New TrickMo Android Malware Variant Uses TON And SOCKS5 To Expand Banking Attacks


Cybersecurity researchers have identified a new variant of the TrickMo Android banking trojan that introduces advanced network-related functionality and command-and-control communication through The Open Network (TON). According to a report published by ThreatFabric, the malware variant was observed between January and February 2026 and has actively targeted banking and cryptocurrency wallet users in France, Italy, and Austria. The updated malware version adds capabilities such as SSH tunnelling, SOCKS5 proxying, and network reconnaissance, significantly expanding the operational functionality of infected Android devices beyond traditional banking fraud activities.

TrickMo has been active since late 2019 and was initially identified by CERT-Bund and IBM X-Force due to its ability to abuse Android accessibility services for intercepting one-time passwords and facilitating account takeover attempts. Over time, the malware evolved into a comprehensive device takeover platform capable of phishing credentials, recording screens, logging keystrokes, intercepting SMS messages, and enabling remote control of infected devices. ThreatFabric reported that the latest version, referred to as TrickMo C, continues to rely on a dynamically loaded APK module known as “dex.module,” which is downloaded at runtime from attacker-controlled infrastructure. However, one of the most significant architectural changes in the latest variant is the integration of TON blockchain infrastructure for stealthier command-and-control communications. Researchers explained that the malware includes an embedded native TON proxy that routes outgoing requests through .adnl endpoints across the TON overlay network, making malicious traffic more difficult to detect and disrupt using traditional network monitoring and takedown methods.

The malware is reportedly distributed through phishing websites and dropper applications disguised as modified adult-oriented versions of TikTok promoted through Facebook campaigns. The dropper applications identified by researchers included package names such as “com.app16330.core20461” and “com.app15318.core1173,” while the malicious TrickMo payload itself impersonated Google Play Services using package names including “uncle.collop416.wifekin78” and “nibong.lida531.butler836.” Earlier versions of the malware relied on accessibility-driven remote control functions using socket.io-based communication channels, but the latest release shifts toward a more network-focused operational model. ThreatFabric stated that the malware now supports commands including curl, ping, dnslookup, telnet, and traceroute, effectively giving attackers the ability to perform network reconnaissance directly from the victim’s device and from any connected home or corporate network environment.
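A defender-side inventory check built on the package names quoted above, added here as an example that is not part of the ThreatFabric report or this article. The name-pattern heuristics are my own assumption generalised from those four samples, the legitimate Google Play services package name is com.google.android.gms, and the sample inventory is constructed:

```python
import re

# Package names quoted in the ThreatFabric findings above.
TRICKMO_DROPPER_PACKAGES = {"com.app16330.core20461", "com.app15318.core1173"}
TRICKMO_PAYLOAD_PACKAGES = {"uncle.collop416.wifekin78", "nibong.lida531.butler836"}

# The only package that legitimately carries the "Google Play services" label.
GENUINE_PLAY_SERVICES = "com.google.android.gms"

# Heuristics (assumption, generalised from the four sample names, not from the report):
# droppers look like com.app<digits>.core<digits>; payloads look like
# <word>.<word><digits>.<word><digits>.
_DROPPER_NAME_PATTERN = re.compile(r"^com\.app\d+\.core\d+$")
_PAYLOAD_NAME_PATTERN = re.compile(r"^[a-z]+\.[a-z]+\d+\.[a-z]+\d+$")


def classify_package(package: str, label: str) -> list[str]:
    """Return the reasons an installed package is suspicious (empty list = nothing found)."""
    reasons = []
    # Name-based checks, most specific first so a known IoC is reported as such.
    if package in TRICKMO_DROPPER_PACKAGES:
        reasons.append("known TrickMo dropper package")
    elif package in TRICKMO_PAYLOAD_PACKAGES:
        reasons.append("known TrickMo payload package")
    elif _DROPPER_NAME_PATTERN.match(package):
        reasons.append("dropper-like package name (com.app<n>.core<n>)")
    elif _PAYLOAD_NAME_PATTERN.match(package):
        reasons.append("payload-like package name")
    # Label-based check: anything claiming to be Google Play services under another name.
    if "google play services" in label.lower() and package != GENUINE_PLAY_SERVICES:
        reasons.append("impersonates Google Play services")
    return reasons


def scan_inventory(inventory: list[tuple[str, str]]) -> dict[str, list[str]]:
    """Run classify_package over (package, label) pairs and keep only flagged entries."""
    findings = {}
    for package, label in inventory:
        reasons = classify_package(package, label)
        if reasons:
            findings[package] = reasons
    return findings


# Constructed sample inventory, shaped like an MDM export of (package name, app label).
SAMPLE_INVENTORY = [
    ("com.google.android.gms", "Google Play services"),
    ("com.whatsapp", "WhatsApp"),
    ("com.app16330.core20461", "TikTok 18+"),
    ("uncle.collop416.wifekin78", "Google Play Services"),
    ("org.mozilla.firefox", "Firefox"),
]

if __name__ == "__main__":
    for pkg, why in scan_inventory(SAMPLE_INVENTORY).items():
        print(f"{pkg}: {'; '.join(why)}")
```

The label check catches the impersonation regardless of package name, so it still fires when a future variant rotates its package names.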

Researchers also highlighted the malware’s integrated SOCKS5 proxy capability, which allows infected devices to function as network exit nodes capable of routing malicious traffic through the victim’s own internet connection. This functionality may help attackers evade IP-based fraud detection systems used by banking platforms, e-commerce services, and cryptocurrency exchanges. In addition, ThreatFabric identified dormant functionality within the malware that references the Pine hooking framework and extensive NFC-related permissions, although these features are not yet actively implemented. The presence of these components suggests that future versions of TrickMo may further expand their capabilities in mobile device manipulation and payment-related attacks. ThreatFabric stated that by using decentralized TON infrastructure combined with SSH tunnelling and authenticated SOCKS5 proxying, the malware transforms compromised Android devices into programmable network pivots that can be leveraged for broader cybercriminal operations while blending malicious communications with legitimate TON network activity.
