top of page

TrickMo Android Trojan Evolves with TON Network C2 Infrastructure and SOCKS5 Pivoting

  • May 12
  • 3 min read

Key Findings


  • New TrickMo variant observed January-February 2026 targeting banking and cryptocurrency users in France, Italy, and Austria

  • Malware now routes command-and-control traffic through The Open Network (TON) blockchain instead of conventional internet infrastructure

  • Runtime-loaded APK module includes new network reconnaissance, SSH tunneling, and SOCKS5 proxy capabilities that turn infected devices into network pivots

  • Embedded TON proxy on infected phones makes malicious traffic blend with legitimate TON activity, complicating detection and takedown efforts

  • Advanced networking features enable attackers to perform DNS lookups, ping systems, trace routes, and conduct reconnaissance from victim's network position

  • Two dormant features suggest developers planning future capability expansion including NFC functionality


Background


TrickMo emerged as a device takeover malware in late 2019, earning early attention from CERT-Bund and IBM X-Force for its ability to abuse Android accessibility services. The trojan has evolved from a traditional banking credential stealer into a sophisticated platform for remote device control. Early variants demonstrated the ability to hijack one-time passwords, phish credentials, log keystrokes, record screens, facilitate live streaming, and intercept SMS messages. Distribution has historically relied on phishing websites and dropper apps that masquerade as legitimate applications like TikTok through Facebook ads.


Architectural Shift to TON


The most significant change in this latest variant involves moving command-and-control communications off the conventional internet entirely onto The Open Network. Rather than relying on standard DNS and public servers, TrickMo now communicates through .adnl endpoints routed via an embedded local TON proxy running on the infected device. This decentralized peer-to-peer overlay network, originally built for Telegram, uses its own routing and naming layer rather than the traditional DNS system. The approach dramatically reduces the effectiveness of traditional network-blocking and takedown efforts while making malicious traffic indistinguishable from legitimate TON activity.


Distribution and Masquerading


TrickMo C spreads through phishing websites and dropper applications that impersonate popular services. Dropper apps masquerade as adult-friendly versions of TikTok promoted on Facebook, while the actual malware payload poses as Google Play Services under package names like com.app16330.core20461. The malware itself uses obfuscated identifiers such as uncle.collop416.wifekin78 and nibong.lida531.butler836. This distribution method leverages social engineering to trick users into installing the initial dropper, which then retrieves the dynamically loaded APK module at runtime from attacker-controlled infrastructure.


Modular Design and Runtime Loading


The malware maintains a runtime-loaded APK approach labeled "dex.module" that grants operators significant flexibility in capability deployment. The main application functions primarily as a launcher and persistence layer, while additional malicious functionality downloads separately as modules. This architecture allows attackers to add new features without requiring victims to reinstall the malware, creating a resilient and adaptable platform that can evolve based on operational needs.


Network Reconnaissance and Pivoting


Beyond traditional banking trojan capabilities, the new variant introduces a network-operative subsystem that transforms compromised devices into reconnaissance tools. Operators can execute commands including curl for HTTP probing, dnslookup for DNS resolution, ping for network connectivity testing, telnet for service probing, and traceroute for network mapping. This functionality provides attackers with what ThreatFabric describes as a "remote shell-equivalent for network reconnaissance from the victim's network position," enabling them to map and probe internal corporate or home networks from the compromised device's vantage point.


SOCKS5 Proxying and Traffic Exit Nodes


The inclusion of authenticated SOCKS5 proxy functionality represents a significant operational upgrade. Compromised devices effectively become programmable network pivots and traffic-exit nodes, routing malicious traffic through the victim's own network environment. This capability defeats IP-based fraud-detection systems used by banking, e-commerce, and cryptocurrency exchange services by making attacks originate from legitimate residential or corporate networks rather than obvious attacker infrastructure.


Banking Trojan Capabilities


TrickMo retains all its traditional dangerous functionality despite architectural changes. With accessibility permissions granted, operators achieve near-complete remote control of the device. The malware can display fake banking login pages overlay legitimate apps, capture keystrokes as users type credentials, intercept SMS verification codes, monitor notifications, record video of screen activity, and remotely control the phone's interface. These capabilities remain the foundation for direct financial fraud against banking and cryptocurrency wallet users.


Future Development Indicators


The malware includes two dormant features that suggest developers are planning significant capability expansion. The first bundles the Pine hooking framework, while the second declares extensive NFC-related permissions. Neither feature is currently implemented or functional, indicating these represent planned additions for future variants. This forward-looking development approach demonstrates the malware authors' intent to continuously evolve the platform with new attack vectors.


Evolution Beyond Banking Trojan


Security researchers now frame TrickMo as a "managed foothold" platform rather than a traditional banking trojan. The combination of remote device control, network reconnaissance, traffic proxying, and modular architecture creates a flexible cybercrime platform capable of supporting multiple operational objectives. Instead of focusing on flashy new features, developers deliberately re-engineered the platform for stealth, resilience, and operator reach, prioritizing long-term persistence and control over immediate financial gain.


Sources


  • https://thehackernews.com/2026/05/new-trickmo-variant-uses-ton-c2-and.html

  • https://securityaffairs.com/192003/malware/android-banking-trojan-trickmo-evolves-using-ton-network-for-c2.html

  • https://x.com/shah_sheikh/status/2053857064737526015/photo/1

Recent Posts

See All

Comments


  • Youtube

© 2025 by Explain IT Again. Powered and secured by Wix

bottom of page