TrickMo Android banker adopts TON blockchain for covert comms

At a glance:

  • A new TrickMo.C variant uses The Open Network (TON) .adnl addresses routed through an embedded local TON proxy on infected devices for stealthy C2 communications.
  • The malware disguises itself as TikTok or streaming apps and targets banking and cryptocurrency wallets in France, Italy, and Austria.
  • New commands include curl, dnsLookup, ping, telnet, traceroute, SSH tunneling, remote port forwarding, local port forwarding, and authenticated SOCKS5 proxy support.

A banking trojan evolves with blockchain-powered stealth

TrickMo, the Android banking malware first spotted in September 2019, has undergone another major evolution. ThreatFabric today detailed a new variant, tracked as TrickMo.C, that incorporates The Open Network (TON) as its command-and-control backbone, a move that significantly complicates detection and takedown efforts for defenders.

The researchers have been observing this version since January. The malware is disguised as TikTok or streaming apps and specifically targets banking and cryptocurrency wallets belonging to users in France, Italy, and Austria. That geographic focus aligns with TrickMo's long-running pattern of European campaigns, though Zimperium's October 2024 analysis found the malware targeting sensitive data from users worldwide across 40 variants delivered via 16 droppers and communicating with 22 distinct C2 infrastructures.

How TON changes the threat model

TON is a decentralized peer-to-peer network originally developed around the Telegram ecosystem. It lets devices communicate over an encrypted overlay network rather than through publicly exposed internet servers. Instead of relying on conventional domain names, TON addresses endpoints with a 256-bit identifier, which hides the server's IP address and communication port and makes the real infrastructure far more difficult to identify, block, or take down.

"Traditional domain takedowns are largely ineffective because the operator's endpoints do not rely on the public DNS hierarchy and instead exist as TON .adnl identities resolved inside the overlay network itself," ThreatFabric explains in its report. "Traffic-pattern detection at the network edge sees only TON traffic, which is encrypted and indistinguishable from any other TON-enabled application's outbound flow."

The variant communicates with the operator through .adnl addresses routed through an embedded local TON proxy running directly on the infected device. This means network-level inspection tools that rely on identifying traditional C2 server IPs or domains will struggle to flag the traffic, since it blends in with legitimate TON-enabled app traffic.

What the new variant can do

TrickMo is a modular piece of malware with a two-stage design: a host APK that serves as the loader and persistence layer, and a runtime-downloaded APK module that implements the offensive functionality. The full range of TrickMo's capabilities includes phishing overlays to harvest banking credentials, keylogging, screen recording, live screen streaming, SMS interception, OTP notification suppression, clipboard modification, notification filtering, and screenshot capturing.

The new variant adds the following commands and capabilities:

  • curl
  • dnsLookup
  • ping
  • telnet
  • traceroute
  • SSH tunneling
  • remote port forwarding
  • local port forwarding
  • authenticated SOCKS5 proxy support

ThreatFabric also notes the presence of the Pine runtime hooking framework, previously used to intercept networking and Firebase operations, though it is currently inactive because no hooks are installed. The malware declares extensive NFC permissions and reports NFC capabilities in its telemetry, but the researchers did not find any active NFC functionality.

What users and defenders should know

Android users are advised to download software only from Google Play, limit the number of installed apps on their phones, use apps only from reputable publishers, and ensure that Play Protect is active at all times. The shift to TON-based communications means that conventional sinkholing or domain-blacklist strategies are less effective against this campaign, raising the bar for both endpoint protection and network security monitoring.

For enterprises and financial institutions operating in the affected regions, the combination of phishing overlays, live screen streaming, and OTP suppression capabilities makes this variant particularly dangerous — it can intercept one-time passwords in real time while simultaneously recording the victim's screen to capture credentials entered manually.

FAQ

What is TrickMo.C and how does it differ from earlier versions?

TrickMo.C is the latest variant of the TrickMo Android banking malware, first spotted in September 2019. Unlike earlier versions, TrickMo.C uses The Open Network (TON) blockchain for command-and-control communications, employing .adnl addresses routed through an embedded local TON proxy on the infected device. This makes traditional domain takedowns and network-level detection much harder.

Which countries and apps are targeted by the new variant?

The malware disguises itself as TikTok or streaming apps and targets banking and cryptocurrency wallets of users in France, Italy, and Austria. Zimperium's broader October 2024 analysis found 40 variants delivered via 16 droppers targeting sensitive data worldwide.

What new capabilities does TrickMo.C add compared to previous versions?

The new variant adds curl, dnsLookup, ping, telnet, traceroute, SSH tunneling, remote port forwarding, local port forwarding, and authenticated SOCKS5 proxy support. It retains core features like phishing overlays, keylogging, screen recording, live screen streaming, SMS interception, OTP suppression, clipboard modification, notification filtering, and screenshot capturing.