Fast Facts
- The new TrickMo Android banking trojan uses the decentralized TON blockchain for covert command-and-control, evading traditional detection.
- It incorporates advanced network capabilities like SSH tunneling and SOCKS5 proxying, turning infected devices into stealthy traffic-exit nodes.
- TrickMo abuses Android accessibility services to steal OTPs, and pairs this with reconnaissance tools for deep network infiltration and remote control.
Threat Overview, Attack Techniques, and Targets
Cybersecurity researchers have identified a new version of the TrickMo Android banking trojan. This malware now uses The Open Network (TON) for command-and-control (C2) communications. The variant was observed between January and February 2026. The malware mainly targets users of banking and cryptocurrency wallets, primarily people in France, Italy, and Austria.
The TrickMo variant, called TrickMo C, relies on a runtime-loaded APK named “dex.module.” This APK adds new features such as reconnaissance, SSH tunneling, and SOCKS5 proxying, which let infected devices act as network pivots and exit nodes. The malware also uses dropper apps that pose as adult versions of TikTok. These apps conceal the actual malware, which impersonates Google Play Services.
TrickMo is an advanced device-takeover malware. It can hijack Android’s accessibility services to steal OTPs. The malware can also phish for credentials, log keystrokes, record screens, stream the screen live, and intercept SMS messages. Infections happen through dropper apps that download the malicious APK from attacker-controlled servers. What sets the new version apart is that it reaches its C2 servers through TON’s blockchain, which makes detection harder.
Impact, Security Implications, and Remediation Guidance
The new TrickMo variant can cause severe security issues. By turning infected devices into network pivots and traffic exits, attackers can hide their malicious activity behind the victim's device and IP address. This setup can bypass traditional security checks and IP-based fraud detection. The malware’s ability to perform reconnaissance and pivot into internal networks makes it especially dangerous.
Because the malware hides its C2 traffic using TON’s blockchain, it becomes harder to detect and block. Infected devices might be used for attacks on financial institutions or cryptocurrency platforms. This could lead to financial theft, data breaches, and increased cybercrime.
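Because the C2 channel itself is hard to block, one defensive option is to look for the pivot behaviour on the network instead. The following script is an added example, not code from the advisory or its researchers; it assumes flow records as (start, end, src, dst, port) tuples from a NetFlow or firewall export, and the mobile-segment range, internal ranges and thresholds are assumptions too. It flags a mobile host that holds a long-lived outbound session to one external peer while fanning out to other external destinations, the shape a reverse SSH tunnel with SOCKS5 traffic exiting through the phone would leave.

```python
"""Heuristic detection of reverse-tunnel exit-node behaviour from a mobile segment.

Added example, not from the advisory. Flow records are assumed to be
(start, end, src_ip, dst_ip, dst_port) tuples exported from NetFlow or a firewall.
"""
from ipaddress import ip_address, ip_network

MOBILE_NET = ip_network("10.20.0.0/16")          # assumed BYOD / mobile Wi-Fi segment
INTERNAL_NETS = [ip_network("10.0.0.0/8"),       # assumed internal ranges (RFC 1918)
                 ip_network("172.16.0.0/12"),
                 ip_network("192.168.0.0/16")]
LONG_SESSION = 600.0   # seconds; a persistent outbound session suggests a tunnel
MIN_FANOUT = 3         # distinct external destinations reached while the tunnel is up


def external(ip):
    """True if the address lies outside the assumed internal ranges."""
    return not any(ip_address(ip) in net for net in INTERNAL_NETS)


def find_exit_nodes(flows):
    """Return {mobile_host: info} for hosts that keep a long-lived outbound session
    to one external peer and, while it is open, connect to at least MIN_FANOUT
    other external destinations (traffic exiting through the device)."""
    results = {}
    mobile_flows = [f for f in flows
                    if ip_address(f[2]) in MOBILE_NET and external(f[3])]
    for start, end, src, dst, port in mobile_flows:
        if end - start < LONG_SESSION:
            continue
        fanout = {d for s, e, h, d, p in mobile_flows
                  if h == src and d != dst and start <= s <= end}
        if len(fanout) >= MIN_FANOUT:
            results[src] = {"tunnel": dst, "tunnel_port": port, "fanout": sorted(fanout)}
    return results


# Constructed sample flows: (start, end, src_ip, dst_ip, dst_port)
SAMPLE_FLOWS = [
    (0.0, 3600.0, "10.20.1.15", "203.0.113.7", 22),      # hour-long SSH session
    (120.0, 125.0, "10.20.1.15", "198.51.100.10", 443),  # traffic exiting via phone
    (130.0, 133.0, "10.20.1.15", "198.51.100.11", 443),
    (140.0, 141.0, "10.20.1.15", "198.51.100.12", 443),
    (0.0, 2.0, "10.20.1.16", "198.51.100.20", 443),      # ordinary short sessions
    (10.0, 12.0, "10.20.1.16", "198.51.100.21", 443),
]

if __name__ == "__main__":
    for host, info in find_exit_nodes(SAMPLE_FLOWS).items():
        print(f"{host}: tunnel to {info['tunnel']}:{info['tunnel_port']}, "
              f"fan-out to {info['fanout']}")
```

The port of the long-lived session is reported but not used as a criterion, since a tunnel can run on any port; tune LONG_SESSION and MIN_FANOUT against your own baseline before alerting on this.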
If your organization suspects infection, follow the guidance of your security vendor or the relevant authority. This summary does not provide specific remediation steps, so consult cybersecurity experts or trusted sources for the appropriate response actions.
