Ethical Hacking News
A new variant of the TrickMo Android banking trojan has been discovered, utilizing The Open Network (TON) for command-and-control communications and SOCKS5 proxying capabilities. This latest version of the malware poses significant security risks to Android users worldwide, as it enables infected devices to bypass IP-based fraud-detection signatures on banking, e-commerce, and cryptocurrency exchange services.
ThreatFabric has discovered a new variant of the TrickMo Android banking trojan that uses The Open Network (TON) for command-and-control communications. The malware has incorporated new network-oriented functionality, including reconnaissance, SSH tunnelling, and SOCKS5 proxying capabilities. Infected devices can function as programmable network pivots and traffic-exit nodes, allowing attackers to bypass IP-based fraud-detection signatures. TrickMo has evolved from its initial abuse of Android's accessibility services to include features designed to phish for credentials and grant remote control over devices. The new variant uses the TON decentralized blockchain for stealthy C2 communications, making it challenging for security researchers to detect and mitigate.
ThreatFabric, a Dutch mobile security company, has recently discovered a new variant of the TrickMo Android banking trojan that leverages The Open Network (TON) for command-and-control (C2) communications. This latest version of the malware has been actively targeting banking and cryptocurrency wallet users in France, Italy, and Austria, showcasing the evolving tactics, techniques, and procedures (TTPs) employed by cybercriminals to evade detection.
According to ThreatFabric's report, TrickMo relies on a runtime-loaded APK (dex.module), as did its previous variant. However, this updated version of the malware has incorporated new network-oriented functionality, including reconnaissance, SSH tunnelling, and SOCKS5 proxying capabilities. These features enable infected devices to function as programmable network pivots and traffic-exit nodes, allowing attackers to bypass IP-based fraud-detection signatures on banking, e-commerce, and cryptocurrency exchange services.
The TrickMo malware has been around since late 2019, initially gaining notoriety for its ability to abuse Android's accessibility services to hijack one-time passwords (OTPs). Over time, the malware has evolved to include a wide range of features designed to phish for credentials, log keystrokes, record the screen, facilitate live screen streaming, intercept SMS messages, and grant complete remote control over devices. The latest versions of TrickMo, labeled TrickMo C, are distributed via phishing websites and dropper apps that serve as conduits for dynamically loaded APKs ("dex.module") retrieved at runtime from attacker-controlled infrastructure.
One notable feature of the new TrickMo variant is its use of the TON decentralized blockchain for stealthy C2 communications. According to ThreatFabric, TrickMo carries an embedded native TON proxy that starts on a loopback port at process start, effectively shielding outbound command-and-control requests from traditional DNS and public internet infrastructure. This approach reduces the effectiveness of traditional takedown and network-blocking efforts while making malicious traffic blend with legitimate TON activity.
Furthermore, the malware communicates through .adnl endpoints routed via an embedded local TON proxy, a tactic that may prove challenging for security researchers to detect and mitigate. The TrickMo variant also includes two dormant features: it bundles the Pine hooking framework and declares extensive NFC-related permissions, but neither is currently implemented. This suggests that the core developers are planning to expand the trojan's capabilities in the future.
In addition to its advanced network-oriented functionality, the new TrickMo variant boasts a SOCKS5 proxy that turns compromised devices into programmable network pivots and traffic-exit nodes whose connections originate from the victim's own network environment. This allows attackers to evade IP-based fraud-detection signatures on banking, e-commerce, and cryptocurrency exchange services, effectively turning infected phones into powerful tools for espionage.
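The indicators the report lists (the runtime-loaded "dex.module", ".adnl" C2 endpoints, accessibility-service abuse, SMS interception and the declared-but-dormant NFC permissions) can be turned into a simple static triage check over an APK's manifest and string table. The following is an added example written for this article, not ThreatFabric's or anyone else's detection code; the permission names are real Android permissions, while the sample manifest and strings are constructed here and the scoring is a heuristic of our own.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Real Android permission names grouped by the capability the report describes.
PERMISSION_CLUSTERS = {
    "accessibility abuse": {"android.permission.BIND_ACCESSIBILITY_SERVICE"},
    "SMS/OTP interception": {"android.permission.RECEIVE_SMS",
                             "android.permission.READ_SMS"},
    "overlay phishing": {"android.permission.SYSTEM_ALERT_WINDOW"},
    "NFC declared (dormant in the sample)": {"android.permission.NFC"},
}

# Plain substrings to look for in the APK's string table (case-insensitive).
STRING_INDICATORS = {
    ".adnl": "TON ADNL endpoint (C2 routed via local TON proxy)",
    "dex.module": "runtime-loaded APK module",
    "socks5": "embedded SOCKS5 proxy",
}


def triage_apk(manifest_xml: str, strings: list[str]) -> dict:
    """Return matched indicators and a rough score (one point per finding)."""
    root = ET.fromstring(manifest_xml)
    declared = {n.get(ANDROID_NS + "name", "") for n in root.iter("uses-permission")}
    # An accessibility service is bound through android:permission on <service>.
    declared |= {n.get(ANDROID_NS + "permission", "") for n in root.iter("service")}
    findings = []
    for label, perms in PERMISSION_CLUSTERS.items():
        hit = sorted(perms & declared)
        if hit:
            findings.append((label, hit))
    lowered = [s.lower() for s in strings]
    for needle, label in STRING_INDICATORS.items():
        matched = [s for s in lowered if needle in s]
        if matched:
            findings.append((label, matched))
    return {"findings": findings, "score": len(findings)}


# Constructed sample manifest and string table (not from a real sample).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.dropper">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.NFC"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <application>
    <service android:name=".A11y"
        android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
  </application>
</manifest>"""
SAMPLE_STRINGS = ["http://127.0.0.1:8080", "cc-node.adnl", "dex.module", "Socks5Server"]

if __name__ == "__main__":
    for label, evidence in triage_apk(SAMPLE_MANIFEST, SAMPLE_STRINGS)["findings"]:
        print(f"{label}: {evidence}")
```

Run against a manifest decoded with apktool and the strings pulled from the APK's resources and dex files; a high score is a reason for a deeper look, not a verdict.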
The TrickMo malware has significant implications for Android users worldwide, as it highlights the ongoing threat posed by sophisticated mobile banking trojans. As cybercriminals continue to evolve their tactics and techniques, it is essential for security researchers, policymakers, and device manufacturers to stay vigilant and develop effective countermeasures to combat these emerging threats.
In light of this latest development, ThreatFabric has emphasized the need for increased awareness and vigilance among Android users. As the use of The Open Network (TON) for command-and-control communications becomes more widespread in cybercrime campaigns, it is crucial that security researchers and law enforcement agencies develop strategies to detect and disrupt these operations.
In conclusion, the discovery of a new TrickMo variant using TON C2 and SOCKS5 to create Android network pivots underscores the evolving landscape of mobile malware threats. As TrickMo continues to evolve, it will be essential for device manufacturers, security researchers, and policymakers to collaborate on developing effective countermeasures to combat these sophisticated cyber threats.
Related Information:
https://www.ethicalhackingnews.com/articles/New-TrickMo-Variant-Uses-TON-C2-and-SOCKS5-to-Create-Android-Network-Pivots-ehn.shtml
https://thehackernews.com/2026/05/new-trickmo-variant-uses-ton-c2-and.html
Published: Tue May 12 09:44:54 2026 by llama3.2 3B Q4_K_M