Found the return of TrickMo money-sucking malware

The return of TrickMo money-sucking malware has been found aimed at banking apps, crypto apps, and authentication apps.

According to a report by the website, Cyber Security News mentioned the detection of the return of the Banking Trojan type malware named TrickMo, which had already been plagued during the year 2025 (d. But this time it has returned to a new version with greater capabilities, stealth in the system, and harder to stop than ever. This latest version of the malware was detected between January and February by a research team from ThreatFabric, an expert firm that protects bank customers from online fraud. The research team found that the spread of the malware was done through fake ads on Facebook social media, claiming that it was an advertisement for the Tikis application, but in fact downloaded as a Loader malware, which leads to the implantation of TrickMo malware on the victim's machine again. The hackers were found to have focused their attacks on a group of mobile phone users on the Android operating system living in France, Austria and Italy.

For TrickMo malware, in addition to being a Banking Trojan, it is also categorized as a device Takeover Malware. The malware has perfect control over the interactive control system through the exploitation of the Accessibility Mode. After the malware enters the machine and uses the mode, it will start to attack in various ways, such as

Use Overlay Attack to overlay a fake login on a bank application to steal the access code. The malware stores Keystroke and sends it back to C2 or Command and Control.

SMS or Short Message Service, including Notification, which focuses on stealing important information such as OTP or One-Time Passwords. Malware can also mute and vibrate so that users do not realize it.

In addition to data theft, the malware has an implementation of a Module called dex.module, which is used to shoot the core of the Remote-Control Engine Core into the processes of the Android operating system, making the malware invisible and difficult to detect.

One of the most improved versions would not escape the C2 server interface system. The original version used the infrastructure on the common Internet, so that it could be closed or suppressed easily. The development team raised it to a machine-to-machine contact, or Peer-to-Peer, through the network of The Open Network, also known as TON. In this system, instead of contacting through the domain (Domain) of the website, it returned to the Endpoint where the address ended up .adnl through the network. Such addresses do not appear on the Internet as usual, making them more difficult to block and suppress.

In addition, the malware, instead of using the DNS resolver on the machine as usual, uses DNS-over-HTTPS to hide malware-related domains from the monitoring system on the victim's system, and can camouflage other data traffic that use the TON network until it is even more difficult to detect.

# Trending # Drug sign with lemon8 # lemon 8 diary # trickmo # freedomhack