick\r\nvictims into divulging even more information or executing malicious actions. Exploiting such comprehensive\r\npersonal data results in immediate financial and reputational damage and long-term consequences for the victims,\r\nmaking recovery a complex and prolonged process.\r\nConclusions\r\nThe analysed TrickMo sample and its ability to intercept communications, manipulate device settings, and access\r\nsensitive data underscore the advanced nature of this sample and the persistent efforts of its creators to evade\r\ndetection (e.g., malformed ZIP and JSONPacker) and enhance its capabilities. However, this analysis also gave us\r\nmore insights about the C2 server, which revealed the structure and organisation of exfiltrated data, highlighting\r\ncritical endpoints that store and manage stolen information.\r\nMoreover, the TAs behind TrickMo made multiple OPSEC mistakes, publicly exposing part of the exfiltrated data\r\n(including pictures exfiltrated from infected devices by gaining access to these endpoints). 
These images\r\ncontained valuable information such as passports, credit card details, and other personal documents,\r\ndemonstrating the extent of data compromise and the level of control the attackers have over the infected devices.\r\nThis carelessness in leaving leaked data publicly available exposes victims to multiple threats, spanning identity\r\ntheft, fraud, extortion and more. However, it's worth mentioning that the impact\r\nof that information is not limited to cyberspace but could also involve a physical threat, with even more risks.\r\nMoreover, it's crucial to highlight that the exposed information can be exploited by various TAs who may access\r\nthe leaked data for purposes entirely different from the original intent (banking fraud in the case of TrickMo).\r\nThese bad actors can leverage the information for various malicious activities, each potentially more damaging\r\nthan the last.\r\nUnder these circumstances, it is crucial to re-evaluate the risks associated with such threats, emphasising the\r\nconsequences of these actions in the medium and long term rather than focusing on the near future. 
This\r\ncomprehensive assessment underscores the importance of robust data protection and systems with enhanced\r\npredictive capabilities to prevent malicious actions arising from such threats.\r\nAppendix 1: Malware Commands\r\nID Command Description\r\n1 Server Configures the C\u0026C (Command and Control) server details.\r\n2 Interval Sets the frequency at which the malware communicates with the C\u0026C server.\r\n3 DeleteAll Deletes all data or traces of the malware from the infected device.\r\n4 SelfDestroy Triggers the self-destruction of the malware to remove itself from the device.\r\n6 SetSmsApp Changes the default SMS application on the infected device.\r\n7 SetPhone Modifies phone settings or configurations.\r\n8 SendSms Sends SMS messages to specified numbers.\r\n9 ShowPopup Displays a popup message on the infected device.\r\n10 ActiveInterval Sets the active time interval for the malware's operations.\r\n11 RequestInfo Requests specific information from the infected device, such as contacts or messages.\r\n12 GetAllPhotos Retrieves all photos stored on the infected device.\r\n13 GetPhoto Retrieves a specific photo from the infected device.\r\n14 VNC Enables remote access and control of the infected device using Virtual Network Computing (VNC) technology.\r\n15 ScreenRecord Records the screen activity of the infected device.\r\n16 LoadModule Downloads and executes additional modules or payloads.\r\n17 StartOrInstall Starts a specific application or installs a new one on the infected device.\r\n18 SetClickerConfig Configures the clicker settings for automated clicking actions.\r\n19 ShowDialog Displays a dialog box on the infected device.\r\n20 ShowNotification Shows a notification on the infected device.\r\n21 SetVars Sets variables or parameters for the malware's 
operation.\r\n22 ReadSms Reads SMS messages from the infected device.\r\n23 RequestIgnoreBatteryOptimizations Requests the device to ignore battery optimization settings for the malware.\r\n24 ShowCover Displays a full-screen cover to hide malicious activities.\r\n25 UnlockScreen Attempts to unlock the device's screen.\r\n26 DisableNotifications Disables notifications to prevent the user from seeing alerts about the malware.\r\n27 PressHome Simulates pressing the home button.\r\n28 PressBack Simulates pressing the back button.\r\n29 OpenSetNewPasswordSettings Opens the settings to set a new password on the device.\r\n30 SaveHtml Saves HTML content to the device.\r\n31 PressRecents Simulates pressing the recents button to show recent apps.\r\n32 OpenPowerDialog Opens the power dialog for options like shutdown or restart.\r\n33 KillBackgroundProcesses Terminates background processes running on the device.\r\n34 RequestOverlayPermission Requests permission to draw over other apps.\r\n35 RequestPermissions Requests additional permissions from the user.\r\n36 OpenGoogleProtectSettings Opens the settings for Google Play Protect.\r\n37 TakeScreenshot Captures a screenshot of the device's display.\r\n38 Update Updates the malware to a newer version.\r\n39 OpenAccessibilitySettings Opens the accessibility settings menu.\r\n40 GetAllVideos Retrieves all video files stored on the infected device.\r\n41 GetVideo Retrieves a specific video from the infected device.\r\n42 OpenNotificationSettings Opens the notification settings menu.\r\n43 OpenAppSettings Opens the settings for a specific application.\r\n44 SendUssd Sends a USSD code (Unstructured Supplementary Service Data) to perform actions like balance checks or top-ups.\r\n45 ReadCalls Reads the call logs from the infected device.\r\n46 ChangeIcon Changes the icon 
of the malware to disguise its presence on the device.\r\nAppendix 2: Indicators of Compromise (IOCs) / TLP-AMBER\r\nWe have identified several Indicators of Compromise (IOCs) that provide critical insights into the TA\r\ninfrastructure and behaviour. However, we have decided to keep these IOCs confidential due to significant\r\nmisconfigurations within the Command and Control (C2) infrastructure leveraged by TrickMo. This decision\r\nstems from the potential risk that additional malicious actors could exploit these vulnerabilities to harvest a\r\nsubstantial amount of sensitive information from the compromised victims within the botnet.\r\nWhile we acknowledge that withholding IOCs might not be well-received within the cybersecurity community, we\r\nprioritise the privacy and security of affected individuals. Consequently, we will disseminate these IOCs under a\r\nTLP-AMBER protocol exclusively to trusted entities such as law enforcement agencies, reputable CERTs, and\r\nbanking institutions.\r\nResearchers and analysts recognised as trusted entities within the community can request access to the IOCs by\r\ncontacting us at labs@cleafy.com. By adopting this cautious approach, we aim to mitigate further exploitation\r\nrisks while ensuring that critical threat intelligence is shared responsibly with those who can act upon it\r\neffectively.\r\nSource: https://www.cleafy.com/cleafy-labs/a-new-trickmo-saga-from-banking-trojan-to-victims-data-leak",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"references": [
		"https://www.cleafy.com/cleafy-labs/a-new-trickmo-saga-from-banking-trojan-to-victims-data-leak"
	],
	"report_names": [
		"a-new-trickmo-saga-from-banking-trojan-to-victims-data-leak"
	],
	"threat_actors": [],
	"ts_created_at": 1775434439,
	"ts_updated_at": 1775791245,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/20dd3f3d690f16c5bfcfa1857a3978b32916be4b.pdf",
		"text": "https://archive.orkl.eu/20dd3f3d690f16c5bfcfa1857a3978b32916be4b.txt",
		"img": "https://archive.orkl.eu/20dd3f3d690f16c5bfcfa1857a3978b32916be4b.jpg"
	}
}