A new variant of the TrickMo Android malware has emerged, posing a heightened threat to users of banking, wallet, and authenticator apps across Europe. This latest version is more elusive and effective, making it challenging for users and security systems to detect and mitigate.
Currently, the malware is distributed through fraudulent TikTok apps promoted in Facebook campaigns, and through a deceptive application named ‘Live Streaming.’ Once installed, TrickMo manipulates users into granting accessibility permissions, which effectively gives attackers full control over the device and turns it into a tool for cybercriminal activity.
How TrickMo Operates
Researchers from ThreatFabric have been monitoring this new variant since early 2026. They note that this is not a new malware family but a significant update to an existing platform. The malware targets users in countries such as France, Italy, and Austria, with a focus on gradually replacing its predecessor.
This variant of TrickMo is particularly dangerous because it goes beyond stealing credentials. It can record screens, log keystrokes, intercept SMS messages, and silently suppress notifications for one-time passwords, making it extremely difficult to detect fraudulent activities.
Technical Advancements in TrickMo
TrickMo transforms infected devices into network nodes, using features such as SSH tunneling and a SOCKS5 proxy. This setup lets the operators route their own malicious traffic through the victim’s device and network connection, so fraud detection systems at financial institutions see the activity as coming from the legitimate customer and treat it as genuine.
Notably, TrickMo’s command-and-control infrastructure has shifted to The Open Network (TON), a decentralized peer-to-peer network. This move makes it difficult for security teams to locate and disable the malware’s communication channels, as the traditional methods of domain takedowns are ineffective against TON’s .adnl addresses.
Protective Measures Against TrickMo
TrickMo’s ability to mimic legitimate banking apps through fake login screens and intercept communication highlights the need for increased vigilance. Users are advised to avoid installing apps from unverified sources and to refrain from granting accessibility permissions to unfamiliar applications.
Financial institutions are encouraged to implement advanced mobile threat detection systems capable of identifying suspicious accessibility service usage and unusual tunneling activities. Regularly updating devices and monitoring for anomalies can also help in mitigating the risks posed by such sophisticated malware.
By understanding the evolving threat landscape and adopting proactive measures, both individual users and financial entities can better protect themselves from the TrickMo malware and similar cyber threats.
