Researchers at ThreatFabric have identified a new variant of the Android trojan TrickMo, which uses the decentralized network The Open Network (TON) to control infected devices. The variant, designated TrickMo C, was observed in January–February 2026 and, according to the researchers, targets users of banking apps and cryptocurrency wallets in France, Italy, and Austria. The fundamental difference from previous versions is its transformation from a classic banking trojan into a tool for building controllable network footholds: infected devices are turned into proxy nodes and traffic exit points.
Architectural shift: TON as a control channel
TrickMo is a family of Device Takeover (DTO) malware active since late 2019. The trojan abuses Android Accessibility Services to intercept one-time passwords, steal credentials, record the screen, intercept SMS messages, and provide full remote control of the device.
The key innovation in the TrickMo C variant is the move to the decentralized TON blockchain for command-and-control (C2) communications. According to ThreatFabric, the malware contains an embedded native TON proxy, which is launched on a local loopback port when the process starts. The trojan’s HTTP client routes all outgoing C2 requests through this proxy, contacting hosts in the .adnl zone, which are resolved via the TON overlay network.
This architecture, the researchers note, reduces the effectiveness of traditional infrastructure blocking and takedown methods, as the traffic is blended with legitimate activity on the TON network. Unlike standard C2 servers hosted on public domains or IP addresses, .adnl endpoints cannot be blocked via DNS filtering or domain seizures.
New networking capabilities
Previous TrickMo versions used a dynamically loaded module called dex.module to implement remote control over a socket.io-based channel. The updated variant keeps this module but augments it with a networking subsystem that introduces fundamentally different capabilities:
- Network reconnaissance — support for curl, dnslookup, ping, telnet, and traceroute commands, giving the attacker the equivalent of a remote shell to explore the victim’s network, including internal corporate and home networks
- SSH tunneling — the ability to create encrypted tunnels through the infected device
- Authenticated SOCKS5 proxy — turning the compromised smartphone into a traffic egress node through which attackers can route malicious requests
The SOCKS5 proxy feature deserves particular attention. When fraudulent transactions or account login attempts are carried out through the victim’s own IP address, fraud detection systems that rely on IP analysis lose effectiveness. To a bank or cryptocurrency exchange, the request appears to originate from the user’s normal network.
Distribution and masquerading
TrickMo C is distributed via phishing sites and dropper apps. According to ThreatFabric, the droppers masquerade as “adult” versions of TikTok, while the trojan itself impersonates Google Play Services. The identified package names are:
- Droppers: com.app16330.core20461, com.app15318.core1173
- Trojan: uncle.collop416.wifekin78, nibong.lida531.butler836
A dropper sample is available on VirusTotal (SHA-256: 01889a9ec2abecb73e5e8792be68a4e3bc7dcbe1c3f19ac06763682d63aa8c21).
Inactive modules: a signal of future development
The researchers found two inactive components in the code: integration with the Pine interception framework and declared extended NFC permissions. Neither is functionally implemented yet. This may indicate that the developers plan to expand the trojan’s capabilities — in particular, the potential interception of NFC transactions to attack contactless payments. However, this is only an analytical assumption, not a confirmed fact.
Impact assessment
The evolution of TrickMo reflects a trend in which mobile banking trojans go beyond credential theft and become tools for building network infrastructure. A compromised device on a corporate Wi‑Fi network turns into an entry point for reconnaissance of internal infrastructure. A device on a home network becomes an anonymizing proxy for fraudulent operations.
The highest risk is posed to:
- Android users in France, Italy, and Austria who use banking apps and cryptocurrency wallets
- Organizations that allow personal mobile devices to connect to corporate networks (BYOD)
- Cryptocurrency exchanges and payment services that rely on IP reputation as a fraud detection factor
Security recommendations
- Install apps only from official sources — Google Play Store. Do not download APK files from third-party sites, especially those offering “modified” versions of popular apps
- Review permissions — if an app posing as Google Play Services requests access to Accessibility Services, this is a sign of compromise
- Monitor network traffic — anomalous outbound traffic to .adnl endpoints or unusual TON protocol activity on mobile devices should be treated as an indicator of infection
- Network segmentation — isolate mobile devices from critical segments of corporate infrastructure. BYOD policies should account for the risk of a device being used as a network foothold
- Multi-factor authentication — use hardware tokens or authenticator apps instead of SMS codes, which TrickMo is capable of intercepting
- Check IOCs — compare the hashes and package names listed above against MDM system logs and endpoint protection tools
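As an added example (this is not ThreatFabric's code and is not taken from the report), the following Python script applies the last two recommendations together: it compares an MDM app-inventory export against the package names and dropper hash quoted above, flags any outbound connection to a host in the .adnl zone, and lists the devices that warrant quarantine. The CSV column names, the log line format, the device ids, the .adnl hostnames and every hash other than the published dropper hash are constructed assumptions for the sample data.

```python
import csv
import io
import re

# Indicators published in the ThreatFabric report and quoted in the article above.
TRICKMO_PACKAGES = {
    "com.app16330.core20461": "dropper",
    "com.app15318.core1173": "dropper",
    "uncle.collop416.wifekin78": "trojan",
    "nibong.lida531.butler836": "trojan",
}
TRICKMO_SHA256 = {
    "01889a9ec2abecb73e5e8792be68a4e3bc7dcbe1c3f19ac06763682d63aa8c21": "dropper",
}

# A hostname whose final label is "adnl" (e.g. "something.adnl"). Names that merely
# contain an "adnl" label in the middle, such as "x.adnl.example.net", do not match.
ADNL_HOST = re.compile(r"(?<![\w.-])(?:[a-z0-9][a-z0-9-]*\.)+adnl(?![\w.-])", re.IGNORECASE)

# Constructed sample MDM app-inventory export. The column names are an assumption;
# map them to whatever your MDM actually exports. All hashes except the published
# dropper hash are placeholders.
SAMPLE_INVENTORY = """\
device_id,package,apk_sha256
phone-0007,com.android.vending,0000000000000000000000000000000000000000000000000000000000000001
phone-0007,uncle.collop416.wifekin78,0000000000000000000000000000000000000000000000000000000000000002
phone-0012,com.app16330.core20461,01889a9ec2abecb73e5e8792be68a4e3bc7dcbe1c3f19ac06763682d63aa8c21
phone-0019,com.example.bank,0000000000000000000000000000000000000000000000000000000000000003
"""

# Constructed sample of a per-device outbound-connection log. The format
# "<timestamp> <device_id> dst=<host> port=<n> ..." is assumed (what an MTD agent or
# on-device VPN might record); the .adnl names are invented for the example.
SAMPLE_LOG = """\
2026-02-03T10:21:07Z phone-0012 dst=example-c2.adnl port=80 bytes=1844
2026-02-03T10:21:09Z phone-0019 dst=play.googleapis.com port=443 bytes=512
2026-02-03T10:22:41Z phone-0007 dst=update-node.adnl port=443 bytes=302
2026-02-03T10:23:00Z phone-0019 dst=cdn.adnl.example.net port=443 bytes=99
""".splitlines()


def scan_mdm_inventory(csv_text):
    """Match each inventory row against the published package names and APK hash.
    Returns one (device_id, package, reason) tuple per indicator that matched."""
    hits = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        pkg = row["package"].strip()
        digest = row["apk_sha256"].strip().lower()
        if pkg in TRICKMO_PACKAGES:
            hits.append((row["device_id"], pkg, f"package name: TrickMo {TRICKMO_PACKAGES[pkg]}"))
        if digest in TRICKMO_SHA256:
            hits.append((row["device_id"], pkg, f"apk hash: TrickMo {TRICKMO_SHA256[digest]}"))
    return hits


def scan_destination_log(lines):
    """Return (device_id, host) for every log line whose destination is in the .adnl zone."""
    hits = []
    for line in lines:
        match = ADNL_HOST.search(line)
        if match:
            parts = line.split()
            device = parts[1] if len(parts) > 1 else "unknown"
            hits.append((device, match.group(0).lower()))
    return hits


def devices_to_isolate(inventory_hits, log_hits):
    """Sorted set of device ids with at least one indicator, for the quarantine step."""
    return sorted({h[0] for h in inventory_hits} | {h[0] for h in log_hits})


if __name__ == "__main__":
    inv = scan_mdm_inventory(SAMPLE_INVENTORY)
    net = scan_destination_log(SAMPLE_LOG)
    for device, pkg, reason in inv:
        print(f"[IOC] {device}: {pkg} ({reason})")
    for device, host in net:
        print(f"[NET] {device}: outbound connection to {host}")
    print("quarantine candidates:", devices_to_isolate(inv, net))
```

One caveat when choosing the input for the second check: because TrickMo C resolves .adnl names inside its embedded TON proxy rather than through the device's DNS resolver, ordinary DNS query logs and DNS-based blocklists will not show these names. Feed the check with a log that records the destination hostname as seen on the device itself (a mobile threat defense agent or an on-device VPN profile), and treat any hit as grounds for the MDM quarantine and segmentation steps above.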
TrickMo’s move to blockchain infrastructure for C2 communications and the transformation of infected devices into network proxies represents a qualitative increase in threat complexity that requires a rethink of detection approaches. Organizations that allow mobile devices onto corporate networks should immediately check for the indicators of compromise mentioned above and ensure that segmentation policies prevent a smartphone from being used as an entry point for reconnaissance of internal infrastructure.