Live Active security incident? Get immediate response
MITRE ATT&CK® Malware

S0427: TrickMo

TrickMo a 2FA bypass mobile banking trojan, most likely being distributed by TrickBot. TrickMo has been primarily targeting users located in Germany.[1]

TrickMo is designed to steal transaction authorization numbers (TANs), which are typically used as one-time passwords.[1]

MobileS0427MalwareObject v1.1 Modified
Discuss defensive coverage Back to ATT&CK
Glexia's Take

Analyst context for executives and security teams

Analyst confidence High

TrickMo matters because it represents mobile malware aimed at weakening transaction security, specifically by stealing transaction authorization numbers used as one-time passwords. For leaders, the practical issue is not only “malware on Android,” but whether mobile banking, workforce mobile access, SMS-based verification, and incident response processes can withstand a compromised user device that can observe screens, interact with the UI, access SMS content, discover installed apps, and communicate over web or out-of-band channels.

Executive priority

Treat this as a mobile identity and fraud-resilience concern. Organizations that rely on Android devices, SMS/TAN-style approvals, or mobile workflows should ask whether mobile device posture, app permission governance, banking/fraud monitoring, and user support escalation can identify and contain a compromised device before unauthorized transactions or credential misuse occur. Because ATT&CK provides no official detection text for this object, coverage should be proven with local telemetry and response testing rather than assumed from endpoint or network tooling.

Technical view

ATT&CK lists TrickMo for Android and relates it to behaviors including obfuscated files or information, software discovery, system/network/Wi-Fi/internet discovery, system information discovery, web-protocol communications, screen capture, input injection through Android accessibility-style abuse, local data collection, SMS control and SMS message access, broadcast receivers for event-driven execution, device lockout, malicious app uninstallation, system checks, and out-of-band data. SOC, detection, and IR teams should validate whether they can observe risky Android permissions and role changes, accessibility service abuse, SMS access/control, screen capture consent or MediaProjection-related use, unusual broadcast receiver registrations, device administrator or lockout behavior, suspicious app inventory/network discovery, and web/SMS-based communications from managed devices.

Likely telemetry

  • Android mobile device management or enterprise mobility management inventory and compliance state
  • Installed application inventory, package metadata, signing/source information, and app reputation where available
  • Android permission grants and changes, especially SMS, accessibility, screen capture/media projection, device administrator, notification, and network-related access
  • Accessibility service enablement and unusual UI automation or input-injection indicators
  • SMS provider access, default SMS handler changes, SMS send/receive/delete activity, and related user complaints

Detection direction

  • Start by mapping ATT&CK-related behaviors to actual Android telemetry sources; the official object does not provide detection guidance.
  • Prioritize detections around combinations of sensitive behaviors rather than single permissions: SMS access plus accessibility abuse, screen capture plus banking-app presence discovery, or device administrator changes plus lockout behavior.
  • Tune for legitimate administrative and accessibility use cases to reduce false positives, especially enterprise support tools, accessibility apps, messaging apps, and MDM agents.
  • Validate whether network monitoring can see mobile web-protocol communications without overclaiming visibility into encrypted HTTPS content.
  • Include anti-analysis and obfuscation expectations in malware triage; static-only review may miss behavior if system checks alter execution.

Mitigation priorities

  • Reduce reliance on SMS/TAN-style verification where stronger phishing- and device-compromise-resistant approval methods are available.
  • Enforce managed Android device baselines for enterprise use, including approved app sources, app inventory review, restricted high-risk permissions, and rapid removal/quarantine workflows.
  • Limit and monitor accessibility service, SMS handler, device administrator, notification, and screen capture privileges for non-business-critical apps.
  • Educate users and help desks to escalate unexpected banking prompts, accessibility permission requests, device lockouts, SMS anomalies, or apps that resist removal.
  • Prepare mobile IR playbooks that cover device isolation, evidence preservation, credential/session revocation, banking or fraud escalation, and replacement/re-enrollment decisions.
Analyst notes and limits

The supplied ATT&CK object identifies TrickMo as an Android mobile banking trojan designed to steal TANs and notes it was most likely distributed by TrickBot and primarily targeted users in Germany, based on the cited SecurityIntelligence reference. The strongest defensive value comes from the related mobile techniques: SMS access/control, screen capture, input injection, discovery, persistence through broadcast receivers, obfuscation, web-protocol communications, and device lockout/uninstall behavior.

ATT&CK provides no official detection text, no aliases, no listed tactics in the supplied fields, and only Android as the supported platform for this malware object. This take does not assert current activity, customer exposure, attribution beyond the supplied 'most likely' distribution statement, or guaranteed detection. Local mobile telemetry, device management architecture, banking/identity workflows, and incident evidence are required to determine actual risk and coverage.

Official MITRE ATT&CK definition

TrickMo

TrickMo a 2FA bypass mobile banking trojan, most likely being distributed by TrickBot. TrickMo has been primarily targeting users located in Germany.[1]

TrickMo is designed to steal transaction authorization numbers (TANs), which are typically used as one-time passwords.[1]

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

17 rows
Domain ID Name Relationship / procedure
Mobile T1624.001 Broadcast Receivers Sub-technique

TrickMo registers for the `SCREEN_ON` and `SMS_DELIVER` intents to perform actions when the device is unlocked and when the device receives an SMS message.[1]
Mobile T1422.001 Internet Connection Discovery Sub-technique

TrickMo can collect device network configuration information such as IMSI, IMEI, and Wi-Fi connection state.[1]
Mobile T1422 System Network Configuration Discovery

TrickMo can collect device network configuration information such as IMSI, IMEI, and Wi-Fi connection state.[1]
Mobile T1629.002 Device Lockout Sub-technique

TrickMo can prevent the user from interacting with the UI by showing a WebView with a persistent cursor.[1]
Mobile T1437.001 Web Protocols Sub-technique

TrickMo communicates with the C2 by sending JSON objects over unencrypted HTTP requests.[1]
Mobile T1422.002 Wi-Fi Discovery Sub-technique

TrickMo can collect device network configuration information such as IMSI, IMEI, and Wi-Fi connection state.[1]
Mobile T1636.004 SMS Messages Sub-technique

TrickMo can intercept SMS messages.[1]
Mobile T1418 Software Discovery

TrickMo can collect a list of installed applications.[1]
Mobile T1630.001 Uninstall Malicious Application Sub-technique

TrickMo can uninstall itself from a device on command by abusing the accessibility service.[1]
Mobile T1516 Input Injection

TrickMo can inject input to set itself as the default SMS handler, and to automatically click through pop-ups without giving the user any time to react.[1]
Mobile T1644 Out of Band Data

TrickMo can be controlled via encrypted SMS message.[1]
Mobile T1426 System Information Discovery

TrickMo can collect device information such as network operator, model, brand, and OS version.[1]
Mobile T1513 Screen Capture

TrickMo can use the `MediaRecorder` class to record the screen when the targeted application is presented to the user, and can abuse accessibility features to record targeted applications to intercept transaction authorization numbers (TANs) and to scrape on-screen text.[1]
Mobile T1582 SMS Control

TrickMo can delete SMS messages.[1]
Mobile T1533 Data from Local System

TrickMo can steal pictures from the device.[1]
Mobile T1633.001 System Checks Sub-technique

TrickMo can detect if it is running on a rooted device or an emulator.[1]
Mobile T1406 Obfuscated Files or Information

TrickMo contains obfuscated function, class, and variable names, and encrypts its shared preferences using Java’s `PBEWithMD5AndDES` algorithm.[1]
Relationship explorer

All related ATT&CK context

uses · Technique T1624.001: Broadcast Receivers Mobile uses · Technique T1422.001: Internet Connection Discovery Mobile uses · Technique T1422: System Network Configuration Discovery Mobile uses · Technique T1629.002: Device Lockout Mobile uses · Technique T1437.001: Web Protocols Mobile uses · Technique T1422.002: Wi-Fi Discovery Mobile uses · Technique T1636.004: SMS Messages Mobile uses · Technique T1418: Software Discovery Mobile uses · Technique T1630.001: Uninstall Malicious Application Mobile uses · Technique T1516: Input Injection Mobile uses · Technique T1644: Out of Band Data Mobile uses · Technique T1426: System Information Discovery Mobile uses · Technique T1513: Screen Capture Mobile uses · Technique T1582: SMS Control Mobile uses · Technique T1533: Data from Local System Mobile uses · Technique T1633.001: System Checks Mobile uses · Technique T1406: Obfuscated Files or Information Mobile
Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .

ATT&CK release
19.1
Object version
1.1
Created
Modified
Raw hash
d8d3382bf9f37cc8...
Imported snapshots across ATT&CK releases (1)
Release Bundle imported Object version Modified Status Raw hash
19.1 1.1 Current bundle d8d3382bf9f3…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Open mirrored raw JSON Open MITRE-hosted copy
Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1]
    SecurityIntelligence TrickMo

    P. Asinovsky. (2020, March 24). TrickBot Pushing a 2FA Bypass App to Bank Customers in Germany. Retrieved April 24, 2020.

    Open source URL
  2. [2]
    mitre-attack S0427
    Open source URL
Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.

Official MITRE ATT&CK site Official STIX data repository MITRE ATT&CK terms of use