{
	"id": "21b76b71-124e-4fa8-8825-196f73cd9cfc",
	"created_at": "2026-04-06T01:29:11.933643Z",
	"updated_at": "2026-04-10T03:32:46.119141Z",
	"deleted_at": null,
	"sha1_hash": "47ee59c3f21e024e9a042ece768cdb1d8aa07927",
	"title": "TrickMo Banking Trojan Resurgence: New Features",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 989560,
	"plain_text": "TrickMo Banking Trojan Resurgence: New Features\r\nBy cybleinc\r\nPublished: 2023-12-04 · Archived: 2026-04-06 00:10:43 UTC\r\nKey Takeaways\r\nTrickMo Banking Trojan, initially identified in September 2019, showed a resurgence in September\r\n2023 with enhanced functionalities.\r\nRecent TrickMo variants use JsonPacker to conceal their code, a packing technique observed in other\r\nbanking trojans.\r\nThe latest TrickMo variant has expanded its capabilities with 45 commands, introducing features such\r\nas stealing screen content, downloading runtime modules, overlay injection techniques, and other\r\nadvanced functionalities.\r\nThis iteration of TrickMo relies on the Accessibility Service to execute Clicker and screen content\r\nexfiltration functionality.\r\nThe malware employs an Overlay attack as the main method to harvest credentials from target\r\napplications.\r\nOverview\r\nThe TrickMo Banking Trojan was identified in September 2019 and was disseminated through the TrickBot\r\nmalware. In March 2020, IBM researchers analyzed a newly discovered Android Banking Trojan known as\r\n“TrickMo.” This Trojan specifically targeted users in Germany with the objective of stealing Transaction\r\nAuthentication Numbers (TANs) by leveraging a screen recording feature.\r\nInterestingly, Cyble Research and Intelligence Labs (CRIL) came across a new variant of this nefarious banking\r\ntrojan via VirusTotal Intelligence in September 2023. 
This variant of TrickMo displayed enhanced functionalities\r\nupon comparison with the last documented analysis, employing overlay injection techniques to extract credentials\r\nfrom targeted applications instead of relying on screen recording, as observed in the first iteration.\r\nSubsequent to the initial sample discovery, two additional TrickMo banking Trojan samples were detected on\r\nVirusTotal on October 17, 2023 (a03c968ed6f639f766cf562493a90ae7a61e909d99e098aea2abbbf607003337), and\r\nNovember 11, 2023 (55554c599507947c5eb96264a7db9acaa65d2b42742b39b15686836d0fac2ba0). The initial\r\n(September) sample masqueraded as the free movie-streaming app “OnStream,” while the two later samples impersonated Google\r\nChrome.\r\nhttps://cyble.com/blog/trickmos-return-banking-trojan-resurgence-with-new-features/\r\nPage 1 of 12\n\nTrickMo Banking Trojan Activity Timeline\r\nA thorough analysis of the timeline of the TrickMo Banking Trojan’s activity revealed a significant campaign\r\nspanning from 2020 through early 2021. In July 2021, a noteworthy shift occurred as the updated variant of TrickMo\r\nadopted the Overlay attack technique as its primary method for credential theft. Subsequently, from July 2021 to\r\n2022, only six samples were identified, with two being new variants\r\n(52d4e516fe21c989cf2faf3e5ebd560c491e75cb439c5591aa3228eea64f4a73 and\r\n493b219932c105a9e2a8dd90dbbd0bb8ffc8bab3035c7353f9beba1747ef0d4e), featuring an augmented set of 40\r\ncommands.\r\nFollowing a period of inactivity, we detected three new instances of the TrickMo Banking Trojan after September\r\n2023, as previously noted. A detailed analysis of the most recent variants revealed the incorporation of five\r\nadditional commands, underscoring the continuous endeavors of the Threat Actor (TA) to improve and upgrade the\r\nmalware. 
The depicted figure below briefly outlines the evolving timeline of TrickMo Banking Trojan’s activities.\r\nFigure 1 – TrickMo Banking Trojan Activity Timeline\r\nRecently identified variants of the TrickMo Banking Trojan utilize JsonPacker to conceal their malicious code.\r\nThis packing technique, popular among banking trojans, has been previously observed in well-known malware like\r\nHydra, Ermac, SOVA, and others. Notably, the malware maintains consistency in its package name, “d2.d2.d2,”\r\nand exhibits a similar pattern in command and control (C\u0026C) server behavior observed in previous versions. All\r\nrecent samples of the TrickMo Banking Trojan establish communication with a common C\u0026C server, specifically\r\nidentified as “hxxp://keepass[.]ltd/c” and hosted on the IP address “194.169.175[.]138.” Although this malicious IP\r\nhosts Windows-related malware files, there is currently no clear evidence linking the distribution of TrickMo through\r\nthese malicious files.\r\nFigure 2 – Windows-based malware communicates with the IP of the C\u0026C server\r\nThe figure below shows the admin panel of the C\u0026C server:\r\nFigure 3 – Admin Panel of the C\u0026C server\r\nAs explained earlier, the latest version of the TrickMo Banking Trojan has significantly expanded its arsenal,\r\nincorporating a total of 45 commands. This updated variant introduces enhanced functionalities, encompassing\r\ncapabilities such as stealing screen content, the capacity to download runtime modules, overlay injection techniques,\r\nand a host of other advanced features. 
A comprehensive technical analysis of these additions is outlined in the\r\nsubsequent section.\r\nTechnical Analysis\r\nAPK Metadata Information\r\nApp Name: OnStream\r\nPackage Name: d2.d2.d2\r\nSHA256 Hash: 43e19c7bbaf2d85c3952c4f28cb11ff3c711c3bb0d8396b2ac48a9d4efb955e8\r\nFigure 4 – Application metadata information\r\nLike many other widely recognized banking Trojans, TrickMo also leverages the Accessibility Service to carry out\r\nits malicious operations. Upon installation, the malware requests users to grant Accessibility permissions, which it\r\nsubsequently exploits to automatically grant further permissions and execute Banking Trojan activities.\r\nFigure 5 – Malware prompts to grant Accessibility Service\r\nIn the background, TrickMo establishes a connection with the C\u0026C server at “hxxps://keepass[.]ltd/c” and transmits\r\nvarious data, including the list of installed application package names, locale, device information, Accessibility status,\r\npermission status, and other configuration details relevant to the malware.\r\nFigure 6 – C\u0026C communication\r\nIn recently observed instances of this malware posing as Google Chrome, the malware is instructed by the server to\r\nprompt users to enable the Accessibility Service. 
The command received by the malware includes a command ID\r\nnumber, along with a message and a description for the button, as illustrated in the figure below.\r\nFigure 7 – Malware receives a command to prompt the user to grant Accessibility service\r\nUpon obtaining permission for the Accessibility Service, the malware begins recording Accessibility logs specifically\r\nfor the “com.android.settings” package. These logs are stored in a text file, named with the package name, date, and\r\ntime, such as “com.android.settings_2023-11-29-07-37-14.txt”. Subsequently, these log files are compressed into a\r\nzip archive and transmitted to the C\u0026C server.\r\nFigure 8 – Sending Accessibility logs\r\nOverlay Attack\r\nAs previously described, the malware initially gathers the installed application’s package names to identify the target\r\napplication. Upon identifying the target application, the malware then receives a command labeled “30 (SaveHtml)”\r\naccompanied by the package ID and an overlay URL. The malware proceeds to generate an HTML file on the\r\ninfected device using the package ID and saves the content obtained from the provided overlay URL into this file.\r\nThis HTML file will later be used as an HTML Overlay Injection page to show on the targeted application.\r\nFigure 9 – Malware saves HTML overlay injection pages on the infected device\r\nFurthermore, upon establishing a connection to the Overlay URL received alongside the command, the malware is\r\nprovided with a code parameter. If the code parameter is 200, the malware proceeds to load the HTML overlay\r\ninjection page saved on the infected device onto the targeted application using WebView. Additionally, the malware\r\ncan receive the command “11 (RequestInfo),” which includes the Overlay URL. 
It then loads this URL into the\r\nWebView overlay on the targeted application, allowing it to capture and steal credentials entered by the unsuspecting\r\nvictim.\r\nFigure 10 – Malware receives a command to create an Overlay Window on targeted applications\r\nA few HTML Overlay injection pages designed for various target applications are as follows:\r\nFigure 11 – HTML Overlay injection pages\r\nBelow are a few identified targeted applications:\r\nPackage name | Application name\r\nio.metamask | MetaMask – Blockchain Wallet\r\npiuk.blockchain.android | Blockchain.com: Crypto Wallet\r\ncom.moneybookers.skrillpayments | Skrill – Pay \u0026 Transfer Money\r\ncom.paypal.android.p2pmobile | PayPal – Send, Shop, Manage\r\ncom.samsung.android.email.provider | Samsung Email\r\nus.zoom.videomeetings | Zoom – One Platform to Connect\r\ncom.microsoft.office.outlook | Microsoft Outlook\r\ncom.wallet.crypto.trustapp | Trust: Crypto \u0026 Bitcoin Wallet\r\nco.mona.android | Crypto.com – Buy BTC, ETH\r\ncom.kubi.kucoin | KuCoin: Buy Bitcoin \u0026 Crypto\r\ncom.facebook.katana | Facebook\r\ncom.okinc.okex.gp | OKX: Buy Bitcoin BTC \u0026 Crypto\r\ncom.binance.dev | Binance: Buy Bitcoin \u0026 Crypto\r\ncom.coinbase.android | Coinbase: Buy Bitcoin \u0026 Ether\r\ncom.cmcmarkets.android.cfd | CMC: Trading App\r\ncom.amazon.mShop.android.shopping | Amazon Shopping\r\ncom.ubercab.eats | Uber Eats: Food Delivery\r\ncom.ubercab | Uber – Easy affordable trips\r\nuk.co.hsbc.hsbcukmobilebanking | HSBC UK Mobile Banking\r\ncom.booking | Booking.com: Hotels and more\r\ncom.alibaba.aliexpresshd | AliExpress\r\ncom.yahoo.mobile.client.android.mail | Yahoo Mail – Organized Email\r\ncom.google.android.gm | Gmail\r\ncom.netflix.mediaclient | Netflix\r\ncom.grppl.android.shell.CMBlloydsTSB73 | Lloyds Bank Mobile Banking\r\ncom.td | TD Canada\r\nde.ingdiba.bankingapp | ING Banking to go\r\nde.dkb.portalapp | DKB Banking\r\nde.fiducia.smartphone.android.banking.vr | VR Banking\r\nde.spardab.banking.privat | SpardaBanking\r\nae.ahb.digital | Al Hilal Digital\r\nca.bnc.android | National Bank of Canada\r\ncom.adcb.bank | ADCB\r\ncom.atb.ATBMobile | ATB Personal – Mobile Banking\r\ncom.bmo.mobile | BMO Mobile Banking\r\ncom.cibc.android.mobi | CIBC Mobile Banking®\r\ncom.dib.app | DIB MOBILE\r\ncom.myc3card.app | com.myc3card.app\r\ncom.fab.personalbanking | FAB Mobile\r\nClicker\r\nWithin the assets of the APK file, the malware includes a clicker.json file. This file contains the package names on\r\nwhich the auto-click functionality should operate, along with specified filters and actions to be executed on these\r\napplications.\r\nFigure 12 – Content of clicker.json file\r\nThe malware executes actions specified in the clicker.json file by utilizing the Accessibility Service. With each\r\nevent, the Accessibility Service retrieves the information from the clicker.json file, passes along event details, and\r\nsubsequently performs actions based on the filters outlined in the JSON file. The malware can auto-execute any\r\nactivity on the infected device without the victim’s knowledge using this feature.\r\nFigure 13 – Perform actions from the clicker.json file\r\nCollecting Screen Content\r\nIn earlier iterations, the malware employed the MediaProjection API to record screen content. Subsequently, the\r\nmalware underwent modifications, discontinuing the screen recording functionality. Instead, the updated malware\r\nnow observes running applications, captures Accessibility event logs, and saves them in a text file. 
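The report describes the exfiltrated Accessibility-log artifact only by its naming convention (package name, an underscore, and a date-time stamp, zipped before upload). The following Python script is an added triage example written for this page; it is not code from the Cyble report and not the malware's own code. It opens a recovered archive, parses every member name against that convention, and reports which packages were being recorded and over what time window, while listing members that do not follow the convention. The archive contents and the event text inside each log are constructed for the example, and WATCHED_PACKAGES is an assumed subset of the targeted applications listed above, not a list from the report.

```python
import io
import re
import zipfile
from datetime import datetime

# Filename convention reported for the Accessibility-log artifact:
#   <package name>_<YYYY-MM-DD-HH-MM-SS>.txt
#   e.g. com.android.settings_2023-11-29-07-37-14.txt
LOG_NAME = re.compile(
    r'^(?P<pkg>[A-Za-z][A-Za-z0-9_.]*)_'
    r'(?P<ts>[0-9]{4}-[0-9]{2}-[0-9]{2}-[0-9]{2}-[0-9]{2}-[0-9]{2})[.]txt$'
)

# Assumed subset of the targeted applications an analyst would prioritise.
# Any list of package names works here.
WATCHED_PACKAGES = {
    'com.android.settings',
    'com.paypal.android.p2pmobile',
    'uk.co.hsbc.hsbcukmobilebanking',
    'de.ingdiba.bankingapp',
}


def parse_log_name(member_name):
    '''Return (package, datetime) for a member that follows the convention, else None.'''
    base = member_name.rsplit('/', 1)[-1]
    m = LOG_NAME.match(base)
    if not m:
        return None
    ts = datetime.strptime(m.group('ts'), '%Y-%m-%d-%H-%M-%S')
    return m.group('pkg'), ts


def triage_archive(zip_bytes):
    '''Summarise a recovered exfiltration archive.

    Returns the recognised log members (package, capture time, size),
    the members that do not follow the naming convention, the watched
    packages that were being recorded, and the capture time window.'''
    logs = []
    unknown = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            parsed = parse_log_name(info.filename)
            if parsed is None:
                unknown.append(info.filename)
                continue
            pkg, ts = parsed
            logs.append({'package': pkg, 'captured_at': ts, 'size': info.file_size})
    logs.sort(key=lambda entry: entry['captured_at'])
    recorded = {entry['package'] for entry in logs}
    return {
        'logs': logs,
        'unknown': unknown,
        'watched_hits': sorted(recorded & WATCHED_PACKAGES),
        'first_capture': logs[0]['captured_at'] if logs else None,
        'last_capture': logs[-1]['captured_at'] if logs else None,
    }


def build_sample_archive():
    '''Constructed sample archive (not a real TrickMo artifact) for an offline run.'''
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, 'w', zipfile.ZIP_DEFLATED) as zf:
        zf.writestr('com.android.settings_2023-11-29-07-37-14.txt',
                    'TYPE_VIEW_CLICKED Accessibility Settings')
        zf.writestr('com.paypal.android.p2pmobile_2023-11-29-07-41-02.txt',
                    'TYPE_VIEW_TEXT_CHANGED Email or mobile number')
        zf.writestr('logs/de.ingdiba.bankingapp_2023-11-29-08-03-55.txt',
                    'TYPE_WINDOW_STATE_CHANGED Login')
        zf.writestr('readme.txt', 'not an accessibility log')
    return buf.getvalue()


if __name__ == '__main__':
    summary = triage_archive(build_sample_archive())
    for entry in summary['logs']:
        print(entry['captured_at'], entry['package'], entry['size'])
    print('watched packages recorded:', summary['watched_hits'])
    print('unrecognised members:', summary['unknown'])
```

For a seized archive, pass its bytes to triage_archive in place of the constructed one. Members that do not follow the convention are reported rather than silently skipped, since a changed naming scheme would be the first sign of a newer variant.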
This collected\r\ndata is then compressed into a zip file and transmitted to the C\u0026C server.\r\nFigure 14 – Recording Accessibility events as a Record Screen feature\r\nMoreover, upon receiving the command “15 (ScreenRecord)” along with specific package names, the malware\r\nincorporates these package names into its recording list. Subsequently, it sets the recording status to “enable”,\r\nprompting the malware to initiate the recording of Accessibility logs for the designated target applications.\r\nFigure 15 – Command to receive package names to initiate Accessibility event log recording\r\nCommands Executed By TrickMo\r\nWith each upgrade, the malware gained the ability to execute actions seamlessly without requiring user interaction.\r\nAs mentioned earlier, in the latest variant, the malware introduced five new commands highlighted in the command\r\ntable. 
These commands are designed to access application and notification settings, gather call logs, change the ICON,\r\nand initiate USSD service calls.\r\nFigure 16 – Executes USSD service call\r\nThe full list of commands executed by the malware is as follows, with the five newly added commands marked (new):\r\nCommand code | Command name | Description\r\n1 | Server | Set server status in shared preference\r\n2 | Interval | Get interval time for custom timer\r\n3 | DeleteAll | Receives delete all value to abort the broadcast\r\n4 | SelfDestroy | Uninstall itself\r\n6 | SetSmsApp | Set itself as the default SMS app\r\n7 | TakeScreenshot | Saves device phone number\r\n8 | SendSms | Sends SMS from the infected device\r\n9 | ShowPopup | Not implemented\r\n10 | ActiveInterval | Sets active interval time\r\n11 | RequestInfo | Collects stolen credentials from overlay web pages\r\n12 | GetAllPhotos | Uploads all photos\r\n13 | GetPhoto | Uploads a single photo\r\n14 | VNC | VNC not implemented\r\n15 | ScreenRecord | Receives package names to initiate recording of Accessibility logs\r\n16 | LoadModule | Downloads APK\r\n17 | StartOrInstall | Launch or install a particular package\r\n18 | SetClickerConfig | Update clicker.json file\r\n19 | ShowDialog | Shows dialog box\r\n20 | ShowNotification | Displays notification\r\n21 | SetVars | Sets URL value to the iconUrl variable\r\n22 | ReadSms | Collects SMS from the infected device\r\n23 | RequestIgnoreBatteryOptimizations | Requests battery optimization exemption\r\n24 | ShowCover | Displays overlay window with the message received from the server\r\n25 | UnlockScreen | Unlocks screen\r\n26 | DisableNotifications | Disables notifications\r\n27 | PressHome | Press home button\r\n28 | PressBack | Press back button\r\n29 | OpenSetNewPasswordSettings | Open password settings\r\n30 | SaveHtml | Saves overlay phishing HTML pages\r\n31 | PressRecents | Press recents button\r\n32 | OpenPowerDialog | Opens battery optimization dialog\r\n33 | KillBackgroundProcesses | Kills running background processes\r\n34 | RequestOverlayPermission | Request to grant Display over other apps permission\r\n35 | RequestPermissions | Prompts for permissions\r\n36 | OpenGoogleProtectSettings | Open Google Play Protect settings\r\n37 | TakeScreenshot | Take screenshots of the infected device\r\n38 | Update | Update application\r\n39 | OpenAccessibilitySettings | Open Accessibility Service settings\r\n40 | GetAllVideos | Get all videos from the infected device\r\n41 | GetVideo | Get a specific video\r\n42 | OpenNotificationSettings | Open notification settings (new)\r\n43 | OpenAppSettings | Open settings application (new)\r\n44 | SendUssd | Makes USSD service calls (new)\r\n45 | ReadCalls | Collects call log (new)\r\n46 | ChangeIcon | Changes ICON (new)\r\nConclusion\r\nThe TrickMo Banking Trojan has demonstrated remarkable resilience and adaptability since its initial discovery in\r\n2019, recently resurfacing in 2023 with upgraded capabilities.\r\nThe malware’s transition to overlay attacks, its use of JsonPacker for code obfuscation, and its consistent behavior\r\nwith the command and control server highlight the threat actor’s dedication to refining their strategies. Notably, the\r\nlatest variants showcase advanced features such as overlay injection techniques, clicker functionality, and the\r\ncapacity to capture screen content.\r\nFurthermore, an intriguing observation reveals the inclusion of a VNC command, though not yet implemented,\r\nsuggesting that the TA is planning to introduce new features in the near future. 
The resurgence of TrickMo in\r\nSeptember 2023 is a clear example of the ongoing challenges in mobile security, underscoring the need for proactive\r\nmeasures and heightened awareness in the face of evolving cyber threats.\r\nOur Recommendations\r\nWe have listed some essential cybersecurity best practices that create the first line of control against attackers. We\r\nrecommend that our readers follow the best practices given below:\r\nOnly install software from official app stores such as the Play Store or the iOS App Store.\r\nUsing a reputed antivirus and internet security software package is recommended on connected\r\ndevices, including PCs, laptops, and mobile.\r\nUse strong passwords and enforce multi-factor authentication wherever possible.\r\nBe careful while opening links received via SMS or emails sent to your mobile device.\r\nGoogle Play Protect should always be enabled on Android devices.\r\nBe wary of any permissions that you give an application.\r\nKeep devices, operating systems, and applications up to date.\r\nMITRE ATT\u0026CK® Techniques\r\nTactic | Technique ID | Procedure\r\nPersistence (TA0028) | Event Triggered Execution: Broadcast Receivers (T1624.001) | The malware registers broadcast receivers to trigger malicious actions.\r\nDefense Evasion (TA0030) | Masquerading: Match Legitimate Name or Location (T1655.001) | TrickMo masquerades as popular applications.\r\nDefense Evasion (TA0030) | Obfuscated Files or Information: Software Packing (T1406.002) | Malware uses JsonPacker.\r\nDefense Evasion (TA0030) | Download New Code at Runtime (T1407) | Malware downloads additional payload on command.\r\nDefense Evasion (TA0030) | Impair Defenses: Prevent Application Removal (T1629.001) | Abuses the Accessibility Service to prevent uninstallation.\r\nDiscovery (TA0032) | System Information Discovery (T1426) | Collects device information such as device ID, model, and manufacturer.\r\nDiscovery (TA0032) | Software Discovery (T1418) | Collects installed application details.\r\nCollection (TA0035) | Input Capture: Keylogging (T1417.001) | Uses the keylogging feature to steal credentials.\r\nCollection (TA0035) | Data from Local System (T1533) | Collects files from storage.\r\nCollection (TA0035) | Protected User Data: SMS Messages (T1636.004) | Steals SMSs from the infected device.\r\nExfiltration (TA0036) | Exfiltration Over C2 Channel (T1646) | Sends exfiltrated data to the C\u0026C server.\r\nIndicators of Compromise (IOCs)\r\nIndicator | Indicator type | Description\r\n55554c599507947c5eb96264a7db9acaa65d2b42742b39b15686836d0fac2ba0 | SHA256 | TrickMo Banking Trojan file hash\r\n2b763a2f9abbb2157a9237c48d56ac985b4a8388 | SHA1 | TrickMo Banking Trojan file hash\r\nc74014b6ce3190c195fc2d22bfbab99e | MD5 | TrickMo Banking Trojan file hash\r\nhxxp://keepass[.]ltd | URL | C\u0026C server\r\na03c968ed6f639f766cf562493a90ae7a61e909d99e098aea2abbbf607003337 | SHA256 | TrickMo Banking Trojan file hash\r\n943670e1fa503b482c38df29cc9e99c9c2cfd0f7 | SHA1 | TrickMo Banking Trojan file hash\r\nbef3e6f5851be75415eeb95909377af2 | MD5 | TrickMo Banking Trojan file hash\r\n43e19c7bbaf2d85c3952c4f28cb11ff3c711c3bb0d8396b2ac48a9d4efb955e8 | SHA256 | TrickMo Banking Trojan file hash\r\n55e3647bb960f0faba06b39a5ddec26485f03c16 | SHA1 | TrickMo Banking Trojan file hash\r\na72522b93107881ebb4651ad9258bce2 | MD5 | TrickMo Banking Trojan file hash\r\n65d7a2019922d8c97cdc38a2b0f1bb046bf0ec35780847ac5c8fb38469e6cd58 | SHA256 | TrickMo Banking Trojan Dropper file hash\r\n381a8ba257c028e302d6db14170d8c000363d718 | SHA1 | TrickMo Banking Trojan Dropper file hash\r\na6de677f5557816f8bddf306c81eaebc | MD5 | TrickMo Banking Trojan Dropper file hash\r\nSource: https://cyble.com/blog/trickmos-return-banking-trojan-resurgence-with-new-features/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://cyble.com/blog/trickmos-return-banking-trojan-resurgence-with-new-features/"
	],
	"report_names": [
		"trickmos-return-banking-trojan-resurgence-with-new-features"
	],
	"threat_actors": [
		{
			"id": "3fff98c9-ad02-401d-9d4b-f78b5b634f31",
			"created_at": "2023-01-06T13:46:38.376868Z",
			"updated_at": "2026-04-10T02:00:02.949077Z",
			"deleted_at": null,
			"main_name": "Cleaver",
			"aliases": [
				"G0003",
				"Operation Cleaver",
				"Op Cleaver",
				"Tarh Andishan",
				"Alibaba",
				"TG-2889",
				"Cobalt Gypsy"
			],
			"source_name": "MISPGALAXY:Cleaver",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775438951,
	"ts_updated_at": 1775791966,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/47ee59c3f21e024e9a042ece768cdb1d8aa07927.pdf",
		"text": "https://archive.orkl.eu/47ee59c3f21e024e9a042ece768cdb1d8aa07927.txt",
		"img": "https://archive.orkl.eu/47ee59c3f21e024e9a042ece768cdb1d8aa07927.jpg"
	}
}