VYPR Research · Published May 12, 2026 · Updated May 18, 2026 · 1 source

New TrickMo Android Trojan Variant Uses TON Blockchain for Stealthy C2 and Turns Devices into Network Pivots

A new variant of the TrickMo Android banking trojan leverages The Open Network (TON) blockchain for stealthy command-and-control and turns infected devices into SOCKS5 proxies and network pivots.

Cybersecurity researchers have uncovered a new variant of the TrickMo Android banking trojan that marks a significant evolution in mobile malware capabilities. Dubbed TrickMo C by ThreatFabric, the malware leverages The Open Network (TON) blockchain for stealthy command-and-control (C2) communications and transforms infected devices into programmable network pivots and traffic-exit nodes. The variant was observed actively targeting banking and cryptocurrency wallet users in France, Italy, and Austria between January and February 2026.

TrickMo has been active since late 2019, initially flagged by CERT-Bund and IBM X-Force for its ability to abuse Android's accessibility services to hijack one-time passwords (OTPs). Over the years, it has evolved to include credential phishing, keylogging, screen recording, live screen streaming, and SMS interception, granting attackers complete remote control of infected devices. The new TrickMo C variant, however, represents a strategic shift from a traditional banking trojan to a more versatile foothold tool.

The most notable architectural change in TrickMo C is its use of the TON decentralized blockchain for C2 communications. The malware carries an embedded native TON proxy that starts on a loopback port when the host APK runs. Every outbound C2 request is addressed to an .adnl hostname and resolved through the TON overlay network. This approach reduces the effectiveness of traditional takedown and network-blocking efforts, as the traffic blends with legitimate TON activity and avoids reliance on conventional DNS and public internet infrastructure.

TrickMo C is distributed via phishing websites and dropper apps that masquerade as adult-friendly versions of TikTok, promoted through Facebook. The actual malware impersonates Google Play Services using package names such as com.app16330.core20461 or com.app15318.core1173 for the dropper, and uncle.collop416.wifekin78 or nibong.lida531.butler836 for the TrickMo payload. At runtime, the dropper retrieves a dynamically loaded APK ("dex.module") from attacker-controlled infrastructure.

The new dex.module replaces the previous socket.io-based remote control channel with a network-operative subsystem that includes commands like curl, dnslookup, ping, telnet, and traceroute. This gives attackers a remote shell-equivalent for network reconnaissance from the victim's network position, including any internal corporate or home network the device is associated with. Additionally, the malware includes a SOCKS5 proxy that turns the compromised device into a network exit node, routing malicious traffic while defeating IP-based fraud-detection signatures on banking, e-commerce, and cryptocurrency exchange services.
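The indicators in the three preceding paragraphs (the dropper and payload package names, the .adnl hostnames used for C2, and the SOCKS5 proxy) lend themselves to a simple triage routine. The following is an added example written for this page; it is not code from ThreatFabric, Vypr, or the malware itself. It assumes `adb shell pm list packages` output in its standard `package:<name>` form, a constructed connection log whose line layout is mine, and an RFC 1928 SOCKS5 client greeting; the regular expression treating `com.app<digits>.core<digits>` as a dropper naming shape is an assumption drawn from the two names quoted above, not something the article states.

```python
"""Triage helper for the TrickMo C indicators described in the write-up.

Added example, not code from the article, ThreatFabric, or Vypr.
"""
import re
from typing import Iterable

# Package names quoted in the write-up.
DROPPER_PACKAGES = {"com.app16330.core20461", "com.app15318.core1173"}
PAYLOAD_PACKAGES = {"uncle.collop416.wifekin78", "nibong.lida531.butler836"}

# Assumption (mine, not stated in the article): both quoted dropper names share a
# com.app<digits>.core<digits> shape, so near-misses are reported as "suspicious"
# rather than "known".
DROPPER_SHAPE = re.compile(r"^com\.app\d+\.core\d+$")

# The write-up says every C2 request is addressed to an .adnl hostname.
ADNL_HOST = re.compile(r"\b[a-z0-9]+\.adnl\b", re.IGNORECASE)


def triage_packages(pm_output: str) -> dict:
    """Classify lines of `adb shell pm list packages` output (format 'package:<name>')."""
    known, suspicious = [], []
    for line in pm_output.splitlines():
        line = line.strip()
        if not line.startswith("package:"):
            continue
        name = line[len("package:"):]
        if name in DROPPER_PACKAGES or name in PAYLOAD_PACKAGES:
            known.append(name)
        elif DROPPER_SHAPE.match(name):
            suspicious.append(name)
    return {"known": known, "suspicious": suspicious}


def find_adnl_destinations(log_lines: Iterable[str]) -> list:
    """Return (line_number, hostname) for every .adnl destination in a connection log."""
    hits = []
    for number, line in enumerate(log_lines, 1):
        for match in ADNL_HOST.finditer(line):
            hits.append((number, match.group(0).lower()))
    return hits


def parse_socks5_greeting(payload: bytes):
    """Decode an RFC 1928 client greeting: VER (0x05), NMETHODS, METHODS[NMETHODS].

    Returns None if the bytes are not a SOCKS5 greeting. Method 0x00 is "no
    authentication", 0x02 is username/password; a client offering only 0x02 is
    talking to the kind of authenticated proxy the write-up describes.
    """
    if len(payload) < 2 or payload[0] != 0x05:
        return None
    count = payload[1]
    if len(payload) < 2 + count:
        return None
    methods = list(payload[2:2 + count])
    return {
        "methods": methods,
        "offers_no_auth": 0x00 in methods,
        "offers_userpass": 0x02 in methods,
    }


# Constructed sample inputs (not real device or capture data).
SAMPLE_PM_OUTPUT = """\
package:com.android.chrome
package:com.google.android.gms
package:uncle.collop416.wifekin78
package:com.app99999.core12345
"""

SAMPLE_CONN_LOG = [
    "2026-02-03T10:14:02Z uid=10231 dst=www.example.com:443",
    "2026-02-03T10:14:07Z uid=10288 dst=AbC123xyz.adnl:443",
]

SAMPLE_SOCKS5_GREETING = b"\x05\x01\x02"  # one method offered: username/password


if __name__ == "__main__":
    print(triage_packages(SAMPLE_PM_OUTPUT))
    print(find_adnl_destinations(SAMPLE_CONN_LOG))
    print(parse_socks5_greeting(SAMPLE_SOCKS5_GREETING))
```

The package check is the cheapest of the three and the most brittle: the article notes the dropper impersonates Google Play Services, so the names are chosen to look unremarkable and will change between campaigns. The .adnl match is more durable because it reflects the C2 design rather than a particular build, but it only helps where device traffic is visible to a resolver or proxy log in the first place.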

ThreatFabric also noted that TrickMo C includes two dormant features: the Pine hooking framework and extensive NFC-related permissions, neither of which is currently implemented. This suggests the developers are planning to expand the trojan's capabilities in the future, potentially enabling NFC-based attacks or more advanced hooking techniques. The combination of SSH tunnelling and authenticated SOCKS5 proxying effectively turns compromised phones into programmable network pivots whose connections originate from the victim's own network environment, making detection significantly harder.

The emergence of TrickMo C highlights a growing trend in mobile malware: the convergence of banking trojan functionality with network pivot capabilities. By leveraging blockchain-based C2 and turning infected devices into exit nodes, attackers can bypass traditional fraud detection and maintain persistent, stealthy access. Organizations and users in the affected regions should remain vigilant and ensure that Android devices are protected against sideloaded applications and phishing campaigns.

Synthesized by Vypr AI