A new variant of the TrickMo Android banking trojan targeted banking and cryptocurrency wallet users in France, Italy and Austria between January and February 2026, and used The Open Network (TON) for command-and-control, according to a technical analysis from ThreatFabric.
KEY FACTS
- Malware family: TrickMo is a device-takeover trojan active since late 2019.
- New channel: The latest version routes its C2 traffic over The Open Network (TON), using it as an overlay network.
- Distribution: It spreads through phishing sites and dropper apps that fetch a runtime-loaded APK.
- Added tools: The malware includes reconnaissance, SSH tunnelling and SOCKS5 proxying functions.
The report says the latest variant, labeled TrickMo C, keeps the runtime-loaded APK model used by earlier versions but adds network-focused functions that let infected phones act as programmable pivots. The dropper apps pose as adult-oriented TikTok variants advertised on Facebook, while the payload itself impersonates Google Play Services.
ThreatFabric said the malware starts an embedded native TON proxy on a loopback port and routes its HTTP C2 traffic through it, with outbound requests addressed to .adnl hostnames, the naming scheme used inside TON. The setup is designed to make the traffic blend in with legitimate TON activity and to blunt blocking or takedown efforts aimed at conventional domains and IP addresses.
Previous versions of the dex.module payload used a socket.io-based channel for accessibility-driven remote control; the new version keeps that channel and adds commands such as curl, dnslookup, ping, telnet and traceroute. According to the report, this gives operators a remote, shell-like view from the victim's network position, including any internal corporate or home network the device is connected to.
TrickMo also includes a SOCKS5 proxy that can route an operator's traffic through the compromised device, which helps defeat IP-based fraud detection on banking, e-commerce and cryptocurrency services because requests appear to originate from the victim's own address. Two dormant features, a hook on the Pine hooking framework and a set of NFC permissions, are present in the code but not yet functional.
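Two of the indicators above, HTTP requests to .adnl names sent to the local TON proxy and SOCKS5 CONNECT requests arriving at the device's relay, can be pulled out of a packet capture with a few lines of parsing. The following is an added example written for this page, not code from the ThreatFabric report or from the malware: it parses the HTTP request head for an .adnl Host header and parses a SOCKS5 request per RFC 1928 to recover the relay's destination. The stream labels, port numbers and hostnames in the sample data are constructed for the example and are not values taken from the report.

```python
"""Triage helpers for traffic captured from a phone suspected of running
a TrickMo C payload.  Added example for this article; assumptions:
the local TON proxy port and all hostnames below are made up.
"""
import socket
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple


def adnl_host_from_http(request: bytes) -> Optional[str]:
    """Return the Host header value if it is an .adnl name, else None.

    Only the request head (up to the blank line) is inspected and the header
    name is matched case-insensitively, as HTTP requires.  An explicit port
    suffix on the host is dropped before the TLD check.
    """
    head, _, _ = request.partition(b"\r\n\r\n")
    for line in head.split(b"\r\n")[1:]:          # skip the request line
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"host":
            host = value.strip().decode("ascii", "replace").lower()
            host = host.split(":")[0]
            return host if host.endswith(".adnl") else None
    return None


@dataclass
class Socks5Connect:
    atyp: int        # 0x01 IPv4, 0x03 domain name, 0x04 IPv6
    dst_host: str
    dst_port: int


def parse_socks5_connect(data: bytes) -> Optional[Socks5Connect]:
    """Parse a SOCKS5 request (RFC 1928 section 4) and return its CONNECT target.

    Layout: VER(1)=0x05 CMD(1)=0x01 RSV(1)=0x00 ATYP(1) DST.ADDR(var) DST.PORT(2).
    Returns None for anything that is not a well-formed CONNECT request,
    including the initial method-selection greeting, which is shorter and
    has no CMD field.
    """
    if len(data) < 4 or data[0] != 0x05 or data[1] != 0x01 or data[2] != 0x00:
        return None
    atyp = data[3]
    if atyp == 0x01:                                # IPv4, 4 bytes
        if len(data) < 10:
            return None
        host, end = socket.inet_ntoa(data[4:8]), 8
    elif atyp == 0x03:                              # domain, length-prefixed
        n = data[4]
        if len(data) < 5 + n + 2:
            return None
        host, end = data[5:5 + n].decode("ascii", "replace"), 5 + n
    elif atyp == 0x04:                              # IPv6, 16 bytes
        if len(data) < 22:
            return None
        host, end = socket.inet_ntop(socket.AF_INET6, data[4:20]), 20
    else:
        return None
    (port,) = struct.unpack("!H", data[end:end + 2])
    return Socks5Connect(atyp, host, port)


# Constructed sample streams: (where it was seen, first payload bytes).
SAMPLE_STREAMS: List[Tuple[str, bytes]] = [
    ("lo tcp -> 127.0.0.1:8080", b"GET /gate HTTP/1.1\r\nHost: c2-node.adnl\r\n\r\n"),
    ("wlan tcp 203.0.113.7 -> :1080", b"\x05\x01\x00\x03" + bytes([12]) + b"bank.example" + struct.pack("!H", 443)),
    ("lo tcp -> 127.0.0.1:8080", b"GET / HTTP/1.1\r\nHost: www.example.org\r\n\r\n"),
    ("wlan tcp 203.0.113.7 -> :1080", b"\x05\x02\x00\x02"),   # SOCKS5 greeting only
]


def triage(streams: List[Tuple[str, bytes]]) -> List[str]:
    """Return one finding per stream that matches either indicator."""
    findings = []
    for label, payload in streams:
        host = adnl_host_from_http(payload)
        if host:
            findings.append(f"{label}: HTTP to TON name {host} (C2 via local TON proxy?)")
        req = parse_socks5_connect(payload)
        if req:
            findings.append(f"{label}: SOCKS5 CONNECT {req.dst_host}:{req.dst_port} (device used as relay?)")
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_STREAMS):
        print(finding)
```

The greeting check matters in practice: a SOCKS5 session opens with a method-selection message whose second byte is a method count, not a command, so a parser that only tests the version byte will misreport the greeting as a CONNECT. Run over a real capture, the same two functions would be applied to the first bytes of each TCP stream on the loopback interface and on the listening port used by the relay.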
WHY IT MATTERS
The latest variant shows Android banking malware expanding beyond credential theft into network access and traffic relay. That widens the operational risk for victims, whose phones become entry points into the networks they join, and makes detection and blocking harder for defenders because the C2 channel hides inside legitimate TON traffic.