New Variant of TrickMo Android Banking Trojan Moves to TON Blockchain
In a noteworthy development, a new variant of the TrickMo Android banking trojan has moved its primary command-and-control (C2) transport onto The Open Network (TON) Blockchain. Because the bot addresses its operators by .adnl identities inside the decentralized overlay rather than by registered domain names, the usual countermeasure of seizing or sinkholing a C2 domain no longer has anything to act on.
Dissecting the New Variant: TrickMo C
The variant, identified by cybersecurity firm ThreatFabric and dubbed TrickMo C, targeted banking and wallet users in France, Italy, and Austria during January and February 2026. The findings come from an analysis by ThreatFabric's Mobile Threat Intelligence Team.
Telemetry gathered by the researchers indicates that TrickMo C is progressively replacing its predecessor in operator campaigns. It is distributed with TikTok-themed lures promoted through Facebook ads, so the initial contact with the victim happens on a mainstream platform rather than through a malicious app store listing.
TrickMo is a device-takeover trojan that abuses Android's accessibility service to give operators a real-time, interactive view of the compromised device. Its capabilities include credential phishing via WebView overlays, keylogging, screen streaming, full bidirectional remote control, and silent suppression of one-time-password (OTP) notifications. Taken together these let an operator act on the device from afar while the victim never sees the confirmation codes that would reveal what is happening.
A Decentralized Command Structure
The most significant aspect of this variant is its network design. According to ThreatFabric, the APK starts an embedded native TON proxy at process launch and routes the bot's HTTP client through it. Every C2 request therefore goes to a .adnl hostname that is resolved inside the TON overlay rather than through public DNS, so no query for the C2 name ever reaches a resolver that a defender can log or block.
The few clearnet lookups the bot still needs are sent to a public DNS-over-HTTPS endpoint, so they bypass the device's local resolver as well. Domain takedowns achieve little against this design: the operator endpoints are TON identities, not registered domains. At the network edge the trojan's traffic looks like that of any other application using TON. The practical consequence is that on a managed fleet where no application is expected to speak to TON peers or to a public DoH endpoint, that traffic itself becomes the indicator worth alerting on.
ThreatFabric has noted that the TON Blockchain is a legitimate decentralized platform initially developed for Telegram. The firm emphasized that the use of this technology by TrickMo’s operators represents an abuse of the platform by malicious actors, rather than any involvement from the TON project itself.
Transformative Network Capabilities
Beyond its transport, TrickMo C adds a network subsystem that turns an infected handset into a programmable network pivot. Operators can run five commands (curl, dnslookup, ping, telnet, and traceroute) from the victim's device, which gives them reconnaissance into whatever corporate or home network the handset happens to be connected to at the time.
A second command set provides socket-level tunnelling through an embedded SSH client, alongside an on-device SOCKS5 proxy that requires username and password authentication, so only whoever holds the credentials can use the exit. Together these form an authenticated, programmable network exit on the victim's device: traffic the operator pushes through it leaves from the victim's IP address, which defeats fraud controls that key on the source address of a banking session.
TrickMo C also requests broad Near Field Communication (NFC) permissions and bundles the Pine hooking framework. Neither is used in the current build; ThreatFabric regards them as reserved capabilities that could be switched on by a later runtime update.
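To make the authenticated SOCKS5 exit concrete, here is an added example (not the malware's code and not ThreatFabric's) that parses one SOCKS5 session in which the client negotiates username/password authentication per RFC 1928 and RFC 1929 and then issues a CONNECT. It shows exactly which bytes a detection engineer would see on the wire for such an exit. The sessions, the username and the target are constructed byte strings, not captured traffic.

```python
"""Parser for a SOCKS5 session that negotiates username/password authentication
(RFC 1928 method selection and CONNECT, RFC 1929 sub-negotiation). Added
example to show what the authenticated exit described above looks like on the
wire; the sessions at the bottom are constructed, not captured traffic."""
import socket
import struct

VER = 0x05
METHOD_NOAUTH, METHOD_USERPASS, METHOD_NONE_ACCEPTABLE = 0x00, 0x02, 0xFF
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04
CMDS = {0x01: "CONNECT", 0x02: "BIND", 0x03: "UDP_ASSOCIATE"}


class Cursor:
    """Bounds-checked reader over one direction of the byte stream."""
    def __init__(self, data):
        self.data, self.pos = data, 0

    def take(self, n, what):
        if self.pos + n > len(self.data):
            raise ValueError("truncated " + what)
        chunk = self.data[self.pos:self.pos + n]
        self.pos += n
        return chunk

    def u8(self, what):
        return self.take(1, what)[0]

    def u16(self, what):
        return struct.unpack("!H", self.take(2, what))[0]


def parse_addr(cur):
    """Read ATYP + ADDR + PORT and return (host, port)."""
    atyp = cur.u8("atyp")
    if atyp == ATYP_IPV4:
        host = socket.inet_ntop(socket.AF_INET, cur.take(4, "ipv4"))
    elif atyp == ATYP_DOMAIN:
        host = cur.take(cur.u8("domain length"), "domain").decode("ascii")
    elif atyp == ATYP_IPV6:
        host = socket.inet_ntop(socket.AF_INET6, cur.take(16, "ipv6"))
    else:
        raise ValueError("unknown address type %#x" % atyp)
    return host, cur.u16("port")


def parse_socks5_session(c2s, s2c):
    """Walk client->server and server->client bytes in protocol order."""
    c, s = Cursor(c2s), Cursor(s2c)
    # 1. Method negotiation (RFC 1928 section 3).
    if c.u8("client version") != VER or s.u8("server version") != VER:
        raise ValueError("not a SOCKS5 exchange")
    offered = sorted(set(c.take(c.u8("nmethods"), "methods")))
    chosen = s.u8("chosen method")
    summary = {"offered": offered, "auth": "none"}
    if chosen == METHOD_NONE_ACCEPTABLE or chosen not in offered:
        summary["auth"] = "rejected"
        return summary
    # 2. Username/password sub-negotiation (RFC 1929) when that method won.
    if chosen == METHOD_USERPASS:
        summary["auth"] = "userpass"
        if c.u8("auth version") != 0x01:
            raise ValueError("bad RFC 1929 version")
        summary["username"] = c.take(c.u8("ulen"), "username").decode("utf-8", "replace")
        summary["password_len"] = len(c.take(c.u8("plen"), "password"))
        if s.u8("auth reply version") != 0x01:
            raise ValueError("bad RFC 1929 reply version")
        if s.u8("auth status") != 0x00:
            summary["auth"] = "failed"
            return summary
    elif chosen != METHOD_NOAUTH:
        summary["auth"] = "unsupported:%#x" % chosen
        return summary
    # 3. Request and reply (RFC 1928 sections 4 and 6).
    if c.u8("request version") != VER or s.u8("reply version") != VER:
        raise ValueError("bad request/reply version")
    cmd = c.u8("cmd")
    c.u8("rsv")
    summary["cmd"] = CMDS.get(cmd, "unknown:%#x" % cmd)
    summary["target"] = parse_addr(c)
    summary["reply"] = s.u8("rep")
    s.u8("rsv")
    summary["bound"] = parse_addr(s)
    return summary


# Constructed: client offers only user/pass, authenticates as "bot1", then asks
# the exit to CONNECT to bank.example.com:443; the server accepts (REP 0x00).
AUTH_SESSION = (
    b"\x05\x01\x02"
    + b"\x01\x04bot1\x06s3cret"
    + b"\x05\x01\x00\x03\x10bank.example.com\x01\xbb",
    b"\x05\x02" + b"\x01\x00" + b"\x05\x00\x00\x01\x00\x00\x00\x00\x00\x00",
)
# Constructed: the same CONNECT through an unauthenticated proxy, for contrast.
NOAUTH_SESSION = (
    b"\x05\x01\x00" + b"\x05\x01\x00\x03\x10bank.example.com\x01\xbb",
    b"\x05\x00" + b"\x05\x00\x00\x01\x00\x00\x00\x00\x00\x00",
)

if __name__ == "__main__":
    print(parse_socks5_session(*AUTH_SESSION))
    print(parse_socks5_session(*NOAUTH_SESSION))
```

The three-byte greeting `05 01 02` answered by `05 02`, followed by a `01`-prefixed credential block, is the on-wire signature of a username/password SOCKS5 exit; the parser also reports a rejected negotiation (`05 ff`) rather than failing on it. Feed it reassembled TCP payloads in each direction; it does not need to see the application data that follows the CONNECT reply.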
Conclusion
The emergence of TrickMo C shows where mobile banking malware is heading: a C2 channel with no domain to seize, a residential exit on the victim's handset that defeats source-address fraud controls, and reserved hooks for capabilities not yet switched on. Countermeasures built around domain takedowns and resolver logs get little purchase on this design, and organizations will need to watch the traffic these transports produce instead.