TrickMo Android Malware Expands Network Operations
A sophisticated new version of the TrickMo Android banking trojan has emerged, utilizing The Open Network (TON) for its command-and-control (C2) operations. Security researchers from ThreatFabric have identified this variant, which was active between January and February 2026, targeting users in France, Italy, and Austria.
Enhanced Network Capabilities
The latest iteration of TrickMo introduces advanced network features, allowing compromised devices to act as programmable pivots and exit nodes in a network. This variant continues to use a runtime-loaded APK, known as dex.module, which now includes enhanced functionalities such as reconnaissance, SSH tunnelling, and SOCKS5 proxying, according to a report by ThreatFabric shared with The Hacker News.
This newly observed behavior signifies a strategic evolution from its original design, which primarily focused on exploiting Android’s accessibility services to hijack one-time passwords (OTPs) and phish for credentials, among other malicious activities.
Distribution and Architecture Shifts
TrickMo’s latest versions, referred to as TrickMo C, are disseminated via phishing websites and dropper applications. These droppers disguise themselves as adult versions of popular apps like TikTok, while the malware itself impersonates Google Play Services. The architecture has now shifted to leverage the TON decentralized blockchain, ensuring more covert C2 communications.
ThreatFabric reports that TrickMo integrates a native TON proxy, which listens on a loopback port opened at process start. This setup allows all C2 requests to be routed through .adnl hostnames resolved via the TON network rather than conventional DNS, effectively blending malicious traffic with legitimate TON activity.
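As an added defensive example (not from the ThreatFabric report or this article), the following Python script scans per-app network log lines for the pattern described above: a process that opens a loopback listener and then routes its own outbound requests through that same port to .adnl hostnames. The log format, package names, IP addresses and hostnames are constructed for illustration and are not real indicators.

```python
import re
from collections import defaultdict

# Constructed per-app connection log (not a real Android log format):
# "<package> LISTEN <ip>:<port>" or "<package> CONNECT <ip>:<port> host=<name>"
SAMPLE_LOG = """\
com.example.fakeplay LISTEN 127.0.0.1:37211
com.example.fakeplay CONNECT 127.0.0.1:37211 host=c2-placeholder.adnl
com.example.fakeplay CONNECT 127.0.0.1:37211 host=c2-placeholder.adnl
com.example.browser CONNECT 203.0.113.10:443 host=www.example.com
com.example.localvpn LISTEN 127.0.0.1:1080
com.example.localvpn CONNECT 127.0.0.1:1080 host=vpn.example.net
"""

LINE_RE = re.compile(
    r"^(?P<pkg>\S+) (?P<event>LISTEN|CONNECT) (?P<ip>[\d.]+):(?P<port>\d+)"
    r"(?: host=(?P<host>\S+))?$"
)

def parse_log(text):
    """Yield (pkg, event, ip, port, host) tuples; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield (m["pkg"], m["event"], m["ip"], int(m["port"]), m["host"])

def find_ton_proxy_suspects(text):
    """Return {package: {"loopback_port": int, "adnl_hosts": set}} for packages
    that (1) listen on a loopback port and (2) send requests through that same
    loopback port to .adnl hostnames, i.e. the embedded-TON-proxy pattern.
    A local VPN/SOCKS app that only proxies ordinary hostnames is not flagged."""
    listeners = defaultdict(set)                        # pkg -> loopback ports
    adnl_via = defaultdict(lambda: defaultdict(set))    # pkg -> port -> hosts
    for pkg, event, ip, port, host in parse_log(text):
        if not ip.startswith("127."):
            continue                                    # only loopback traffic
        if event == "LISTEN":
            listeners[pkg].add(port)
        elif host and host.lower().endswith(".adnl"):
            adnl_via[pkg][port].add(host)
    suspects = {}
    for pkg, ports in listeners.items():
        for port in ports:
            hosts = adnl_via[pkg].get(port)
            if hosts:
                suspects[pkg] = {"loopback_port": port, "adnl_hosts": hosts}
    return suspects

if __name__ == "__main__":
    for pkg, info in find_ton_proxy_suspects(SAMPLE_LOG).items():
        print(f"{pkg}: loopback proxy on {info['loopback_port']} -> "
              f"{sorted(info['adnl_hosts'])}")
```

Because .adnl names never reach the resolver, this check depends on application-layer visibility (on-device hooks or an inspecting proxy), not on DNS logs.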
Operational Expansion and Future Developments
The malware’s network subsystem now supports a variety of commands typically used for network reconnaissance, such as curl, dnslookup, and ping. This enhancement effectively transforms the malware from a simple banking trojan into a tool for maintaining a managed network foothold, giving attackers a remote shell-equivalent capability on the infected device.
Additionally, a SOCKS5 proxy feature enables the infected device to serve as a network exit node, circumventing IP-based fraud detection systems. Despite these advancements, the malware also contains dormant features suggesting potential future expansions, including the Pine hooking framework and NFC-related permissions.
ThreatFabric highlights that by using embedded local TON proxies, TrickMo significantly reduces the effectiveness of traditional network-blocking and takedown efforts. This development marks a concerning shift in the operational capabilities of malware, emphasizing the need for robust cybersecurity measures to protect against evolving threats.
