This Android banking trojan uses a fake lock screen to steal your PIN and your cash — how to stay safe

Just like with apps you use on your phone, mobile malware is always improving. Case in point, forty new variants of the TrickMo banking trojan have been spotted in the wild and some can even steal the PIN or unlock pattern from your Android phone.

As reported by BleepingComputer, the cybersecurity firm Zimperium has identified dozens of new TrickMo variants that are linked to 16 malware droppers and use 22 different command and control (C&C) infrastructures to steal your data and your hard-earned cash.

First discovered by IBM’s X-Force cybersecurity division back in 2020, though it’s likely been used to target the best Android phones since 2019, TrickMo has now been upgraded with new capabilities that make it even more dangerous. These include one-time password (OTP) interception, screen recording, data exfiltration, automatic permission granting, the ability to launch overlay attacks and more.

What’s particularly concerning about these new TrickMo variants though is their ability to steal an Android phone’s PIN or unlock pattern. With this info in hand, hackers can wait until a device is idle — like when you’re sleeping — to perform on-device fraud.

Here’s everything you need to know about the TrickMo banking trojan along with some tips on how you can keep your Android phone and other devices safe from malware.

Harvesting PINs and unlock patterns

As TrickMo is a banking trojan after all, it uses fake login screens — like the ones used in overlay attacks — to harvest usernames and passwords from unsuspecting Android users. You might think you’re logging into a banking app when really, you’re giving your credentials to hackers.

One of the ways in which TrickMo accomplishes this is by abusing Android’s Accessibility services to grant itself access to additional permissions. It also has the ability to tap on prompts automatically when they pop up on your phone.

In its report on the matter, Zimperium explains that these upgraded versions of TrickMo can mimic the unlock prompts you see on your Android phone when you turn on its screen. These are actually HTML pages hosted on an external website which are displayed in full-screen mode on an infected device. This makes them look legitimate and, as we haven’t seen this type of attack in the past, you can see how someone could easily fall for it.

Once a PIN or unlock pattern is harvested by the hackers using TrickMo in their attacks, this info along with a unique device identifier is written as a PHP script that gets sent back to them. From there, they can unlock your phone remotely whenever they want and perform additional attacks or on-device fraud.

As it stands now, Zimperium has identified TrickMo victims in Canada, the United Arab Emirates, Turkey and Germany. However, a sophisticated banking trojan like this could easily be reconfigured to target Android users in the U.S., the U.K. and in other countries around the world.

How to stay safe from Android malware

These new TrickMo variants are currently being spread through phishing attacks. As such, you want to be careful when checking your email and messages or downloading new apps from unofficial sources.

For instance, if you get an email from an unknown sender, you want to avoid clicking on any links or downloading any attachments it may contain. The same goes for text messages and messages on social media.

Fortunately, Google Play Protect — which comes pre-installed on most Android phones — is able to identify and block known variants of TrickMo. To stay safe, you want to make sure that this free security app is enabled and running on your Android phone. However, for additional protection, you may also want to consider running one of the best Android antivirus apps alongside it.
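
Because TrickMo relies on Android's Accessibility services, one practical check is to list which accessibility services are enabled on a phone and flag any that belong to apps that were not preinstalled and did not come from Google Play. The script below is an added example, not from Zimperium or the original article; it parses the output of the adb commands named in its comments, and the package names in the sample data are constructed.

```shell
#!/bin/sh
# Added example: flag enabled accessibility services from sideloaded apps.
# On a real device (USB debugging on) the three inputs come from:
#   adb shell settings get secure enabled_accessibility_services
#   adb shell pm list packages -i    (package plus installer)
#   adb shell pm list packages -s    (preinstalled system packages)

# Constructed sample data; com.example.* package names are made up.
SAMPLE_SERVICES='com.google.android.marvin.talkback/.TalkBackService:com.example.updater/com.example.updater.A11yService'
SAMPLE_INSTALLERS='package:com.google.android.marvin.talkback  installer=com.android.vending
package:com.example.updater  installer=null
package:com.example.bank  installer=com.android.vending'
SAMPLE_SYSTEM='package:com.google.android.marvin.talkback'

# suspicious_a11y SERVICES INSTALLERS SYSTEM
# Prints one line per enabled accessibility service whose package is
# neither preinstalled nor installed by Google Play (com.android.vending).
suspicious_a11y() {
    services=$1
    installers=$2
    system=$3
    # An unset setting is reported as the literal string "null".
    case "$services" in
        ''|null) return 0 ;;
    esac
    # The setting is a colon-separated list of package/ServiceClass entries.
    printf '%s\n' "$services" | tr ':' '\n' | while IFS= read -r svc; do
        [ -n "$svc" ] || continue
        pkg=${svc%%/*}
        # Preinstalled packages often report installer=null, so skip them.
        if printf '%s\n' "$system" | grep -qxF "package:$pkg"; then
            continue
        fi
        inst=$(printf '%s\n' "$installers" |
            awk -v p="package:$pkg" '$1 == p { sub(/^installer=/, "", $2); print $2; exit }')
        if [ "$inst" = "com.android.vending" ]; then
            continue
        fi
        printf '%s installer=%s\n' "$svc" "${inst:-unknown}"
    done
}

suspicious_a11y "$SAMPLE_SERVICES" "$SAMPLE_INSTALLERS" "$SAMPLE_SYSTEM"
```

A flagged entry is a lead to review rather than proof of infection, since apps installed from other legitimate stores or by an administrator will also appear.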

Hackers are constantly looking for unique and clever new ways to gain access to our smartphones given how much personal and financial information they contain. For this reason, you want to be extra careful online and use a discerning eye when checking your email and messages or downloading new apps.

Anthony Spadafora
Managing Editor Security and Home Office