A new TrickMo Android banking malware variant is targeting users in Europe and uses the TON blockchain for stealthy command and control communications, according to a technical analysis by ThreatFabric. The researchers said the version, tracked as Trickmo.C, has been seen since January and is being used against users in France, Italy and Austria.
KEY FACTS
- Disguise: The malware is posing as TikTok or streaming apps.
- Communication: It uses .ADNL addresses and an embedded local TON proxy on infected devices.
- Targets: Banking credentials and cryptocurrency wallets are among the aims.
- New commands: The variant adds curl, dnsLookup, ping, telnet, traceroute, SSH tunneling, port forwarding and authenticated SOCKS5 proxy support.
The report says TON is a decentralized peer-to-peer network that hides server details behind encrypted overlay traffic. That design makes traditional domain takedowns less effective because operator endpoints do not depend on public DNS.
TrickMo has a two-stage design: a loader APK and a module downloaded at runtime that carries the malicious features. Its functions include phishing overlays, keylogging, screen recording, live screen streaming, SMS interception, OTP notification suppression, clipboard modification, notification filtering and screenshot capture.
ThreatFabric also noted code from the Pine runtime hooking framework in the sample, but said it is inactive because no hooks are installed. The malware declares NFC permissions and reports NFC capabilities in telemetry, although the researchers did not find active NFC functionality.
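As an added triage example (not code from ThreatFabric or from the report), the following Python script checks an APK for two static traits the article describes: class references that only appear when an app loads code at runtime, consistent with a loader plus downloaded module, and declared permissions matching the overlay, SMS and NFC capabilities. The permission names are real Android ones; the marker list, the mapping to TrickMo and the in-memory sample APK are this example's assumptions, and every indicator also occurs in benign apps, so the output is a review flag rather than a verdict.

```python
import io
import zipfile

# Permission hints tied to the capabilities the article lists. The names are
# real Android permissions; linking them to TrickMo is this example's assumption.
PERMISSION_HINTS = {
    "android.permission.NFC": "declares NFC (reported in telemetry per the article)",
    "android.permission.SYSTEM_ALERT_WINDOW": "overlay capability (phishing overlays)",
    "android.permission.RECEIVE_SMS": "SMS access (SMS/OTP interception)",
}
# Class descriptors that appear in classes.dex only when code loads code at
# runtime, i.e. the loader-plus-downloaded-module design described above.
RUNTIME_LOADER_MARKERS = [
    b"Ldalvik/system/DexClassLoader;",
    b"Ldalvik/system/InMemoryDexClassLoader;",
]


def _manifest_contains(manifest: bytes, name: str) -> bool:
    # Binary AXML stores its string pool as UTF-16LE unless the UTF-8 flag is set,
    # so check both encodings instead of parsing the full chunk structure.
    return name.encode("utf-16-le") in manifest or name.encode("utf-8") in manifest


def triage_apk(apk_bytes: bytes) -> dict:
    """Return the static indicators found in an APK supplied as raw bytes."""
    findings = {"permissions": [], "runtime_loading": [], "dex_count": 0}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        names = zf.namelist()
        manifest = zf.read("AndroidManifest.xml") if "AndroidManifest.xml" in names else b""
        for perm, why in PERMISSION_HINTS.items():
            if _manifest_contains(manifest, perm):
                findings["permissions"].append((perm, why))
        for name in names:
            if name.startswith("classes") and name.endswith(".dex"):
                findings["dex_count"] += 1
                dex = zf.read(name)
                for marker in RUNTIME_LOADER_MARKERS:
                    if marker in dex:
                        findings["runtime_loading"].append((name, marker.decode()))
    # Runtime loading combined with two or more of the hinted permissions is worth
    # an analyst's look; each indicator alone is common in legitimate apps.
    findings["review"] = bool(findings["runtime_loading"]) and len(findings["permissions"]) >= 2
    return findings


def build_sample_apk() -> bytes:
    """Constructed stand-in for a loader APK (not a real sample): a zip holding a
    fake UTF-16LE manifest string pool and a fake dex with one loader descriptor."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        manifest = (b"\x03\x00\x08\x00" + "android.permission.NFC".encode("utf-16-le")
                    + "android.permission.SYSTEM_ALERT_WINDOW".encode("utf-16-le"))
        zf.writestr("AndroidManifest.xml", manifest)
        zf.writestr("classes.dex", b"dex\n035\x00" + b"Ldalvik/system/DexClassLoader;" + b"\x00")
    return buf.getvalue()
```

Run `triage_apk(open("sample.apk", "rb").read())` on a real file; the heuristic is a first pass for sorting submissions, not a substitute for decompiling the downloaded second stage.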
WHY IT MATTERS
The shift to TON can make the malware harder to disrupt and more difficult to detect at the network edge. Android users are advised to install apps only from Google Play or other reputable publishers and keep Play Protect enabled.