TrickMo Android banker adopts TON for covert C2
A new TrickMo Android banking malware variant uses TON blockchain-based comms for stealthy command-and-control, disguising itself as TikTok or streaming apps.
A fresh wave of Android banking malware tactics is emerging, with TrickMo’s latest variant turning to The Open Network (TON) to hide its command-and-control traffic.
The campaign, which has targeted users across Europe, marks the TrickMo Android banker’s continuing evolution toward a more covert communications model. Researchers say the malware is delivered in ways that make it appear legitimate, including disguises as TikTok or streaming apps, while it goes after banking and cryptocurrency wallet users in France, Italy, and Austria.
TrickMo was first identified in September 2019 and, despite that early discovery, it has kept moving. Since then, it has continued to receive updates, indicating an active development cycle rather than a one-off operation. That pattern matters because it suggests defenders are not chasing a single sample but a living toolkit.
In October 2024, Zimperium analyzed 40 variants of the malware. Those samples were delivered through 16 droppers and communicated with 22 distinct command-and-control (C2) infrastructures. The analysis also highlighted that the campaigns were broad enough to target sensitive data belonging to users worldwide.
ThreatFabric later tracked a new development labeled ‘Trickmo.C,’ saying it has been monitoring this version since January. The most notable shift in this variant is its operator communications layer, which now relies on TON-based messaging rather than conventional C2 approaches.
The malware’s new feature centers on how it talks to its operator. ThreatFabric reports that the communication uses .ADNL addresses routed through an embedded local TON proxy running on the infected device. That design is intended to keep the operator endpoints harder to locate through traditional internet exposure.
TON itself is described as a decentralized peer-to-peer network originally developed around the Telegram ecosystem. Rather than relying on publicly exposed internet servers for web communications, devices can exchange data through an encrypted overlay network.
Technically, ThreatFabric points to how TON uses a 256-bit identifier instead of a standard domain. In practice, that means the IP address and the communication port are obscured, making it more difficult for defenders to identify, block, or take down the real infrastructure.
ThreatFabric also argues that conventional takedowns are often less effective against this kind of setup. The report says operators do not depend on the public DNS hierarchy; instead, they maintain endpoints as TON .adnl identities that are resolved within the overlay network itself.
From a defensive standpoint, the report adds that traffic-pattern detection at the network edge may see only TON traffic. Because that traffic is encrypted and structured to blend with other TON-enabled application flows, it becomes harder to distinguish malicious activity from legitimate outbound behavior using surface-level network observation.
Under the hood, TrickMo is built as modular malware with a two-stage design. One APK acts as the host, handling the loader and persistence layer, while a runtime-downloaded APK module carries the actual offensive functionality.
The malware targets banking credentials through phishing-style overlays, and it pairs that with surveillance capabilities. ThreatFabric lists keylogging and screen recording, as well as live screen streaming, which can help an operator capture what a victim sees and types.
TrickMo also focuses on communication and account recovery workflows. The reported functions include SMS interception, OTP notification suppression, clipboard modification, notification filtering, and screenshot capturing. Taken together, these features are designed to disrupt authentication flows and reduce the chance victims notice suspicious activity.
ThreatFabric says the current variant adds additional commands and capabilities, expanding the range of what the operator can do on an infected device. The newly reported commands include curl, dnsLookup, ping, telnet, traceroute, SSH tunneling, remote port forwarding, local port forwarding, and authenticated SOCKS5 proxy support.
Researchers have also spotted the Pine runtime hooking framework in the malware’s environment. They note that Pine was previously used to intercept networking and Firebase operations, but in this case it is currently inactive, with no hooks installed.
Beyond network behavior, TrickMo’s permissions also draw attention. The malware declares extensive NFC permissions and reports NFC capabilities in telemetry, but ThreatFabric did not find evidence of any active NFC functionality. That mismatch can be a useful signal for defenders, suggesting telemetry or permissions may be present even when certain features aren’t being exercised.
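The permissions-versus-behavior mismatch described above can be computed mechanically during app triage. The following Python script is an added example written for this article, not code from ThreatFabric or from any TrickMo sample: it parses a constructed AndroidManifest.xml, maps each declared permission to the API references that would show it being used (a hypothetical evidence table, not an Android standard), and flags permissions for which no such reference appears in a constructed list of observed API usage. The manifest, package name and observed references are all made up for the demonstration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Constructed sample manifest (not taken from any real TrickMo sample). It
# declares NFC permissions next to the overlay/SMS permissions a banking
# trojan typically needs, and marks the NFC hardware feature as optional.
SAMPLE_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.hypothetical.video">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.NFC"/>
    <uses-permission android:name="android.permission.NFC_TRANSACTION_EVENT"/>
    <uses-permission android:name="android.permission.RECEIVE_SMS"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
    <uses-feature android:name="android.hardware.nfc" android:required="false"/>
    <application android:label="Video">
        <service android:name=".OverlayService"/>
        <receiver android:name=".SmsReceiver">
            <intent-filter>
                <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
            </intent-filter>
        </receiver>
    </application>
</manifest>
"""

# Hypothetical evidence table: a permission is considered "exercised" if any
# observed API reference starts with one of these prefixes. Extend it per case.
PERMISSION_EVIDENCE = {
    "android.permission.INTERNET": ("java.net.", "javax.net.", "okhttp3."),
    "android.permission.NFC": ("android.nfc.",),
    "android.permission.NFC_TRANSACTION_EVENT": ("android.nfc.",),
    "android.permission.RECEIVE_SMS": (
        "android.provider.Telephony.SMS_RECEIVED",
        "android.telephony.SmsMessage",
    ),
    "android.permission.READ_SMS": ("content://sms",),
    "android.permission.SYSTEM_ALERT_WINDOW": (
        "android.view.WindowManager",
        "TYPE_APPLICATION_OVERLAY",
    ),
}

# Constructed list of API references, as a static DEX scan or runtime
# telemetry might yield. Note that no android.nfc.* reference is present.
OBSERVED_REFERENCES = [
    "java.net.Socket",
    "android.provider.Telephony.SMS_RECEIVED",
    "android.telephony.SmsMessage",
    "content://sms/inbox",
    "android.view.WindowManager",
    "TYPE_APPLICATION_OVERLAY",
]


def declared_permissions(manifest_xml):
    """Return the android:name of every <uses-permission> in the manifest."""
    root = ET.fromstring(manifest_xml)
    return [el.get("{%s}name" % ANDROID_NS) for el in root.iter("uses-permission")]


def unexercised_permissions(manifest_xml, observed_refs):
    """Return declared permissions with no matching evidence of use.

    Permissions missing from PERMISSION_EVIDENCE are skipped rather than
    flagged, because absence of a rule is not evidence of non-use.
    """
    refs = list(observed_refs)
    unused = []
    for perm in declared_permissions(manifest_xml):
        prefixes = PERMISSION_EVIDENCE.get(perm)
        if prefixes is None:
            continue
        if not any(ref.startswith(p) for p in prefixes for ref in refs):
            unused.append(perm)
    return unused


if __name__ == "__main__":
    for perm in unexercised_permissions(SAMPLE_MANIFEST, OBSERVED_REFERENCES):
        print("declared but not exercised:", perm)
```

The output for the constructed input lists only the two NFC permissions, which is the kind of signal the report points to: declared capability with nothing behind it. In practice the observed-reference list would come from a disassembler or from runtime telemetry, and a permission flagged here should prompt a closer look rather than a verdict, since dynamically loaded modules (such as the second-stage APK the article describes) can exercise a permission the host APK never touches.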
For Android users, guidance remains practical even as the communications layer evolves. The report advises downloading software only from Google Play, limiting the number of installed apps, sticking to apps from reputable publishers, and keeping Play Protect enabled.
In a broader sense, the shift toward TON-based communications reflects a recurring malware trend: operators look for infrastructure that is harder to map, block, or dismantle. When C2 becomes encrypted overlay traffic with identifiers that don’t resemble standard domains, defenders are forced to rely more on endpoint signals, behavior monitoring, and tighter app ecosystem hygiene rather than expecting straightforward domain-based disruption to work.