Trick ‘Em - Part 3
Peter stood at the front of the briefing room, marker in hand, outlining the complexities of TrickMo’s latest resurgence. His team of analysts, some of the brightest minds in malware research, listened intently as Peter connected the dots between recent breaches and what they suspected was an evolved form of the notorious banking trojan.
TrickMo had first emerged years ago as a mobile companion to the TrickBot gang. While TrickBot operated on a global scale, infiltrating financial systems and harvesting credentials, TrickMo had quietly carved out its niche by targeting Android devices directly.
Now its resurgence brought new layers of sophistication and new levels of danger. The sample on Peter’s monitor was evidence of that evolution: its capabilities refined and adapted to slip past the analysis tooling and defenses that had caught its earlier versions.
“This isn’t the TrickMo we saw in 2021,” Peter said to the team gathered around him in the dimly lit lab. “The old version was deadly enough, but this… this is a precision-guided weapon.”
“The real innovation is in how they’re hiding the malware’s core functionality,” Maria said.
Peter leaned forward. “You’re talking about JSONPacker?”
Maria nodded. “It compresses the payload into a JSON object and keeps it dormant until the right conditions are met. Static analysis tools can’t see it, and even if you unpack it, the code is modular, designed to adapt dynamically based on the target.”
“That tracks,” Peter replied. “TrickMo was designed to evade detection from the start. Even in its earlier versions, it leveraged clever obfuscation techniques to slip past anti-malware tools. This is just the next step in its evolution.”
JSONPacker isn’t just a packing tool; it’s a disguise. The malicious payload is compressed and encrypted into a JSON object, so the components a scanner would match on are present in the package only as data, not as code. The payload stays dormant, decoded and loaded by the dropper only when the victim launches a targeted app, so an initial scan sees inert configuration and the real functionality appears only on a victim’s device.
Maria continued, “Another interesting thing is the use of malformed ZIP files in the APK. They’ve embedded corruption into the file structure to bypass installation integrity checks. It’s like they’re designing it to target weak spots in Android’s defenses.”
“And sandboxing?” Peter asked.
Michael, another analyst, chimed in. “It’s advanced. The malware detects virtual environments. It stays dormant when it senses it’s being analyzed, even throwing out junk traffic to confuse automated tools.”
Peter sighed. “That’s classic TrickMo, too. Back in its earlier campaigns, it used timing delays and false data to trip up malware researchers. Now it’s refining those techniques for corporate-scale attacks. Oh wow!”
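The two packaging tricks the team has just described, a payload hidden as data inside a JSON asset and an APK whose ZIP structure is inconsistent, can both be checked for offline. The script below is an added example, not code from the story and not a description of the real packer’s format or of the exact corruption the real samples used. It constructs a toy APK-like ZIP in memory, walks the central directory (which the installer trusts) and compares every entry with its local file header (which many extractors read), then scans any .json member for long base64 strings that decode to a DEX, ZIP or ELF. The member names, JSON layout and the overwritten header signature are assumptions for illustration.

```python
import base64
import io
import json
import struct
import zipfile

LOCAL_HEADER_MAGIC = b"PK\x03\x04"
# Leading bytes of executable formats worth flagging when found inside JSON.
PAYLOAD_MAGICS = {b"dex\n": "DEX", b"PK\x03\x04": "ZIP/APK", b"\x7fELF": "ELF"}
MIN_BLOB_LEN = 64  # shorter base64 strings are ordinary config values


def check_local_headers(apk_bytes):
    """Compare each central-directory entry with its local file header.
    Returns (member, problem) pairs; an empty list means they agree."""
    problems = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for info in zf.infolist():
            off = info.header_offset
            hdr = apk_bytes[off:off + 30]
            if len(hdr) < 30 or hdr[:4] != LOCAL_HEADER_MAGIC:
                problems.append((info.filename, "bad local header magic"))
                continue
            # version, flags, method, time, date, crc, csize, usize, nlen, xlen
            _, flags, method, _, _, crc, csize, _, nlen, _ = struct.unpack(
                "<HHHHHIIIHH", hdr[4:30])
            if method != info.compress_type:
                problems.append((info.filename, "compression method differs"))
            # With flag bit 3 set, sizes and CRC live in a trailing data
            # descriptor, so only compare them when they are in the header.
            if not flags & 0x08 and (csize != info.compress_size or crc != info.CRC):
                problems.append((info.filename, "size or CRC differs"))
            encoding = "utf-8" if flags & 0x800 else "cp437"
            local_name = apk_bytes[off + 30:off + 30 + nlen].decode(encoding, "replace")
            if local_name != info.filename:
                problems.append((info.filename, f"local name is {local_name!r}"))
    return problems


def _strings(node):
    """Yield every string value anywhere in a parsed JSON document."""
    if isinstance(node, str):
        yield node
    elif isinstance(node, dict):
        for value in node.values():
            yield from _strings(value)
    elif isinstance(node, list):
        for value in node:
            yield from _strings(value)


def find_json_payloads(apk_bytes):
    """Return (member, format, decoded_size) for each long base64 string in a
    .json member that decodes to a known executable format."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for info in zf.infolist():
            if not info.filename.lower().endswith(".json"):
                continue
            try:
                doc = json.loads(zf.read(info))
            except (zipfile.BadZipFile, ValueError):
                continue  # damaged member or not JSON; the header check reports damage
            for text in _strings(doc):
                if len(text) < MIN_BLOB_LEN:
                    continue
                try:
                    raw = base64.b64decode(text, validate=True)
                except ValueError:
                    continue
                for magic, kind in PAYLOAD_MAGICS.items():
                    if raw.startswith(magic):
                        hits.append((info.filename, kind, len(raw)))
    return hits


def build_sample_apk(corrupt_manifest=False):
    """Constructed toy package (not a real app): a fake DEX, real magic plus
    filler, base64-encoded into a JSON asset. corrupt_manifest overwrites the
    manifest's local header signature but leaves the central directory intact;
    the specific corruption is illustrative only."""
    fake_dex = b"dex\n035\x00" + b"\x00" * 120
    config = {"version": 3, "locale": "en",
              "blob": base64.b64encode(fake_dex).decode("ascii")}
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("AndroidManifest.xml", b"<manifest/>")
        zf.writestr("classes.dex", b"dex\n035\x00" + b"\x00" * 32)
        zf.writestr("assets/config.json", json.dumps(config))
    data = bytearray(buf.getvalue())
    if corrupt_manifest:
        with zipfile.ZipFile(io.BytesIO(bytes(data))) as zf:
            off = zf.getinfo("AndroidManifest.xml").header_offset
        data[off:off + 4] = b"XXXX"
    return bytes(data)


if __name__ == "__main__":
    for label, apk in (("clean", build_sample_apk()),
                       ("malformed", build_sample_apk(corrupt_manifest=True))):
        print(label, "header problems:", check_local_headers(apk))
        print(label, "json payloads:", find_json_payloads(apk))
```

The point of walking the central directory by hand is that `zipfile.ZipFile.read()` stops with `BadZipFile` on the damaged member, which is exactly the behaviour an analyst's extractor shows; the checker reports the inconsistency instead of aborting, and the JSON scan still reaches the intact asset carrying the payload.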
“Once the APK executes on a real device,” Maria said, “it immediately enables Android’s accessibility services.”
“What’s the sequence?” Peter asked.
“It starts by intercepting screen activity,” Michael replied. “Then it automates input commands, approving transactions, dismissing security prompts, even changing permissions without user input. It essentially takes over the device.”
“That’s what made TrickMo infamous,” Peter said, his tone grim. “It’s not just stealing data - it’s performing fraud in real-time. OTP interception, automated approvals, and invisible control of banking apps. The victim never even realizes it’s happening until it’s too late.”
“And then there’s the exfiltration,” Maria added. “The data’s being sent to an IPFS node. Once it’s uploaded to the InterPlanetary File System, it’s replicated across a decentralized network. There’s no central server to shut down. Whatever they steal (emails, photos, transaction records) becomes almost impossible to retrieve.”
Peter turned to the whiteboard, where a timeline of TrickMo’s history stretched across the wall.
“TrickMo started as a mobile companion to TrickBot,” he explained to the team. “Back then, its primary role was to intercept and abuse SMS-based OTPs. That alone made it devastating. But after TrickBot itself was disrupted by global law enforcement in 2021, TrickMo didn’t disappear; it adapted.”
He pointed to the next marker on the timeline. “2022. TrickMo started leveraging accessibility services, giving it full control over Android devices. It bypassed even biometrics by automating approvals directly on the user’s screen. It shifted from being just an SMS interceptor to a fully fledged fraud toolkit.”
Maria frowned. “And now it’s back with a vengeance. The focus isn’t just on individual accounts anymore; it’s targeting corporate systems and payroll platforms.”
“Exactly,” Peter said. “This isn’t just about stealing money. And the operators behind it know exactly what they’re doing.”
The room fell silent as Peter pieced it together.
“Did we find any clues in the Command and Control (C2) communication logs?” he finally asked.
Maria hesitated. “We traced some traffic to a cluster of servers in Eastern Europe. But it’s difficult to pinpoint the operators. The IPs are routed through botnets and fast-flux DNS, constantly rotating to obscure their origin.”
Peter studied the network diagram glowing on the screen. Fast-flux DNS nodes blinked on and off like fireflies, mapping out TrickMo’s command-and-control infrastructure. Maria’s analysis had been spot-on: every time one server went down, another popped up in its place.
“This isn’t just malware,” Peter muttered. “It’s a distributed system. They’ve designed it to survive any direct takedown.”
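The churn Peter is watching on the diagram can be measured rather than eyeballed. The script below is an added example, not part of the story, that runs a simple fast-flux heuristic over passive-DNS observations: a domain that answers with many distinct addresses spread across unrelated prefixes, each with a short TTL, looks very different from a CDN that round-robins a handful of addresses inside one prefix. The log format, domain names and addresses are constructed for this example (addresses are taken from the documentation and shared-address ranges as stand-ins for real hosting networks), and the thresholds are starting points, not tuned values.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
import ipaddress
from statistics import median

# Constructed passive-DNS observations (not real traffic). One record per line:
# <iso-timestamp> <qname> <answer-ip> <ttl-seconds>. Addresses come from the
# 192.0.2/24, 198.51.100/24, 203.0.113/24 documentation ranges and 100.64/10.
SAMPLE_LOG = """\
2025-01-10T12:00:00Z update.ex-bank-cdn.net 203.0.113.10 30
2025-01-10T12:00:40Z update.ex-bank-cdn.net 198.51.100.77 30
2025-01-10T12:01:20Z update.ex-bank-cdn.net 192.0.2.44 30
2025-01-10T12:02:00Z update.ex-bank-cdn.net 100.64.7.9 60
2025-01-10T12:02:50Z update.ex-bank-cdn.net 100.64.99.2 30
2025-01-10T12:03:30Z update.ex-bank-cdn.net 203.0.113.200 30
2025-01-10T12:00:00Z static.ex-cdn.org 192.0.2.10 60
2025-01-10T12:01:00Z static.ex-cdn.org 192.0.2.11 60
2025-01-10T12:02:00Z static.ex-cdn.org 192.0.2.12 60
2025-01-10T12:03:00Z static.ex-cdn.org 192.0.2.13 60
2025-01-10T12:04:00Z static.ex-cdn.org 192.0.2.14 60
2025-01-10T12:05:00Z static.ex-cdn.org 192.0.2.15 60
2025-01-10T12:00:00Z www.ex-corp.com 198.51.100.5 3600
2025-01-10T13:00:00Z www.ex-corp.com 198.51.100.5 3600
"""


@dataclass
class DomainStats:
    domain: str
    observations: int
    distinct_ips: int
    distinct_prefixes: int  # distinct /24 (IPv4) or /48 (IPv6) networks
    median_ttl: float
    span_seconds: float
    suspicious: bool


def parse_log(text):
    """Yield (timestamp, qname, ip, ttl); malformed lines are skipped, not fatal."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[0].startswith("#"):
            continue
        ts_raw, qname, ip_raw, ttl_raw = parts
        try:
            ts = datetime.fromisoformat(ts_raw.replace("Z", "+00:00"))
            ip = ipaddress.ip_address(ip_raw)
            ttl = int(ttl_raw)
        except ValueError:
            continue
        yield ts, qname.lower().rstrip("."), ip, ttl


def fast_flux_report(text, min_ips=5, min_prefixes=3, max_median_ttl=300):
    """Aggregate observations per domain and flag the fast-flux pattern: many
    distinct answers across several unrelated prefixes with TTLs short enough
    that a dead node drops out of resolution within minutes. A CDN rotating
    addresses inside one or two prefixes fails the prefix test."""
    buckets = defaultdict(list)
    for ts, qname, ip, ttl in parse_log(text):
        buckets[qname].append((ts, ip, ttl))
    report = {}
    for domain, recs in buckets.items():
        ips = {ip for _, ip, _ in recs}
        prefixes = {ipaddress.ip_network(f"{ip}/{24 if ip.version == 4 else 48}",
                                         strict=False) for ip in ips}
        ttl_median = median([ttl for _, _, ttl in recs])
        times = [ts for ts, _, _ in recs]
        report[domain] = DomainStats(
            domain=domain,
            observations=len(recs),
            distinct_ips=len(ips),
            distinct_prefixes=len(prefixes),
            median_ttl=ttl_median,
            span_seconds=(max(times) - min(times)).total_seconds(),
            suspicious=(len(ips) >= min_ips and len(prefixes) >= min_prefixes
                        and ttl_median <= max_median_ttl),
        )
    return report


if __name__ == "__main__":
    for s in fast_flux_report(SAMPLE_LOG).values():
        flag = "FAST-FLUX?" if s.suspicious else "ok"
        print(f"{s.domain:26} ips={s.distinct_ips} prefixes={s.distinct_prefixes} "
              f"median_ttl={s.median_ttl:.0f}s span={s.span_seconds:.0f}s {flag}")
```

The prefix test is what separates the flux domain from `static.ex-cdn.org`, which has just as many addresses and TTLs just as short. In production this heuristic is a first filter, not a verdict: large anycast CDNs can span many prefixes, so the next step is to add ASN diversity, domain registration age and whether the answers point at residential address space before raising an alert.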
Maria turned from her monitor. “And it’s evolving. JSONPacker is letting them deploy modular payloads that adapt to different environments. Sandboxing, static analysis, none of it is enough to catch this thing in time.”
Peter nodded, but his mind was elsewhere. Reports from multiple banks had flagged accessibility abuse as a key mechanism, but Peter knew there was more to the story. The malware wasn’t just targeting individual users; it was creating an entire ecosystem of infected devices.
His phone buzzed on the desk. The caller ID read Zara Ali.
“Hold that thought, Maria,” he said, grabbing the phone. Zara rarely called without a reason, and never more than once. This was her third attempt since the briefing started.
“Peter,” Zara said, her voice cutting through before he could speak, “they’re hitting our customers badly. We need help. I think TrickMo is back!”
Peter’s heart sank. Her urgency matched the exact conclusion his team had just reached. TrickMo wasn’t just back; it was far more dangerous than they’d anticipated.
Do you understand the evasive techniques being used by TrickMo? Tell us about the tactic(s) you found most fascinating. Do you think Zara can urgently do something to educate her customers, and what should that look like? What would you do differently if you were Peter? Share your thoughts in the comment section.
© 2025-2090 ByPassed. All rights reserved. You may share or link to content from ByPassed, but please provide proper attribution and do not modify the original content without permission.
#cybersecurity #Bypassed #truecrime
I kept alternating between the scared feelings at how crazy TrickMo is and how intelligent Maria and the other analysts are. TrickMo’s evasion technique is crazy, I mean it has the ability to be dormant till its condition is met and it goes ahead to confuse the analysts who try to analyze it.
This story truly pushes me into a deeper learning phase, making me research and analyze every single terminology used to fully grasp the depth of the reading. It’s exciting to see myself going through this process of continuous discovery. TrickMo is like a bone in the throat; it’s unsettling to witness how rapidly malware keeps evolving. The sophistication behind its resurgence is devastating, and I can only hope Zara and her team find a solution quickly before TrickMo takes complete control. Cyber threats like this remind us of the constant battle between security and adversaries, and it’s both fascinating and alarming to see how far the game has escalated.
Useful tips
F#$k yes.
This is insanely scary and exciting simultaneously, Confidence. If you know what I mean. Insightful as usual.