During a recent incident response engagement for a mid-sized financial services firm in Mumbai, I identified an anomalous outbound connection originating from a high-privilege employee's Android device. The device was communicating with a known command-and-control (C2) server via port 1080, but the traffic wasn't standard web traffic; it was a SOCKS5 handshake. This wasn't a simple case of data exfiltration. The device had been transformed into a network pivot point, allowing external attackers to bypass the corporate perimeter and scan the internal VLAN for Tally accounting servers and UPI-linked gateways.
What is the TrickMo Android Trojan?
TrickMo is an advanced Android banking trojan that has evolved significantly since its discovery in 2020. While it initially focused on intercepting one-time passwords (OTPs) via SMS, the latest iterations we analyzed in 2024 have shifted toward full remote access capabilities. The malware utilizes a combination of screen recording, keylogging, and SOCKS5 proxying to give attackers real-time control over the compromised hardware.
In the Indian context, TrickMo's ability to intercept SMS is particularly devastating. Since most Indian banking apps and UPI platforms rely heavily on SMS-based 2FA, a TrickMo infection effectively renders these security measures useless. We observed the malware silently dismissing SMS notifications after scraping the OTP, leaving the victim unaware that a transaction was even initiated.
The Evolution of TrickMo: From Credential Stealer to Remote Access Tool
The transition from a simple "stealer" to a "pivot" tool marks a sophisticated shift in mobile threat actor tactics. Early versions of TrickMo were designed to show overlay screens—fake login pages that appear over legitimate banking apps. Modern variants now include a SOCKS5 relay module, often utilizing the libproxy.so library or custom-built Go-based binaries. While attackers exploit these pivots, organizations can secure their own infrastructure using a browser-based SSH client to ensure all remote sessions are audited and encrypted.
This remote access functionality allows the attacker to use the victim's IP address to perform fraudulent activities. From the bank's perspective, the transaction appears to originate from the customer's trusted device and legitimate geographic location, bypassing many fraud detection algorithms that flag non-resident IP addresses.
Why TrickMo Detection is Critical for Mobile Banking Security
For organizations operating under the Digital Personal Data Protection (DPDP) Act 2023, a TrickMo infection is not just a security incident; it is a compliance nightmare. The malware's ability to scrape personal data and pivot into corporate networks means a single infected personal device used for work (BYOD) can lead to a massive data breach.
Detection is critical because TrickMo often bypasses standard signature-based antivirus, frequently exploiting vulnerabilities listed in the OWASP Top 10. It frequently uses packers and obfuscation techniques to hide its intent. We have seen samples where the malicious payload is downloaded as a secondary stage after the initial dropper has already secured Accessibility Service permissions.
Common Distribution Methods: Phishing and Malicious APKs
TrickMo is rarely found on the Google Play Store. Instead, it relies on social engineering. In India, we frequently see "Smishing" (SMS Phishing) campaigns where users receive messages claiming their electricity bill is overdue or their KYC needs immediate updating. These messages contain links to "official" looking websites that host the malicious APK.
Another common vector is the "Chrome Update" or "System Update" lure. The site detects the user's mobile browser and prompts them to download an .apk file to "fix a security vulnerability." Once the user manually allows the installation from unknown sources, the infection chain begins.
Exploiting Android Accessibility Services
The cornerstone of TrickMo’s persistence is the abuse of Android’s Accessibility Services. This feature is intended to help users with disabilities by allowing apps to read screen content and perform gestures. TrickMo tricks users into enabling this service through persistent pop-ups.
Once granted, the malware uses these permissions to:
- Automatically grant itself "Device Administrator" privileges.
- Disable Google Play Protect.
- Read OTPs from SMS and messaging apps like WhatsApp.
- Click "Allow" on permission prompts without user intervention.
- Prevent the user from uninstalling the app by automatically closing the "Settings" or "App Info" page.
The Role of Screen Recording and Keylogging in Data Theft
Unlike simpler trojans that just steal files, TrickMo uses the MediaProjection API to record the screen in real-time. This is particularly effective against apps that use custom keyboards to prevent standard keylogging. By capturing the screen, the attacker sees exactly what the user sees, including balances, account numbers, and patterns.
The keylogging module monitors all text input fields. We observed the malware specifically targeting com.android.settings and banking application packages. It logs every keystroke and periodically exfiltrates the data to the C2 server in small, encrypted JSON blobs to avoid detection by network monitoring tools.
Unusual Battery Drain and Device Overheating
Because TrickMo maintains a constant connection to a C2 server and frequently records the screen or runs a SOCKS5 proxy, the device's CPU usage remains high. Users often report that their phones feel warm even when not in use. If you are investigating a potentially compromised device, start by checking the battery consumption logs for apps with high "Background" usage.
Unexpected Requests for Administrative Permissions
A major red flag is an app that repeatedly asks for Accessibility or Device Admin permissions. TrickMo is persistent; if a user denies the request, it will immediately re-prompt. In some cases, it uses a "transparent overlay" where the user thinks they are clicking "OK" on a system message, but they are actually clicking "Allow" on a hidden permission screen.
Persistent Overlay Screens on Banking Apps
If a user opens a banking app and sees a login screen that looks slightly "off"—perhaps the fonts are different or the alignment is skewed—it is likely an overlay. TrickMo monitors the foreground task using UsageStatsManager or Accessibility events. When it detects a target banking app, it launches its own activity on top.
Slow Device Performance and Frequent Crashes
The resource-intensive nature of SOCKS5 tunneling and screen scraping often leads to system instability. We have observed "System UI has stopped" errors on infected devices because the malware interferes with the drawing of windows and inputs.
Using Mobile Security Software for Automated Scanning
While signature-based detection is limited, behavioral analysis tools can identify TrickMo. Look for security solutions that monitor for "Accessibility Service Abuse." These tools flag apps that request sensitive permissions while having no legitimate reason to do so (e.g., a "Flashlight" app asking for SMS and Accessibility).
Manual Inspection: Identifying Suspicious Apps in Settings
To manually identify the malware, we use the Android Debug Bridge (ADB). Attackers often give the malicious APK a name like "Google Chrome Update," "Google Play Services," or "System Settings." You can list all third-party packages and their granted permissions using the following commands:
# List all third-party packages
adb shell pm list packages -3
# Check for apps with Accessibility Service enabled (output capitalises "Enabled services", so match case-insensitively)
adb shell dumpsys accessibility | grep -i "enabled services"
# Identify apps with Device Administrator privileges
adb shell dumpsys device_policy | grep "admin="
Monitoring Network Traffic for Command-and-Control (C2) Communication
Network-level detection is the most reliable way to spot a TrickMo pivot, similar to detecting SnappyClient C2 traffic. If the device is connected to the corporate Wi-Fi, we look for SOCKS5 signatures. SOCKS5 traffic typically starts with a 0x05 byte. We can use tcpdump on the network gateway or via ADB if the device is rooted (rare in corporate environments, but possible in a lab).
# Capture SOCKS5 handshake on common ports (first TCP payload byte == 0x05)
tcpdump -i any 'tcp[((tcp[12:1] & 0xf0) >> 2):1] = 0x05 and (tcp port 1080 or tcp port 8080)' -vv
In Indian office environments, where CGNAT is common on mobile networks, internal IP tracking is difficult. We recommend correlating DHCP logs with MAC addresses to identify the specific physical device.
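A first payload byte of 0x05 is a weak signal on its own, so the capture above needs a second look. The following parser is an added example for this write-up (not tooling from the engagement): it decodes the two client-side SOCKS5 messages from RFC 1928, the greeting and the CONNECT request that names the internal target, from captured payload bytes; the sample bytes are constructed.

```python
"""Classify captured client-side TCP payload bytes as SOCKS5 messages (RFC 1928).

Added example for this write-up, not tooling from the engagement. Feed it the
first payload bytes of a client->server segment from the tcpdump capture above.
"""
import ipaddress
import struct

SOCKS5_VERSION = 0x05
CMD_NAMES = {1: "CONNECT", 2: "BIND", 3: "UDP_ASSOCIATE"}


def parse_client_greeting(data: bytes):
    """Return the offered auth methods if `data` is a SOCKS5 greeting, else None.

    Stricter than the BPF filter: the method count must agree with the length.
    """
    if len(data) < 2 or data[0] != SOCKS5_VERSION:
        return None
    nmethods = data[1]
    if nmethods == 0 or len(data) < 2 + nmethods:
        return None
    return list(data[2:2 + nmethods])


def parse_connect_request(data: bytes):
    """Decode VER CMD RSV ATYP DST.ADDR DST.PORT into (cmd, host, port) or None."""
    if len(data) < 4 or data[0] != SOCKS5_VERSION or data[2] != 0x00:
        return None
    cmd, atyp = data[1], data[3]
    if cmd not in CMD_NAMES:
        return None
    if atyp == 0x01:                      # IPv4, 4 bytes
        end = 8
        host = str(ipaddress.IPv4Address(data[4:8])) if len(data) >= 8 else None
    elif atyp == 0x03:                    # domain name, length-prefixed
        end = 5 + data[4]
        host = data[5:end].decode("ascii", "replace") if len(data) >= end else None
    elif atyp == 0x04:                    # IPv6, 16 bytes
        end = 20
        host = str(ipaddress.IPv6Address(data[4:20])) if len(data) >= 20 else None
    else:
        return None
    if host is None or len(data) < end + 2:   # truncated segment: do not guess
        return None
    port = struct.unpack("!H", data[end:end + 2])[0]
    return CMD_NAMES[cmd], host, port


# Constructed sample: greeting offering no-auth and username/password, then a
# CONNECT towards an internal host on port 9000 (the Tally default port).
SAMPLE_GREETING = b"\x05\x02\x00\x02"
SAMPLE_CONNECT = b"\x05\x01\x00\x01\x0a\x00\x00\x15\x23\x28"
```

The decoded CONNECT destination is what an analyst needs to know which internal server the pivot was aimed at.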
Checking for Unauthorized Accessibility Service Activations
You can programmatically check for suspicious services by looking at the enabled_accessibility_services setting. If you see a package name that doesn't match a known assistive tool (like TalkBack), it's a high-confidence indicator of compromise (IoC).
# Prints a colon-separated list of package/service entries, or "null" if none are enabled
adb shell settings get secure enabled_accessibility_services
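To turn that check into something repeatable across a fleet, here is an added example (not tooling from the engagement) that parses the setting's output against an allowlist of expected assistive tools and flags the impersonated system package names mentioned later in this article; the allowlist and sample output are constructed.

```python
"""Triage Android's enabled_accessibility_services setting.

Added example for this article, not tooling from the engagement. Input is the
raw output of `adb shell settings get secure enabled_accessibility_services`.
"""

# Constructed allowlist: packages an admin expects to hold accessibility rights.
# Extend it with your MDM agent and any approved assistive tools.
KNOWN_ASSISTIVE_PACKAGES = {
    "com.google.android.marvin.talkback",                 # TalkBack
    "com.google.android.apps.accessibility.voiceaccess",  # Voice Access
}

# Package names this article observed TrickMo masquerading as. Neither ships an
# accessibility service, so either name in this setting is a red flag.
IMPERSONATED_SYSTEM_NAMES = {"com.android.settings", "com.google.android.gms"}


def parse_enabled_services(raw: str) -> list[str]:
    """Split the colon-separated 'package/service' list; 'null' means unset."""
    raw = raw.strip()
    if raw in ("", "null"):
        return []
    return [entry for entry in raw.split(":") if entry]


def triage_services(raw: str) -> dict:
    """Return {'trusted': [entries], 'suspicious': [(entry, reason)]}."""
    trusted, suspicious = [], []
    for entry in parse_enabled_services(raw):
        package = entry.split("/", 1)[0]
        if package in IMPERSONATED_SYSTEM_NAMES:
            suspicious.append((entry, "impersonates a system package"))
        elif package not in KNOWN_ASSISTIVE_PACKAGES:
            suspicious.append((entry, "not an approved assistive tool"))
        else:
            trusted.append(entry)
    return {"trusted": trusted, "suspicious": suspicious}


# Constructed sample: TalkBack plus a service hiding behind a system package name.
SAMPLE_OUTPUT = (
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService"
    ":com.android.settings/.svc.AccessService"
)
```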
Booting into Safe Mode to Isolate Malicious Processes
If the malware is actively preventing you from navigating the settings menu, you must boot the device into Safe Mode. This prevents third-party apps from starting automatically.
- Hold the Power button until the "Power off" prompt appears.
- Long-press the "Power off" icon on the screen until "Reboot to safe mode" appears.
- Tap "OK."
Revoking Device Administrator and Accessibility Privileges
Once in Safe Mode, the malware's defense mechanisms are inactive. Navigate to:
- Settings > Security > Device Admin Apps (Disable the malicious app).
- Settings > Accessibility > Installed Services (Turn off the malicious service).
Uninstalling the Malicious Application
After revoking privileges, the "Uninstall" button should no longer be greyed out. Use the standard app manager or ADB to remove the package:
# Replace <package_name> with the identified malicious package ID
adb uninstall <package_name>
Performing a Factory Reset: When and How to Do It
For a high-risk infection like TrickMo, a factory reset is the only way to ensure complete remediation. The malware may have dropped secondary payloads in the /data/ partition that are not easily visible. In India, under DPDP Act requirements, any device used for corporate data that was infected with a RAT should be wiped and re-imaged to maintain a clean chain of custody.
Securing Compromised Banking and Social Media Accounts
Immediately after identifying the infection, the victim must change all passwords from a different, clean device. TrickMo likely captured the credentials for every app the user opened during the infection period.
Enabling Multi-Factor Authentication (MFA) Beyond SMS
SMS-based MFA is the primary target of TrickMo. We strongly advise moving to TOTP-based authenticators (Google Authenticator, Microsoft Authenticator) or hardware security keys (YubiKey). Because TrickMo can record the screen, even TOTP codes are at risk (the same exposure seen in MFA proxy bypass attacks), but they are significantly harder to automate than SMS scraping.
Reviewing Financial Statements for Unauthorized Transactions
Check for small "test" transactions. Attackers often perform a ₹1 or ₹10 transaction to verify the account's validity before attempting a larger transfer via UPI or IMPS.
The Importance of Disabling 'Install from Unknown Sources'
This is the first line of defense. Ensure that "Install unknown apps" is disabled for all browsers and messaging apps. In a corporate environment, this should be enforced via an MDM (Mobile Device Management) policy.
Keeping Android OS and Security Patches Up-to-Date
TrickMo often exploits known vulnerabilities to escalate privileges. Two critical CVEs associated with advanced Android malware lateral movement (available on the NIST NVD) are:
- CVE-2024-32896: An Android OS privilege escalation vulnerability that allows malware to bypass sandbox restrictions.
- CVE-2023-40088: A System RCE vulnerability that allows for code execution without user interaction.
Leveraging Google Play Protect and Reputable Antivirus Tools
Ensure Google Play Protect is active. TrickMo will try to disable it, so its status should be monitored. For enterprises, use an MTD (Mobile Threat Defense) solution that integrates with your SIEM.
SIEM Configuration for Detecting SOCKS5 Pivoting
To detect TrickMo pivoting in your network, you can use the following Sigma rule logic for your SIEM (Splunk, ELK, or Microsoft Sentinel). This rule looks for SOCKS5 connections originating from the mobile VLAN and moving toward internal server zones.
title: Android SOCKS5 Pivot Detection (TrickMo)
status: experimental
description: Detects SOCKS5 proxy patterns from mobile devices to internal infrastructure.
logsource:
  product: zeek
  service: conn
detection:
  selection_socks:
    id.resp_p:            # Zeek conn.log destination port field
      - 1080
      - 8080
      - 9050
    history: 'ShAdDfF'    # Zeek TCP history (handshake, data both ways, FIN close); not SOCKS5-specific on its own
  selection_internal_pivot:
    id.orig_h|cidr: '192.168.0.0/16'   # Mobile VLAN/Subnet
    id.resp_h|cidr: '10.0.0.0/8'       # Internal Server Zone
  condition: selection_socks and selection_internal_pivot
fields:
  - id.orig_h
  - id.resp_h
  - duration
  - orig_bytes
falsepositives:
  - Authorized mobile VPN clients
level: high
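Before deploying a rule like this, it is worth replaying it against known-good and known-bad conn records. The script below is an added example for this article (not the Sigma rule itself, and not Zeek code): it applies the same two selections to Zeek conn.log JSON lines, which are constructed here and use the rule's placeholder subnets.

```python
"""Replay the SOCKS5 pivot rule's logic over Zeek conn.log JSON records.

Added example for this article (not the Sigma rule or Zeek code). The log
lines are constructed; the subnets mirror the rule's placeholders.
"""
import ipaddress
import json

SOCKS_PORTS = {1080, 8080, 9050}
MOBILE_VLAN = ipaddress.ip_network("192.168.0.0/16")
SERVER_ZONE = ipaddress.ip_network("10.0.0.0/8")
HANDSHAKE_HISTORY = "ShAdDfF"      # the exact history value the rule pins
REPORT_FIELDS = ("id.orig_h", "id.resp_h", "duration", "orig_bytes")

# Constructed Zeek conn.log records in JSON output format, one per line:
# 1) mobile VLAN -> internal server on 1080 (should fire)
# 2) same phone -> public HTTPS (wrong port and zone, must not fire)
# 3) server -> server on 8080 (originator not in the mobile VLAN, must not fire)
SAMPLE_CONN_LOG = """\
{"ts":1717000000.1,"id.orig_h":"192.168.40.23","id.orig_p":51234,"id.resp_h":"10.10.5.8","id.resp_p":1080,"proto":"tcp","duration":12.5,"orig_bytes":812,"history":"ShAdDfF"}
{"ts":1717000001.3,"id.orig_h":"192.168.40.23","id.orig_p":51240,"id.resp_h":"142.250.0.1","id.resp_p":443,"proto":"tcp","duration":3.2,"orig_bytes":1200,"history":"ShADadFf"}
{"ts":1717000002.0,"id.orig_h":"10.10.9.4","id.orig_p":40001,"id.resp_h":"10.10.5.8","id.resp_p":8080,"proto":"tcp","duration":0.4,"orig_bytes":300,"history":"ShAdDfF"}
"""


def matches_pivot_rule(rec: dict) -> bool:
    """Mirror the rule: selection_socks and selection_internal_pivot."""
    try:
        orig = ipaddress.ip_address(rec["id.orig_h"])
        resp = ipaddress.ip_address(rec["id.resp_h"])
    except (KeyError, ValueError):      # malformed record: never match
        return False
    selection_socks = rec.get("id.resp_p") in SOCKS_PORTS and rec.get("history") == HANDSHAKE_HISTORY
    selection_internal_pivot = orig in MOBILE_VLAN and resp in SERVER_ZONE
    return selection_socks and selection_internal_pivot


def find_pivots(conn_log: str) -> list:
    """Return the rule's 'fields' for every matching record."""
    hits = []
    for line in conn_log.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        if matches_pivot_rule(rec):
            hits.append({k: rec.get(k) for k in REPORT_FIELDS})
    return hits


if __name__ == "__main__":
    for hit in find_pivots(SAMPLE_CONN_LOG):
        print("SOCKS5 pivot candidate:", hit)
```

Because the rule pins an exact history string, a connection that the responder closed first, or one still open when the log was written, will not match; tune that field against your own baseline before promoting the rule from experimental.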
Forensic Analysis of Network Sockets
If you have ADB access to a suspect device, you can verify active SOCKS5 listeners using netstat. Look for apps listening on all interfaces (0.0.0.0) rather than just the loopback (127.0.0.1). Note that netstat only shows PIDs and process names when the ADB shell runs as root; on an unrooted device you still get the addresses and states.
# Check for suspicious listening ports
adb shell "netstat -antp | grep -E 'LISTEN|ESTABLISHED'" | grep -v '127.0.0.1'
If you see a process listening on port 1080 or a random high port with a state of LISTEN, correlate the PID with the package name:
# Find the package name for a specific PID (replace <PID> with the value from netstat)
adb shell ps -p <PID>
This level of granular visibility is essential for distinguishing between a legitimate background sync and a TrickMo SOCKS5 relay. In our testing, TrickMo often masks its process name to appear as com.android.settings or com.google.android.gms to evade casual inspection in the process list.
Next, we will look at automating the extraction of the C2 configuration from the malware's encrypted shared preferences file using a custom Python script.
