

Ethical Hacking News

The Evolution of TrickMo: A Decentralized Android Banking Trojan with TON Network Integration



The Android banking Trojan TrickMo has moved its command-and-control traffic onto the TON network, a change that concerns security researchers because the malware is no longer just a banking fraud tool: it is now a flexible cybercrime platform capable of remote surveillance, on-device network reconnaissance and modular feature expansion. Because the new transport has no conventional domains or hosting providers to block or seize, defenders need detection strategies that do not depend on takedown.

  • TrickMo now routes command-and-control traffic over TON (The Open Network), which makes its infrastructure harder to detect and take down.
  • A TON proxy embedded in the malware runs locally on the infected phone, so C2 traffic looks like ordinary TON activity.
  • Beyond banking fraud, operators can issue DNS lookups, pings, traceroutes and HTTP requests from the infected device, turning it into a reconnaissance foothold on whatever network it joins.
  • The latest variant is a flexible cybercrime platform: remote surveillance, network pivoting, fraud support and room for new features.
  • Its modular design lets operators add capabilities without reinstalling the malware.
  • C2 hosts are addressed by opaque base32 strings under the .adnl pseudo-TLD, which is not resolved by conventional DNS, so domain blocklists, sinkholing and registrar takedowns do not apply.


    The Android banking Trojan TrickMo has been evolving rapidly, and its latest update is a significant concern for security researchers. The malware has integrated TON (The Open Network), the decentralized blockchain network originally developed by Telegram, into its command-and-control infrastructure. The shift changes the malware's architecture and makes it harder to detect and take down.

    ThreatFabric researchers, who track TrickMo, identified several features that make this variant particularly worrisome. The malware is designed for stealth: a TON proxy embedded in the app runs locally on the infected phone, so its command-and-control traffic is carried as TON activity and is hard to separate from legitimate encrypted use of the network. The camouflage only works where legitimate TON traffic exists; on a network with no TON users, the proxy's traffic is itself the anomaly worth alerting on.

    Beyond the improved stealth, this TrickMo build goes beyond banking fraud. The researchers found networking capabilities built directly into the malware that let operators perform DNS lookups, ping hosts, trace routes and issue HTTP requests from the infected device. This turns a compromised phone into a reconnaissance tool inside whatever corporate or home network it is connected to, reaching hosts that are not exposed to the internet.

    What makes the latest variant particularly concerning is how far it has professionalised. It is no longer a banking trojan that only steals credentials but a flexible cybercrime platform supporting remote surveillance, network pivoting and fraud, with room for further features. Its modular design lets operators add capabilities without reinstalling the malware, so the installed base can be repurposed as the operators' needs change.

    The most significant change is the migration of command-and-control traffic onto the TON network. This departs from traditional internet infrastructure: the operators ride on a legitimate, decentralized network whose participants have no involvement in, and no responsibility for, the traffic, so there is no registrar, hosting provider or single operator to serve a takedown request. Hosts on TON are addressed by opaque base32 strings under the .adnl pseudo-TLD, which is resolved inside TON rather than by conventional DNS, so the domain and IP blocklists, sinkholes and registrar takedowns that defenders rely on against ordinary C2 domains do not apply.
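As an added example (not code from the original article, from ThreatFabric, or from any TrickMo analysis), the following Python helper triages text for hostnames under the .adnl pseudo-TLD, such as a strings dump from a decompiled APK, a proxy access log or text extracted from a packet capture. It separates opaque base32 labels, the form ADNL addresses take, from ordinary-looking names, so an analyst can pull candidate C2 hosts out of a sample without knowing them in advance. Two things are my assumptions: the 40-character minimum label length is a heuristic (my understanding is that ADNL addresses encode to 55 base32 characters, but the bound is kept tolerant), and every sample line and hostname below is constructed for illustration, not a real indicator.

```python
import re
from collections import Counter

# Hostnames under the .adnl pseudo-TLD. Dots are allowed inside the capture so
# subdomain chains survive; the lookarounds stop the match from bleeding into
# surrounding URL or log text.
ADNL_HOST_RE = re.compile(
    r"(?<![A-Za-z0-9.-])([A-Za-z0-9.-]+)\.adnl(?![A-Za-z0-9-])",
    re.IGNORECASE,
)

# RFC 4648 base32 alphabet (a-z, 2-7); ADNL addresses use it in lowercase,
# so hosts are lowercased before the check.
BASE32_RE = re.compile(r"[a-z2-7]+")

# Assumption (heuristic): encoded addresses are far longer than human-chosen
# names. My understanding is that ADNL addresses are 55 base32 characters;
# 40 is used as a tolerant lower bound rather than an exact check.
MIN_OPAQUE_LABEL_LEN = 40

# Constructed sample input: lines as they might appear in a strings dump, a
# proxy access log and a DNS query log. None of these hosts are real.
SAMPLE_LINES = [
    "http://uhftc7vplr6l3iq7zjsmsoqt6vdcuiz7u2z4uvjpydyeqn3bkzmthq2.adnl/gate",
    "ws://x.adnl/socket",
    "https://example.com/api/v1/ping",
    "2026-05-12T02:57:28Z GET uhftc7vplr6l3iq7zjsmsoqt6vdcuiz7u2z4uvjpydyeqn3bkzmthq2.adnl /cmd 200",
    "2026-05-12T02:58:01Z GET www.example.org / 200",
    "2026-05-12T02:58:30Z query A foo.bar.adnl from 10.0.0.5",
    "c2_host=ABCDEFGH23456723ABCDEFGH23456723ABCDEFGH23456723ABCDEFG.ADNL",
    "note: 0123456789012345678901234567890123456789012345678901.adnl",
]


def adnl_hosts(text):
    """Return every .adnl hostname found in text, lowercased, without the suffix."""
    return [m.group(1).lower() for m in ADNL_HOST_RE.finditer(text)]


def is_opaque_adnl_label(host):
    """True when the leftmost label looks like an encoded ADNL address."""
    leftmost = host.split(".")[0]
    return (len(leftmost) >= MIN_OPAQUE_LABEL_LEN
            and BASE32_RE.fullmatch(leftmost) is not None)


def triage(lines):
    """Scan lines and report each .adnl host with its line number and verdict."""
    hits = []
    for lineno, line in enumerate(lines, start=1):
        for host in adnl_hosts(line):
            hits.append({
                "line": lineno,
                "host": host + ".adnl",
                "opaque": is_opaque_adnl_label(host),
            })
    return hits


def opaque_host_counts(hits):
    """Count how often each address-like .adnl host was seen."""
    return Counter(h["host"] for h in hits if h["opaque"])


if __name__ == "__main__":
    results = triage(SAMPLE_LINES)
    for hit in results:
        verdict = "ADNL-address-like" if hit["opaque"] else "named .adnl host"
        print(f'line {hit["line"]}: {hit["host"]} ({verdict})')
    print(opaque_host_counts(results))
```

Run it over the sample and the two constructed address-like hosts are reported while the short and non-base32 names are kept as low-confidence hits; on real material, feed it the output of a strings dump or a proxy log and review the counts per host.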

    Researchers believe that this updated version is gradually replacing older TrickMo variants already active in the wild. While many of its visible features remain similar, the malware's internal structure has changed significantly. The latest update demonstrates that malware developers are responding to improved Android security measures by adopting smarter architectures, decentralized communications, and modular attack frameworks.

    The evolution of TrickMo highlights a broader trend in mobile malware development. Instead of creating completely new malware families, attackers are redesigning existing platforms to survive longer, avoid detection, and give operators more control. This approach is particularly concerning as it suggests that the future of mobile malware will be characterized by stealthy, adaptable, and feature-rich threats.

    In conclusion, TrickMo's adoption of the TON network is a milestone in its evolution. Because the decentralized transport defeats takedown and domain-based blocking, defenders have to shift to signals the malware cannot hide: an app that runs a local proxy and talks to TON nodes, and reconnaissance traffic (DNS lookups, pings, traceroutes and HTTP probes) originating from a phone. Detection and response plans should be updated on that basis as researchers continue to track the threat.



    Related Information:
  • https://www.ethicalhackingnews.com/articles/The-Evolution-of-TrickMo-A-Decentralized-Android-Banking-Trojan-with-TON-Network-Integration-ehn.shtml

  • https://securityaffairs.com/192003/malware/android-banking-trojan-trickmo-evolves-using-ton-network-for-c2.html


  • Published: Tue May 12 02:57:28 2026 by llama3.2 3B Q4_K_M

    © Ethical Hacking News . All rights reserved.