{
	"id": "c24a4d40-0286-4f0a-87ac-c1fec485cb7e",
	"created_at": "2026-04-06T00:14:01.738176Z",
	"updated_at": "2026-04-10T13:11:33.805099Z",
	"deleted_at": null,
	"sha1_hash": "67fb117c3b938893f2ddcb51df69462551d956fb",
	"title": "Expanding the Investigation: Deep Dive into Latest TrickMo Samples - Zimperium",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 554459,
	"plain_text": "Expanding the Investigation: Deep Dive into Latest TrickMo\r\nSamples - Zimperium\r\nBy Aazim Yaswant\r\nPublished: 2024-10-11 · Archived: 2026-04-05 13:39:51 UTC\r\nExecutive Summary\r\nOn September 10, Cleafy publicly disclosed a new variant of the Banking Trojan called TrickMo. This variant\r\nemployed innovative techniques to evade detection and analysis, such as zip file manipulation and obfuscation. \r\nWhile Cleafy did not release any Indicators of Compromise (IOCs), our research team conducted its own research\r\nand identified 40 recent variants of this threat, 16 droppers and 22 active Command and Control (C2) as well as\r\nadditional functionalities.\r\nOur analysis suggests that many of these samples remain undetected by the broader security community.\r\nQuick Features Recap\r\nThe 40 variants analyzed by our research team show identical capabilities to those shared by Cleafy, including:\r\nOTP interception \r\nScreen recording\r\nData exfiltration\r\nRemote control\r\nAutomatic permission granting and auto-click on prompts\r\nAccessibility service abuse\r\nOverlay display and credential theft\r\nThese capabilities enable the malware to effectively access any type of information stored on the device.\r\nMoreover, these capabilities can be combined to facilitate unauthorized access to bank accounts and financial\r\ntransactions, potentially resulting in significant financial losses for victims.\r\nhttps://www.zimperium.com/blog/expanding-the-investigation-deep-dive-into-latest-trickmo-samples/\r\nPage 1 of 9\n\nFig.1 deceptive overlays\r\nA New Dangerous Twist: Unlock Code Theft\r\nIn addition to the core capabilities mentioned above, we also discovered a new capability in some of the samples\r\nthat allows these variants to steal the device’s unlock pattern or PIN. This new addition enables the threat actor to\r\noperate on the device even while it is locked. 
To obtain the necessary unlock information, the malware presents a deceptive User Interface (UI) that mimics the device’s actual unlock screen.\r\nFig.2 fake unlocking UI\r\nThe deceptive UI is an HTML page hosted on an external website and displayed in full-screen mode on the device, making it look like a legitimate lock screen. When the user enters their unlock pattern or PIN, the page transmits the captured PIN or pattern details, along with a unique device identifier (the Android ID), to a PHP script. To obtain the Android ID, the WebView exposes a Java method named “getAndroidID” to the page’s JavaScript. This method retrieves the corresponding value from the device, and the page appends it to the POST request after the PIN or pattern has been acquired. This mechanism allows the Threat Actor (TA) to link the stolen credentials to the specific victim’s device.\r\nFig.3 request sent to the C2 and JS code to get the AndroidID\r\nExposed C2 Server: Geolocating Victims\r\nDuring our analysis, we successfully gained access to several C2 servers. Within the directories of the C2 servers, we discovered files with approximately 13,000 unique IP addresses belonging to the victims of this malware. 
After obtaining the list of IP addresses, we geolocated them to determine the regions targeted by this malware and its variants. Our analysis revealed that the primary targets were:\r\nCanada\r\nUnited Arab Emirates\r\nTurkey\r\nGermany\r\nFig.4 Percentage of victims per targeted country\r\nFig.5 Targeted countries color-coded to represent the % of victims per region\r\nEven on the newer C2 servers, where we did not observe the same data leakage, our analysis revealed that the IP list file is updated whenever the malware successfully exfiltrates credentials. We discovered millions of records within these files, indicating the extensive number of compromised devices and the substantial amount of sensitive data accessed by the Threat Actor.\r\nThese stolen credentials are not limited to banking information; they also include credentials used to access corporate resources such as VPNs and internal websites. This underscores the critical importance of protecting mobile devices, as they can serve as a primary entry point for cyberattacks on organizations.\r\nThrough our analysis of the exfiltrated data, we identified a diverse range of targeted applications spanning multiple categories. This analysis enabled us to compile a list of the most targeted application types, summarized in the following chart.\r\nZimperium vs. 
TrickMo\r\nGiven the malware’s advanced capabilities and extensive control over infected devices, it is critical to deploy proactive, robust protection and mitigation measures to safeguard users and devices from this malware and similar threats, and to prevent data or financial loss.\r\nZimperium is uniquely equipped to support enterprises (MTD) and app developers (MAPS) in defending against the constantly evolving threat landscape targeting mobile devices. Powered by our proprietary On-Device Dynamic Detection Engine, both MTD and MAPS leverage local, on-device advanced machine learning, behavioral analysis and deterministic detection to deliver comprehensive threat detection and mitigation without compromising user experience or development timelines.\r\nOur detection engine has identified and neutralized all malware samples and malicious URLs discussed in this blog post.\r\nMITRE ATT\u0026CK Techniques\r\nTo help our customers and the industry understand the impact of this malware, Zimperium has compiled the following table of MITRE ATT\u0026CK (Mobile) tactics and techniques as a reference. 
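Before the table, an added example of how an analyst can put the indicators above and the technique mapping below to work during triage. The Python script that follows was written for this page and is not code from the Zimperium post or from TrickMo itself: it scans decompiled Java (for instance jadx output) for the API names behind the behaviours described, the JavascriptInterface bridge that exports getAndroidID and reads the Android ID, the full-screen window used for the fake unlock screen, an SMS broadcast receiver, and runtime DEX loading. The Java fragments are constructed for the example, the bridge object name ‘Android’ is an assumption (the post only names the method getAndroidID), and the technique IDs are taken from the table; substring hits are triage hints to be confirmed by hand, not a verdict.

```python
from dataclasses import dataclass
from typing import Dict, List, Set

# Heuristic indicators in decompiled Java, mapped to the ATT&CK Mobile technique
# IDs used in the table below. Substring matches are triage hints, not proof of
# malice: legitimate apps use several of these APIs too.
INDICATORS = [
    ('addJavascriptInterface(', 'T1417.002', 'WebView exposes a Java object to page JavaScript'),
    ('@JavascriptInterface', 'T1417.002', 'method callable from WebView JavaScript'),
    ('Settings.Secure.ANDROID_ID', 'T1426', 'reads the Android ID'),
    ('FLAG_FULLSCREEN', 'T1516', 'full-screen window, as used for the fake unlock screen'),
    ('TYPE_APPLICATION_OVERLAY', 'T1516', 'system overlay window'),
    ('AccessibilityService', 'T1516', 'accessibility service (auto-click, permission granting)'),
    ('SMS_RECEIVED', 'T1624.001', 'broadcast receiver for incoming SMS'),
    ('DexClassLoader', 'T1407', 'loads DEX code at runtime'),
]

# Constructed sample sources (not real TrickMo code): the shape of an activity
# that shows a full-screen WebView and exports getAndroidID to the page, an
# SMS receiver, and a benign helper. The bridge object name 'Android' is assumed.
SAMPLE_SOURCES: Dict[str, str] = {
    'com/example/sample/LockActivity.java': '''
public class LockActivity extends Activity {
    protected void onCreate(Bundle b) {
        super.onCreate(b);
        getWindow().setFlags(WindowManager.LayoutParams.FLAG_FULLSCREEN, WindowManager.LayoutParams.FLAG_FULLSCREEN);
        WebView web = new WebView(this);
        web.getSettings().setJavaScriptEnabled(true);
        web.addJavascriptInterface(new Bridge(), \"Android\");
        web.loadUrl(this.endpoint);
        setContentView(web);
    }
    class Bridge {
        @JavascriptInterface
        public String getAndroidID() {
            return Settings.Secure.getString(getContentResolver(), Settings.Secure.ANDROID_ID);
        }
    }
}
''',
    'com/example/sample/SmsReceiver.java': '''
public class SmsReceiver extends BroadcastReceiver {
    public void onReceive(Context c, Intent i) {
        if (\"android.provider.Telephony.SMS_RECEIVED\".equals(i.getAction())) { forward(i); }
    }
}
''',
    'com/example/sample/Util.java': '''
public class Util { static String join(String a, String b) { return a + b; } }
''',
}


@dataclass(frozen=True)
class Finding:
    path: str
    line_no: int
    indicator: str
    technique: str
    note: str


def scan_source(path: str, text: str) -> List[Finding]:
    '''Return one Finding per (line, indicator) hit in a single source file.'''
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        for needle, technique, note in INDICATORS:
            if needle in line:
                findings.append(Finding(path, line_no, needle, technique, note))
    return findings


def scan_tree(sources: Dict[str, str]) -> List[Finding]:
    '''Scan a mapping of path -> decompiled source (e.g. jadx output read from disk).'''
    findings: List[Finding] = []
    for path, text in sources.items():
        findings.extend(scan_source(path, text))
    return findings


def flags_unlock_bridge(findings: List[Finding]) -> List[str]:
    '''Files that combine a JS bridge, Android ID access and a full-screen window:
    the building blocks of the fake unlock screen described in the post.'''
    by_path: Dict[str, Set[str]] = {}
    for f in findings:
        by_path.setdefault(f.path, set()).add(f.indicator)
    required = {'addJavascriptInterface(', 'Settings.Secure.ANDROID_ID', 'FLAG_FULLSCREEN'}
    return sorted(path for path, seen in by_path.items() if required <= seen)


def techniques_observed(findings: List[Finding]) -> List[str]:
    '''Distinct technique IDs hit, for comparison against the ATT&CK table.'''
    return sorted({f.technique for f in findings})


if __name__ == '__main__':
    hits = scan_tree(SAMPLE_SOURCES)
    for f in hits:
        print(f.path, f.line_no, f.technique, f.note)
    print('unlock-screen bridge candidates:', flags_unlock_bridge(hits))
    print('techniques:', techniques_observed(hits))
```

To run it against a real sample, replace SAMPLE_SOURCES with a dict built from the .java files of a decompilation on disk. flags_unlock_bridge() only fires when all three unlock-screen building blocks appear in the same file, which keeps ordinary WebView apps that merely expose a JavaScript bridge out of the shortlist; the per-line findings still list them for manual review.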
\r\nTactic | ID | Name | Description\r\nInitial Access | T1660 | Phishing | Adversaries send malicious content to users in order to gain access to their device.\r\nPersistence | T1398 | Boot or Logon Initialization Scripts | The malware is executed at boot.\r\nPersistence | T1624.001 | Event Triggered Execution: Broadcast Receivers | It creates a broadcast receiver to receive SMS events and outgoing calls.\r\nPersistence | T1541 | Foreground Persistence | It puts itself in the foreground to abuse notifications.\r\nDefense Evasion | T1407 | Download New Code at Runtime | It can download and execute DEX dynamically.\r\nDefense Evasion | T1628.001 | Hide Artifacts: Suppress Application Icon | It hides the application icon.\r\nDefense Evasion | T1629.001 | Impair Defenses: Prevent Application Removal | It prevents the user from uninstalling the app by showing a prompt.\r\nDefense Evasion | T1630.002 | Indicator Removal on Host: File Deletion | It can delete all of its traces.\r\nDefense Evasion | T1516 | Input Injection | It abuses the accessibility APIs to grant itself permissions.\r\nDefense Evasion | T1655.001 | Masquerading: Match Legitimate Name or Location | It uses the Google services app’s name and icon.\r\nDefense Evasion | T1406.002 | Obfuscated Files or Information: Software Packing | It uses obfuscation and packers (JSONPacker) to conceal its code.\r\nCredential Access | T1517 | Access Notifications | It has a notification listener.\r\nCredential Access | T1414 | Clipboard Data | It extracts data stored on the clipboard.\r\nCredential Access | T1417.001 | Input Capture: Keylogging | It has a keylogger feature.\r\nCredential Access | T1417.002 | Input Capture: GUI Input Capture | It is able to capture the displayed UI.\r\nCredential Access | T1635 | Steal Application Access Token | It steals OTPs.\r\nDiscovery | T1420 | File and Directory Discovery | It enumerates all the videos and pictures on the device.\r\nDiscovery | T1418 | Software Discovery | It gets the list of installed applications.\r\nDiscovery | T1426 | System Information Discovery | It gets information about the device, such as the Android ID.\r\nCollection | T1517 | Access Notifications | It registers a receiver to monitor incoming SMS messages.\r\nCollection | T1429 | Audio Capture | It can steal audio from the device.\r\nCollection | T1414 | Clipboard Data | It can steal data from the clipboard.\r\nCollection | T1533 | Data from Local System | It searches for files of interest before exfiltration.\r\nCollection | T1417.001 | Input Capture: Keylogging | It has a keylogger feature.\r\nCollection | T1417.002 | Input Capture: GUI Input Capture | It is able to capture the displayed UI.\r\nCollection | T1430 | Location Tracking | It accesses the precise location of the device.\r\nCollection | T1636.002 | Protected User Data: Call Log | It exports the device’s call logs.\r\nCollection | T1636.003 | Protected User Data: Contact List | It exports the device’s contacts.\r\nCollection | T1636.004 | Protected User Data: SMS Messages | It exfiltrates all incoming OTP SMS messages.\r\nCollection | T1513 | Screen Capture | It can capture the device screen.\r\nCommand and Control | T1637 | Dynamic Resolution | It receives the injected HTML payload endpoint dynamically from the server.\r\nCommand and Control | T1481.002 | Web Service: Bidirectional Communication | It uses WebSocket communication to poll the TA’s server and get the commands to execute.\r\nExfiltration | T1639.001 | Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted Non-C2 Protocol | The stolen credentials are sent to a different C2.\r\nImpact | T1516 | Input Injection | It displays inject payloads such as a pattern lock and mimics banking apps’ login screens through overlays to steal credentials.\r\nImpact | T1582 | SMS Control | It can read and send SMS.\r\nIndicators of Compromise (IOCs)\r\nThe IOCs of this campaign can be found here.\r\nSource: https://www.zimperium.com/blog/expanding-the-investigation-deep-dive-into-latest-trickmo-samples/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.zimperium.com/blog/expanding-the-investigation-deep-dive-into-latest-trickmo-samples/"
	],
	"report_names": [
		"expanding-the-investigation-deep-dive-into-latest-trickmo-samples"
	],
	"threat_actors": [],
	"ts_created_at": 1775434441,
	"ts_updated_at": 1775826693,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/67fb117c3b938893f2ddcb51df69462551d956fb.pdf",
		"text": "https://archive.orkl.eu/67fb117c3b938893f2ddcb51df69462551d956fb.txt",
		"img": "https://archive.orkl.eu/67fb117c3b938893f2ddcb51df69462551d956fb.jpg"
	}
}