TrickMo Android Banker Adopts TON Blockchain for Covert Communications
A new variant of the TrickMo Android banking malware is using The Open Network (TON) blockchain to hide its command-and-control traffic, allowing it to evade traditional network detection and takedown efforts.

A new variant of the TrickMo Android banking malware, identified by researchers as 'Trickmo.C', has begun utilizing The Open Network (TON) blockchain to facilitate stealthy command-and-control (C2) communications (BleepingComputer). First observed in 2019, TrickMo has undergone continuous development, with the latest iteration specifically targeting users in France, Italy, and Austria through malicious apps disguised as TikTok or streaming services (BleepingComputer).
The technical core of this update involves the use of .ADNL addresses routed through a local TON proxy embedded directly within the infected device. By leveraging TON's decentralized peer-to-peer network, the malware operators can bypass traditional DNS hierarchies, effectively hiding the IP addresses and communication ports of their infrastructure (BleepingComputer). ThreatFabric researchers note that this approach renders standard domain takedowns ineffective, as the traffic is encrypted and appears indistinguishable from legitimate TON-enabled application flows at the network edge (BleepingComputer).
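One defensive heuristic that follows from the DNS bypass described above is to look for apps that open connections to public addresses they never resolved through DNS. The Python example below is added here for illustration and is not from the original report or from ThreatFabric; the per-app event log format, package names and addresses are constructed for this example.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample of per-app network events (not real TrickMo telemetry).
# "dns" lines record a resolution an app performed; "conn" lines record a
# connection the same app opened. The format is an assumption for this example.
SAMPLE_LOG = """\
2026-01-10T10:00:01Z dns  pkg=com.example.stream q=cdn.example.net a=203.0.113.10
2026-01-10T10:00:02Z conn pkg=com.example.stream dst=203.0.113.10:443 proto=tcp
2026-01-10T10:00:04Z conn pkg=com.example.stream dst=127.0.0.1:8080 proto=tcp
2026-01-10T10:00:05Z conn pkg=com.example.stream dst=198.51.100.7:4443 proto=udp
2026-01-10T10:00:06Z conn pkg=com.example.stream dst=198.51.100.9:4443 proto=udp
2026-01-10T10:00:07Z dns  pkg=com.example.bank q=api.bank.example a=192.0.2.25
2026-01-10T10:00:08Z conn pkg=com.example.bank dst=192.0.2.25:443 proto=tcp
"""

LINE_RE = re.compile(r"^(\S+)\s+(dns|conn)\s+pkg=(\S+)\s+(.*)$")

# Destinations treated as local: loopback (an embedded proxy hop is common for
# benign apps too), RFC 1918 and link-local ranges.
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16")]

def parse_line(line):
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, kind, pkg, rest = m.groups()
    fields = dict(kv.split("=", 1) for kv in rest.split())
    return {"ts": ts, "kind": kind, "pkg": pkg, **fields}

def find_unresolved_connections(log_text):
    """Return (pkg, ip, port, proto) for connections to non-local addresses
    that the same app did not obtain from a preceding DNS answer."""
    resolved = defaultdict(set)  # pkg -> IPs seen in that app's DNS answers
    hits = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        if ev["kind"] == "dns":
            resolved[ev["pkg"]].add(ev["a"])
            continue
        ip_str, port = ev["dst"].rsplit(":", 1)
        ip = ipaddress.ip_address(ip_str)
        if any(ip in net for net in LOCAL_NETS):
            continue
        if ip_str not in resolved[ev["pkg"]]:
            hits.append((ev["pkg"], ip_str, int(port), ev.get("proto", "?")))
    return hits

def summarize(hits):
    """Group hits per package so one app with many DNS-less peers stands out."""
    per_pkg = defaultdict(list)
    for pkg, ip, port, proto in hits:
        per_pkg[pkg].append((ip, port, proto))
    return dict(per_pkg)
```

Peer-to-peer transports legitimately produce DNS-less connections, so treat the output as a triage signal to combine with app reputation rather than a verdict on its own.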
TrickMo maintains a modular, two-stage architecture consisting of a host APK for persistence and a secondary, runtime-downloaded module for offensive operations. Beyond its established capabilities—which include phishing overlays, keylogging, screen recording, SMS interception, and OTP suppression—the new variant introduces advanced networking commands (BleepingComputer). These include support for curl, dnsLookup, ping, telnet, traceroute, SSH tunneling, and remote or local port forwarding, alongside authenticated SOCKS5 proxy support (BleepingComputer).
While the malware also declares extensive NFC permissions and includes the Pine runtime hooking framework, researchers have observed no active NFC functionality or live hooks at this time (BleepingComputer). The campaign remains active, with ThreatFabric having tracked this specific version since January 2026. This follows a broader trend of persistent activity, as Zimperium previously analyzed 40 variants of the malware across 16 different droppers in October 2024 (BleepingComputer).
To mitigate the risk of infection, users are advised to restrict app installations to the official Google Play store and ensure that Google Play Protect remains active at all times (BleepingComputer). Experts also recommend limiting the total number of applications on mobile devices and verifying the reputation of publishers before installation (BleepingComputer).
The adoption of decentralized infrastructure like TON by established banking trojans represents a significant evolution in malware resilience. By moving away from public internet servers, threat actors are increasingly complicating the efforts of security researchers and law enforcement to identify and dismantle C2 infrastructure. This shift suggests that future mobile threats will likely prioritize obfuscation techniques that blend malicious traffic with legitimate decentralized network protocols.