PROBABLYPWNED
Malware · May 12, 2026 · 5 min read

TrickMo Banking Trojan Moves C2 to Telegram's TON Blockchain

A new TrickMo variant routes Android trojan traffic through The Open Network, making domain takedowns ineffective. The malware adds SSH tunneling and SOCKS5 proxy capabilities for network pivoting.

James Rivera

TrickMo has adopted blockchain for command-and-control communications, routing traffic through The Open Network (TON) to evade traditional takedown efforts. The new variant—identified by ThreatFabric as TrickMo.C—has been active since January 2026, targeting banking and cryptocurrency users across France, Italy, and Austria.

This evolution makes TrickMo significantly harder to disrupt. Traditional domain seizures are ineffective against decentralized infrastructure, and the malware's new network tunneling capabilities transform infected devices into programmable pivot points for attackers.

TL;DR

  • What happened: TrickMo Android banking trojan now uses TON blockchain for C2 communications
  • Who's affected: Banking and crypto wallet users in France, Italy, and Austria
  • Severity: High - adds SSH tunneling, SOCKS5 proxy, and network reconnaissance capabilities
  • Action required: Only install apps from Google Play, keep Play Protect enabled, verify app publishers

What is TrickMo?

TrickMo first emerged in 2019 as a banking trojan targeting German users. It evolved from basic SMS interception to become a full device takeover platform capable of stealing credentials through overlay attacks, recording screens, and bypassing two-factor authentication by intercepting OTPs.

The malware has historically spread through phishing campaigns and fake app stores. Once installed, TrickMo requests accessibility permissions that give it broad control over the device—including the ability to read screen content, perform gestures, and intercept notifications.

Why TON Changes Everything

Previous TrickMo variants relied on traditional domain-based infrastructure for C2 communications. Law enforcement and security vendors could identify these domains and work with registrars to seize them, disrupting the botnet's operation.

The TON-based variant uses .adnl addresses—identities that exist within the decentralized overlay network rather than the public DNS hierarchy. As BleepingComputer reports, "traditional domain takedowns are largely ineffective because the operator's endpoints do not rely on the public DNS hierarchy."

The malware runs an embedded local TON proxy on infected devices, routing C2 traffic through the overlay network. This makes the infrastructure:

  • Resistant to takedowns: No domains to seize
  • Difficult to fingerprint: Traffic blends with legitimate TON activity
  • Globally distributed: Relies on decentralized infrastructure

ThreatFabric emphasized that TON itself is a legitimate platform originally built for Telegram. The abuse is entirely on TrickMo's operators, not the network's developers.

New Capabilities in TrickMo.C

Beyond the C2 changes, the latest variant adds network-oriented functionality that expands what attackers can do with infected devices:

  Capability                Function
  Network Reconnaissance    curl, dnsLookup, ping, telnet, traceroute
  SSH Tunneling             Encrypted tunnels from infected devices
  Port Forwarding           Remote and local port forwarding
  SOCKS5 Proxy              Authenticated proxy capability

These features transform infected phones into network pivot points. Attackers can use compromised devices as exit nodes for other malicious traffic, or tunnel into corporate networks when employees connect to work systems from their phones.
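One way a network defender can look for the pivoting behaviour described above is to inspect the first payload bytes of TCP sessions that involve the phone Wi-Fi segment and flag SSH connections a phone initiates, or SOCKS5 greetings a phone accepts. The script below is an added example written for this article; it is not TrickMo code, a ThreatFabric detection, or any vendor's rule. The network ranges (10.50.0.0/16 as the BYOD segment, 10.0.0.0/8 as internal), the sensor providing initiator payload bytes, and the sample sessions are all constructed assumptions.

```python
"""Flag SSH and SOCKS5 sessions that involve devices on a mobile/BYOD segment.

Added example for this article (not TrickMo code or a vendor detection). It
inspects the first initiator->responder payload bytes of each TCP session, the
kind of data a sensor with payload sampling can provide. Network ranges and
sample sessions are constructed assumptions.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Assumptions about the monitored network (adjust to your environment).
MOBILE_SEGMENT = ipaddress.ip_network("10.50.0.0/16")   # BYOD / phone Wi-Fi VLAN
CORP_NETWORKS = [ipaddress.ip_network("10.0.0.0/8")]    # everything considered internal

# RFC 1928 authentication method identifiers offered in a SOCKS5 client greeting
SOCKS5_METHODS = {0x00: "no-auth", 0x01: "gssapi", 0x02: "username/password"}


@dataclass
class Session:
    src: str
    sport: int
    dst: str
    dport: int
    first_bytes: bytes  # first payload bytes sent by the initiator


def is_ssh_banner(data: bytes) -> bool:
    """Both SSH peers open with an identification string starting 'SSH-'."""
    return data.startswith(b"SSH-")


def socks5_methods(data: bytes) -> Optional[List[int]]:
    """Parse a SOCKS5 greeting (VER=5, NMETHODS, METHODS...); None if it is not one."""
    if len(data) < 3 or data[0] != 0x05:
        return None
    nmethods = data[1]
    if nmethods == 0 or len(data) < 2 + nmethods:
        return None  # truncated or malformed greeting
    return list(data[2:2 + nmethods])


def in_segment(addr: str, networks) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in networks)


def classify(s: Session) -> List[str]:
    """Return human-readable findings for one session (empty if nothing notable)."""
    src_mobile = in_segment(s.src, [MOBILE_SEGMENT])
    dst_mobile = in_segment(s.dst, [MOBILE_SEGMENT])
    if not (src_mobile or dst_mobile):
        return []  # only sessions touching a phone are in scope for this check
    findings = []
    if is_ssh_banner(s.first_bytes):
        if src_mobile and not in_segment(s.dst, CORP_NETWORKS):
            findings.append(f"{s.src} opened outbound SSH to external {s.dst}:{s.dport} "
                            "(phone-originated SSH tunnel is unusual)")
        elif src_mobile:
            findings.append(f"{s.src} opened SSH to internal host {s.dst}:{s.dport} "
                            "(phone reaching infrastructure over SSH)")
        else:
            findings.append(f"{s.dst}:{s.dport} accepted an SSH connection from {s.src} "
                            "(phone acting as SSH server)")
    methods = socks5_methods(s.first_bytes)
    if methods is not None and dst_mobile:
        names = ", ".join(SOCKS5_METHODS.get(m, f"0x{m:02x}") for m in methods)
        findings.append(f"{s.dst}:{s.dport} received a SOCKS5 greeting from {s.src} "
                        f"(phone acting as SOCKS5 proxy; methods offered: {names})")
    return findings


def scan(sessions: List[Session]) -> List[str]:
    return [f for s in sessions for f in classify(s)]


# Constructed sample sessions: the first three should be flagged, the last two are benign.
SAMPLE_SESSIONS = [
    Session("10.50.3.21", 41022, "203.0.113.9", 22, b"SSH-2.0-OpenSSH_9.6\r\n"),
    Session("10.50.3.21", 41100, "10.20.1.5", 22, b"SSH-2.0-dropbear\r\n"),
    Session("10.60.4.8", 55000, "10.50.3.21", 1080, b"\x05\x02\x00\x02"),
    Session("10.50.3.22", 52000, "142.250.0.1", 443, b"\x16\x03\x01\x02\x00\x01\x00\x01\xfc"),
    Session("10.20.1.10", 40000, "10.20.1.5", 22, b"SSH-2.0-OpenSSH_9.6\r\n"),
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_SESSIONS):
        print(finding)
```

The check is deliberately narrow: it keys on protocol banners rather than ports, so an SSH tunnel on 443 or a SOCKS5 listener on an arbitrary port is still caught, while a laptop's normal SSH use is ignored. It will not see traffic that is already encapsulated inside the TON overlay; its value is in spotting the phone's side of a tunnel or proxy session on a network you control.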

Original Capabilities Retained

The core banking trojan functionality remains intact:

  • Phishing overlays: Fake login screens for 500+ banking and crypto apps
  • Keylogging: Records all user input
  • Screen recording: Captures video of sensitive activities
  • SMS interception: Steals one-time passwords
  • Clipboard modification: Can alter copied wallet addresses
  • Accessibility abuse: Performs actions without user interaction

For organizations concerned about mobile threats, our malware defense guide covers detection and prevention strategies.

Distribution and Targeting

ThreatFabric tracked this variant between January and February 2026 in active campaigns against users in France, Italy, and Austria. The malware disguises itself as:

  • TikTok applications
  • Streaming service apps
  • Other popular media applications

None of these fake apps appear on Google Play. Distribution relies on third-party app stores, direct APK downloads, and phishing messages directing users to sideload the malware.

The geographic targeting—Western European financial centers—suggests operators focused on accounts with significant balances. This pattern aligns with other banking trojans we've covered in recent malware campaigns.

Protection Recommendations

  1. Install only from Google Play - Avoid third-party stores and direct APK downloads

  2. Keep Play Protect enabled - Google's built-in malware scanner catches many variants

  3. Verify app publishers - Check developer names and review counts before installing

  4. Limit app permissions - Question why any app needs accessibility services

  5. Monitor bank accounts - Enable transaction alerts for unusual activity

  6. Use hardware security keys - When available, prefer FIDO2 over SMS 2FA

Why This Matters

TrickMo's move to blockchain infrastructure signals a broader trend. If decentralized C2 proves effective at evading takedowns, other malware families will follow. We've already seen similar evolution in desktop malware and ransomware operations.

The added network tunneling capabilities also expand the blast radius. A compromised employee phone is no longer just a credential theft risk—it becomes potential infrastructure for lateral movement into corporate networks.

Mobile banking trojans have historically been underestimated by enterprise security teams focused on endpoint protection for laptops and desktops. TrickMo.C demonstrates that mobile threats deserve equal attention.

Frequently Asked Questions

Can TrickMo steal cryptocurrency? Yes. The malware targets cryptocurrency wallet apps and can modify clipboard contents to replace legitimate wallet addresses with attacker-controlled addresses. Always verify recipient addresses before confirming transactions.

Does this affect iOS devices? No. TrickMo is an Android-specific malware family. The techniques it uses—overlay attacks, accessibility abuse, APK sideloading—don't have iOS equivalents.

How do I check if my device is infected? Review installed apps for unfamiliar entries, especially those requesting accessibility permissions. Check Settings > Accessibility for services you don't recognize. Google Play Protect can also scan for known variants.
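For anyone triaging a handset with a USB cable rather than by tapping through Settings, the same check can be made against adb output: list the enabled accessibility services and cross-reference each one's package with the installer that `pm` reports, flagging services whose package did not come from Google Play (package name com.android.vending). The script below is an added example for this article, not code from the page, from Google or from any vendor; the sample adb output is constructed, and the `OverlayService` / `com.fakeapp.streaming` names are hypothetical.

```python
"""Audit enabled Android accessibility services against their install source.

Added example for this article. Parses the output of two real adb commands:
  adb shell settings get secure enabled_accessibility_services
  adb shell pm list packages -i
and flags services belonging to packages that Google Play did not install.
The sample output and package names below are constructed.
"""
import re
import shutil
import subprocess
from typing import Dict, List, Optional, Tuple

PLAY_STORE_INSTALLER = "com.android.vending"  # Google Play's package name

# Constructed sample output in the format the two commands return on a device.
SAMPLE_ENABLED_SERVICES = (
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:"
    "com.fakeapp.streaming/.OverlayService"
)
SAMPLE_PACKAGES_I = """package:com.google.android.marvin.talkback  installer=com.android.vending
package:com.fakeapp.streaming  installer=null
package:com.android.settings  installer=null
"""


def parse_enabled_services(raw: str) -> List[str]:
    """The setting is a colon-separated list of 'package/ServiceClass' components."""
    raw = raw.strip()
    if not raw or raw == "null":
        return []
    return [component for component in raw.split(":") if component]


def parse_installers(raw: str) -> Dict[str, Optional[str]]:
    """Map package name -> installer package (None when adb prints 'null')."""
    installers: Dict[str, Optional[str]] = {}
    for line in raw.splitlines():
        match = re.match(r"package:(\S+)\s+installer=(\S+)", line.strip())
        if match:
            installer = match.group(2)
            installers[match.group(1)] = None if installer == "null" else installer
    return installers


def audit(enabled_raw: str, packages_raw: str) -> List[Tuple[str, str]]:
    """Return (component, install source) for services not installed from Google Play."""
    installers = parse_installers(packages_raw)
    findings = []
    for component in parse_enabled_services(enabled_raw):
        package = component.split("/", 1)[0]
        installer = installers.get(package)
        if installer != PLAY_STORE_INSTALLER:
            findings.append((component, installer or "unknown/sideloaded"))
    return findings


def adb_shell(*args: str) -> str:
    """Run a command on the connected device and return its stdout."""
    result = subprocess.run(["adb", "shell", *args], capture_output=True, text=True, check=True)
    return result.stdout


if __name__ == "__main__":
    if shutil.which("adb"):
        enabled = adb_shell("settings", "get", "secure", "enabled_accessibility_services")
        packages = adb_shell("pm", "list", "packages", "-i")
    else:
        enabled, packages = SAMPLE_ENABLED_SERVICES, SAMPLE_PACKAGES_I
    for component, source in audit(enabled, packages):
        print(f"REVIEW: {component} (installed by: {source})")
```

Preinstalled system apps also report installer=null, so cross-check anything flagged against `adb shell pm list packages -s` before treating it as sideloaded, and remember that a device whose accessibility service is under attacker control cannot be fully trusted to report on itself; the audit is a triage aid, not proof of a clean device.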
