
Cybersecurity researchers have reported a new version of TrickMo, an Android banking Trojan that uses The Open Network (TON) for command and control (C2).
ThreatFabric observed this new variant between January and February 2026, when it was actively targeting users of banks and crypto wallets in France, Italy, and Austria.
“TrickMo relies on a runtime-loaded APK (dex.module), which was also used in previous variants, but has been updated with new features that add new network-oriented features such as reconnaissance, SSH tunneling, and SOCKS5 proxy functionality that allows infected devices to act as programmable network pivots and traffic exit nodes,” the Dutch mobile security company said in a report shared with The Hacker News.
TrickMo is the name assigned to device takeover (DTO) malware that has been active since late 2019. It was first reported by CERT-Bund and IBM X-Force, who described its ability to abuse Android accessibility services to hijack one-time passwords (OTPs).
It also comes equipped with a wide range of features such as credential phishing, keystroke logging, screen recording, facilitating live screen streaming, and SMS message interception, essentially giving operators complete remote control of the device.
The latest version, labeled TrickMo C, is distributed via a step-by-step website and a dropper app. The latter acts as a conduit for a dynamically loaded APK (“dex.module”) obtained at runtime from attacker-controlled infrastructure. A notable architectural change is the use of the TON decentralized blockchain for stealth C2 communications.
“TrickMo embeds a native TON proxy that launches on the loopback port when the host APK starts the process,” ThreatFabric said. “The bot’s HTTP client connects through that proxy, so all outgoing command and control requests are addressed to the .adnl hostname and resolved through the TON overlay.”
The dropper app poses as an adult version of TikTok promoted through Facebook, while the TrickMo payload itself impersonates Google Play Services. The package names observed are:
Dropper: com.app16330.core20461 or com.app15318.core1173
TrickMo: Uncle.collop416.wifekin78 or nibong.lida531.butler836

While previous versions of “dex.module” implemented accessibility-driven remote control through socket.io-based channels, the new version adds a network operations subsystem that turns the malware into a remotely controlled network tool rather than a traditional banking Trojan.
This subsystem supports commands such as curl, dnslookup, ping, telnet, and traceroute, providing attackers with “the equivalent of a remote shell for network reconnaissance from the victim’s network location, including the corporate and home networks to which the device is currently associated.”
Another key feature is a SOCKS5 proxy that turns compromised devices into exit nodes for routing malicious traffic, letting operators sidestep IP-based fraud detection in banking, e-commerce, and cryptocurrency exchange services.
Additionally, TrickMo carries two dormant capabilities: it bundles the Pine hooking framework and declares extensive NFC-related permissions, but neither is actually used. This may indicate that the core developers plan to extend the Trojan's functionality in the future.
“Instead of relying on traditional DNS or public internet infrastructure, this malware communicates through an .adnl endpoint that is routed through an embedded local TON proxy, reducing the effectiveness of traditional takedown and network blocking efforts while mixing traffic with legitimate TON activity,” ThreatFabric said.
“This latest variant extends the operational role of infected devices through SSH tunneling and authenticated SOCKS5 proxies, effectively turning infected phones into programmable network pivots and traffic exit nodes that originate connections from the victim’s own network environment.”
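The indicators ThreatFabric describes lend themselves to a simple host-side triage check: the package names quoted above, an outbound request addressed to a .adnl hostname that is sent through a proxy on the loopback interface, and an ordinary app holding a listening socket (which is what a SOCKS5 proxy on a handset looks like). The script below is an added example, not ThreatFabric's or the article's code; the `evt=... pkg=... dst=...` record format is a hypothetical MDM/EDR export, the `.adnl` hostname is a placeholder, and all input is constructed.

```python
"""Triage helper for the TrickMo C indicators in the report (added example).

Checks an installed-package inventory against the package names quoted in
the report, then scans constructed network-event records for the C2
pattern described there: an HTTP request addressed to a .adnl hostname
that is routed through a proxy on 127.0.0.1, plus a listening socket owned
by an app (proxy / exit-node behaviour). The record format is a
hypothetical export; real tooling will differ.
"""
import re
from collections import defaultdict

# Package names quoted in the report (the only page-provided indicators).
DROPPER_PACKAGES = {"com.app16330.core20461", "com.app15318.core1173"}
TRICKMO_PACKAGES = {"Uncle.collop416.wifekin78", "nibong.lida531.butler836"}

# Constructed installed-package inventory (hypothetical MDM export).
SAMPLE_INSTALLED = [
    "com.android.chrome",
    "com.google.android.gms",
    "com.app15318.core1173",
    "nibong.lida531.butler836",
]

# Constructed network-event records, one per line, in a hypothetical
# 'key=value' format:
#   evt=connect pkg=<pkg> dst=<host:port> proxy=<ip:port|none>
#   evt=listen  pkg=<pkg> port=<n>
SAMPLE_EVENTS = [
    "evt=connect pkg=com.android.chrome dst=www.example.com:443 proxy=none",
    # bot HTTP client -> local TON proxy, request addressed to a .adnl name (placeholder)
    "evt=connect pkg=nibong.lida531.butler836 dst=c2-placeholder.adnl:80 proxy=127.0.0.1:8080",
    # app exposing a listening port, consistent with a SOCKS5 proxy
    "evt=listen pkg=nibong.lida531.butler836 port=1080",
    # a loopback proxy on its own is common (VPN clients etc.) and is not flagged
    "evt=connect pkg=com.example.corpvpn dst=vpn.example.com:443 proxy=127.0.0.1:9050",
    "this line is not an event record",
]


def parse_event(line):
    """Parse one 'key=value ...' record; return None for non-record lines."""
    fields = dict(re.findall(r"(\w+)=(\S+)", line))
    return fields if "evt" in fields and "pkg" in fields else None


def match_packages(installed):
    """Return {package: role} for packages matching the report's names."""
    hits = {}
    for pkg in installed:
        if pkg in DROPPER_PACKAGES:
            hits[pkg] = "dropper"
        elif pkg in TRICKMO_PACKAGES:
            hits[pkg] = "trickmo"
    return hits


def scan_events(lines):
    """Return {package: set(indicators)} for packages showing TrickMo-like behaviour.

    adnl_dest        request addressed to a .adnl hostname (TON overlay C2)
    loopback_proxy   that same request went through a proxy on 127.0.0.1
    listening_socket the package owns a listening port
    """
    per_pkg = defaultdict(set)
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        pkg = ev["pkg"]
        if ev["evt"] == "connect":
            host = ev.get("dst", "").rsplit(":", 1)[0].lower()
            if host.endswith(".adnl"):
                per_pkg[pkg].add("adnl_dest")
                if ev.get("proxy", "none").startswith("127."):
                    per_pkg[pkg].add("loopback_proxy")
        elif ev["evt"] == "listen":
            per_pkg[pkg].add("listening_socket")
    return dict(per_pkg)


def triage(installed, event_lines):
    """Combine both checks into a sorted reason list per suspicious package."""
    pkg_hits = match_packages(installed)
    event_hits = scan_events(event_lines)
    verdicts = {}
    for pkg in set(pkg_hits) | set(event_hits):
        reasons = set(event_hits.get(pkg, ()))
        if pkg in pkg_hits:
            reasons.add("known_%s_package" % pkg_hits[pkg])
        verdicts[pkg] = sorted(reasons)
    return verdicts


if __name__ == "__main__":
    for pkg, reasons in sorted(triage(SAMPLE_INSTALLED, SAMPLE_EVENTS).items()):
        print("%-28s %s" % (pkg, ", ".join(reasons)))
```

The behavioural checks are deliberately combined: a loopback proxy alone is normal on phones running VPN or filtering apps, so it only counts when the same request targets a .adnl name, and a listening socket is reported as a separate signal rather than treated as proof of a SOCKS5 proxy.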
