S0427: TrickMo
Analyst context for executives and security teams
TrickMo matters because it represents mobile malware aimed at weakening transaction security, specifically by stealing transaction authorization numbers used as one-time passwords. For leaders, the practical issue is not only “malware on Android,” but whether mobile banking, workforce mobile access, SMS-based verification, and incident response processes can withstand a compromised user device that can observe screens, interact with the UI, access SMS content, discover installed apps, and communicate over web or out-of-band channels.
Executive priority
Treat this as a mobile identity and fraud-resilience concern. Organizations that rely on Android devices, SMS/TAN-style approvals, or mobile workflows should ask whether mobile device posture, app permission governance, banking/fraud monitoring, and user support escalation can identify and contain a compromised device before unauthorized transactions or credential misuse occur. Because ATT&CK provides no official detection text for this object, coverage should be proven with local telemetry and response testing rather than assumed from endpoint or network tooling.
Technical view
ATT&CK lists TrickMo for Android and relates it to behaviors including obfuscated files or information, software discovery, system/network/Wi-Fi/internet discovery, system information discovery, web-protocol communications, screen capture, input injection through Android accessibility-style abuse, local data collection, SMS control and SMS message access, broadcast receivers for event-driven execution, device lockout, malicious app uninstallation, system checks, and out-of-band data. SOC, detection, and IR teams should validate whether they can observe risky Android permissions and role changes, accessibility service abuse, SMS access/control, screen capture consent or MediaProjection-related use, unusual broadcast receiver registrations, device administrator or lockout behavior, suspicious app inventory/network discovery, and web/SMS-based communications from managed devices.
Likely telemetry
- Android mobile device management or enterprise mobility management inventory and compliance state
- Installed application inventory, package metadata, signing/source information, and app reputation where available
- Android permission grants and changes, especially SMS, accessibility, screen capture/media projection, device administrator, notification, and network-related access
- Accessibility service enablement and unusual UI automation or input-injection indicators
- SMS provider access, default SMS handler changes, SMS send/receive/delete activity, and related user complaints
Detection direction
- Start by mapping ATT&CK-related behaviors to actual Android telemetry sources; the official object does not provide detection guidance.
- Prioritize detections around combinations of sensitive behaviors rather than single permissions: SMS access plus accessibility abuse, screen capture plus banking-app presence discovery, or device administrator changes plus lockout behavior.
- Tune for legitimate administrative and accessibility use cases to reduce false positives, especially enterprise support tools, accessibility apps, messaging apps, and MDM agents.
- Validate whether network monitoring can see mobile web-protocol communications without overclaiming visibility into encrypted HTTPS content.
- Include anti-analysis and obfuscation expectations in malware triage; static-only review may miss behavior if system checks alter execution.
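The combination-based detection logic described in this list, and the telemetry sources listed under "Likely telemetry", can be exercised against device management exports before committing to a rule. The following is an added example, not Glexia's or MITRE's code: it correlates constructed Android MDM events (event names, package names and the allowlist are all hypothetical) per device within a time window, fires only when the listed behaviours co-occur, and drops events from allowlisted enterprise tools so that help-desk or accessibility software does not trigger it.

```python
"""Correlate Android device telemetry into combination findings (added example)."""
import json
from datetime import datetime, timedelta

# Constructed sample telemetry: one JSON object per line, shaped like a hypothetical MDM export.
SAMPLE_EVENTS = """\
{"ts":"2024-05-01T09:00:00Z","device":"dev-001","event":"accessibility_enabled","package":"com.example.reader"}
{"ts":"2024-05-01T09:02:00Z","device":"dev-001","event":"default_sms_handler_changed","package":"com.example.reader"}
{"ts":"2024-05-01T09:03:00Z","device":"dev-001","event":"permission_granted","package":"com.example.reader","permission":"android.permission.RECEIVE_SMS"}
{"ts":"2024-05-01T09:04:00Z","device":"dev-001","event":"media_projection_started","package":"com.example.reader"}
{"ts":"2024-05-01T09:05:00Z","device":"dev-001","event":"app_installed","package":"com.bank.example"}
{"ts":"2024-05-01T10:00:00Z","device":"dev-002","event":"accessibility_enabled","package":"com.corp.helpdesk"}
{"ts":"2024-05-01T10:01:00Z","device":"dev-002","event":"default_sms_handler_changed","package":"com.corp.helpdesk"}
{"ts":"2024-05-01T11:00:00Z","device":"dev-003","event":"device_admin_granted","package":"com.example.locker"}
{"ts":"2024-05-01T11:05:00Z","device":"dev-003","event":"screen_lockout_observed","package":"com.example.locker"}
"""

# Tuning: enterprise tools that legitimately hold accessibility or SMS roles (hypothetical names).
ALLOWLISTED_PACKAGES = {"com.corp.helpdesk", "com.corp.mdmagent"}
# Banking apps whose presence makes screen capture on the same device more significant (hypothetical).
BANKING_APPS = {"com.bank.example"}

# Each rule: name, the set of behavioural signals that must co-occur, and the window they must fall in.
RULES = [
    ("sms-access-plus-accessibility", {"accessibility", "sms_access"}, timedelta(hours=1)),
    ("screen-capture-plus-banking-app", {"screen_capture", "banking_app_present"}, timedelta(hours=24)),
    ("device-admin-plus-lockout", {"device_admin", "lockout"}, timedelta(hours=6)),
]


def to_signal(ev):
    """Map a raw MDM event to the behavioural signal the rules reason about (None = irrelevant)."""
    kind = ev["event"]
    if kind == "accessibility_enabled":
        return "accessibility"
    if kind == "default_sms_handler_changed":
        return "sms_access"
    if kind == "permission_granted" and ev.get("permission") in {
        "android.permission.RECEIVE_SMS", "android.permission.READ_SMS"}:
        return "sms_access"
    if kind == "media_projection_started":
        return "screen_capture"
    if kind == "app_installed" and ev.get("package") in BANKING_APPS:
        return "banking_app_present"
    if kind == "device_admin_granted":
        return "device_admin"
    if kind == "screen_lockout_observed":
        return "lockout"
    return None


def parse_events(text):
    """Parse newline-delimited JSON events and convert timestamps to datetime objects."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return events


def correlate(events):
    """Return findings as (device, rule_name, sorted contributing packages), one per device and rule."""
    per_device = {}
    for ev in events:
        if ev.get("package") in ALLOWLISTED_PACKAGES:
            continue  # tuning step: known-good enterprise tools never contribute signals
        sig = to_signal(ev)
        if sig is None:
            continue
        per_device.setdefault(ev["device"], []).append((ev["ts"], sig, ev.get("package")))

    findings = []
    for device, sigs in per_device.items():
        sigs.sort(key=lambda s: s[0])
        for name, required, window in RULES:
            # Slide a window starting at each signal; fire once if all required signals fall inside it.
            for start_ts, _, _ in sigs:
                in_window = [s for s in sigs if start_ts <= s[0] <= start_ts + window]
                seen = {s[1] for s in in_window}
                if required <= seen:
                    pkgs = sorted({s[2] for s in in_window if s[1] in required})
                    findings.append((device, name, pkgs))
                    break
    return findings


if __name__ == "__main__":
    for finding in correlate(parse_events(SAMPLE_EVENTS)):
        print(finding)
```

The window sizes and the allowlist are the tuning knobs: the second device in the sample carries the same accessibility-plus-SMS pattern as the first but is suppressed because the package is an approved help-desk tool, and the device-admin rule will not fire if the lockout is observed outside its window. Feed it real MDM exports by replacing `SAMPLE_EVENTS` and the mapping in `to_signal`.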
Mitigation priorities
- Reduce reliance on SMS/TAN-style verification where stronger phishing- and device-compromise-resistant approval methods are available.
- Enforce managed Android device baselines for enterprise use, including approved app sources, app inventory review, restricted high-risk permissions, and rapid removal/quarantine workflows.
- Limit and monitor accessibility service, SMS handler, device administrator, notification, and screen capture privileges for non-business-critical apps.
- Educate users and help desks to escalate unexpected banking prompts, accessibility permission requests, device lockouts, SMS anomalies, or apps that resist removal.
- Prepare mobile IR playbooks that cover device isolation, evidence preservation, credential/session revocation, banking or fraud escalation, and replacement/re-enrollment decisions.
Analyst notes and limits
The supplied ATT&CK object identifies TrickMo as an Android mobile banking trojan designed to steal TANs and notes it was most likely distributed by TrickBot and primarily targeted users in Germany, based on the cited SecurityIntelligence reference. The strongest defensive value comes from the related mobile techniques: SMS access/control, screen capture, input injection, discovery, persistence through broadcast receivers, obfuscation, web-protocol communications, and device lockout/uninstall behavior.
ATT&CK provides no official detection text, no aliases, no listed tactics in the supplied fields, and only Android as the supported platform for this malware object. This take does not assert current activity, customer exposure, attribution beyond the supplied 'most likely' distribution statement, or guaranteed detection. Local mobile telemetry, device management architecture, banking/identity workflows, and incident evidence are required to determine actual risk and coverage.
TrickMo
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Mobile | T1624.001 | Broadcast Receivers Sub-technique | TrickMo registers for the `SCREEN_ON` and `SMS_DELIVER` intents to perform actions when the device is unlocked and when the device receives an SMS message. [1] |
| Mobile | T1422.001 | Internet Connection Discovery Sub-technique | TrickMo can collect device network configuration information such as IMSI, IMEI, and Wi-Fi connection state. [1] |
| Mobile | T1422 | System Network Configuration Discovery | TrickMo can collect device network configuration information such as IMSI, IMEI, and Wi-Fi connection state. [1] |
| Mobile | T1629.002 | Device Lockout Sub-technique | TrickMo can prevent the user from interacting with the UI by showing a WebView with a persistent cursor. [1] |
| Mobile | T1437.001 | Web Protocols Sub-technique | TrickMo communicates with the C2 by sending JSON objects over unencrypted HTTP requests. [1] |
| Mobile | T1422.002 | Wi-Fi Discovery Sub-technique | TrickMo can collect device network configuration information such as IMSI, IMEI, and Wi-Fi connection state. [1] |
| Mobile | T1636.004 | SMS Messages Sub-technique | TrickMo can intercept SMS messages. [1] |
| Mobile | T1418 | Software Discovery | TrickMo can collect a list of installed applications. [1] |
| Mobile | T1630.001 | Uninstall Malicious Application Sub-technique | TrickMo can uninstall itself from a device on command by abusing the accessibility service. [1] |
| Mobile | T1516 | Input Injection | TrickMo can inject input to set itself as the default SMS handler, and to automatically click through pop-ups without giving the user any time to react. [1] |
| Mobile | T1644 | Out of Band Data | TrickMo can be controlled via encrypted SMS message. [1] |
| Mobile | T1426 | System Information Discovery | TrickMo can collect device information such as network operator, model, brand, and OS version. [1] |
| Mobile | T1513 | Screen Capture | TrickMo can use the `MediaRecorder` class to record the screen when the targeted application is presented to the user, and can abuse accessibility features to record targeted applications to intercept transaction authorization numbers (TANs) and to scrape on-screen text. [1] |
| Mobile | T1582 | SMS Control | TrickMo can delete SMS messages. [1] |
| Mobile | T1533 | Data from Local System | TrickMo can steal pictures from the device. [1] |
| Mobile | T1633.001 | System Checks Sub-technique | TrickMo can detect if it is running on a rooted device or an emulator. [1] |
| Mobile | T1406 | Obfuscated Files or Information | TrickMo contains obfuscated function, class, and variable names, and encrypts its shared preferences using Java’s `PBEWithMD5AndDES` algorithm. [1] |
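Several rows above (the `SMS_DELIVER` receiver, accessibility-service abuse for input injection and self-uninstall, device lockout, and the IMSI/IMEI/Wi-Fi and installed-app discovery) correspond to declarations a decoded `AndroidManifest.xml` has to carry, which gives app-inventory review a cheap static check. The following is an added example, not Glexia's or MITRE's code: it parses a constructed, already-decoded manifest (the package and component names are hypothetical; the permission strings and intent actions are the real Android identifiers) into capability flags and reports which of the table's behaviour combinations an app declares.

```python
"""Static triage of a decoded AndroidManifest.xml for capability combinations (added example)."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
A_NAME = "{%s}name" % ANDROID_NS
A_PERMISSION = "{%s}permission" % ANDROID_NS

# Constructed sample manifest in decoded (text XML) form; a packed binary manifest must be
# decoded with a tool such as apktool first, this parser does not read the binary format.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.reader">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.ACCESS_WIFI_STATE"/>
  <uses-permission android:name="android.permission.QUERY_ALL_PACKAGES"/>
  <application>
    <receiver android:name=".SmsReceiver" android:permission="android.permission.BROADCAST_SMS">
      <intent-filter>
        <action android:name="android.provider.Telephony.SMS_DELIVER"/>
      </intent-filter>
    </receiver>
    <service android:name=".AccService" android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
    <receiver android:name=".AdminReceiver" android:permission="android.permission.BIND_DEVICE_ADMIN">
      <intent-filter>
        <action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""

# Capability combinations worth a second look, keyed by a short finding name.
COMBINATIONS = {
    "sms-interception-with-ui-automation": {"sms_deliver_receiver", "accessibility_service"},
    "device-admin-with-sms-access": {"device_admin", "sms_read"},
    "device-fingerprinting-and-app-discovery": {"phone_identity", "wifi_state", "package_enumeration"},
}


def extract_capabilities(manifest_xml):
    """Reduce a decoded manifest to a set of capability flags."""
    root = ET.fromstring(manifest_xml)
    caps = set()
    perms = {el.get(A_NAME) for el in root.iter("uses-permission")}
    if perms & {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS"}:
        caps.add("sms_read")
    if "android.permission.SEND_SMS" in perms:
        caps.add("sms_send")
    if "android.permission.READ_PHONE_STATE" in perms:
        caps.add("phone_identity")          # IMEI/IMSI style identifiers
    if "android.permission.ACCESS_WIFI_STATE" in perms:
        caps.add("wifi_state")
    if "android.permission.QUERY_ALL_PACKAGES" in perms:
        caps.add("package_enumeration")     # installed-app listing
    for recv in root.iter("receiver"):
        actions = {a.get(A_NAME) for a in recv.iter("action")}
        if "android.provider.Telephony.SMS_DELIVER" in actions:
            caps.add("sms_deliver_receiver")  # required to become the default SMS handler
        if recv.get(A_PERMISSION) == "android.permission.BIND_DEVICE_ADMIN":
            caps.add("device_admin")
    for svc in root.iter("service"):
        if svc.get(A_PERMISSION) == "android.permission.BIND_ACCESSIBILITY_SERVICE":
            caps.add("accessibility_service")
    return caps


def triage(manifest_xml):
    """Return the sorted names of the capability combinations the manifest declares."""
    caps = extract_capabilities(manifest_xml)
    return sorted(name for name, needed in COMBINATIONS.items() if needed <= caps)


if __name__ == "__main__":
    print(sorted(extract_capabilities(SAMPLE_MANIFEST)))
    print(triage(SAMPLE_MANIFEST))
```

Two caveats match the "Detection direction" notes above: the `SCREEN_ON` broadcast can only be received by a receiver registered at runtime, never by a manifest-declared one, so this check cannot see that registration; and `MediaRecorder` use and runtime root/emulator checks are likewise invisible to manifest review, so a clean manifest result is not a clean verdict.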
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see the ATT&CK resources (Updates) page.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.1 | | Current bundle | d8d3382bf9f3… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] SecurityIntelligence TrickMo: P. Asinovsky. (2020, March 24). TrickBot Pushing a 2FA Bypass App to Bank Customers in Germany. Retrieved April 24, 2020.
- [2] mitre-attack S0427: MITRE ATT&CK software object S0427 (TrickMo).
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.