New TrickMo Variant Uses TON C2 and SOCKS5 to Create Android Network Pivots
The TrickMo Android banking malware uses the TON blockchain for C2 and turns phones into network intrusion points
TrickMo Android Banking Trojan Adopts TON Blockchain for C2 and Network Pivoting
TL;DR ThreatFabric observed a new variant of TrickMo between January and February 2026 that deploys The Open Network (TON) blockchain for command-and-control communications and adds SSH tunnelling and SOCKS5 proxy capabilities. The malware turns compromised Android devices into network pivots and traffic-exit nodes, targeting banking and cryptocurrency users in France, Italy, and Austria. This represents a significant escalation from traditional banking trojan behavior toward infrastructure abuse.
What happened
TrickMo, a device takeover (DTO) malware active since late 2019, has evolved significantly. Originally flagged by CERT-Bund and IBM X-Force for abusing Android accessibility services to hijack one-time passwords (OTPs), the malware has now adopted architectural changes that blur the line between banking trojan and network intrusion tool.
The variant observed by ThreatFabric between January and February 2026, designated TrickMo C, uses a two-stage delivery mechanism. Dropper apps masquerading as adult-oriented TikTok variants, distributed via Facebook, provide the first stage. These droppers (package names com.app16330.core20461 or com.app15318.core1173) retrieve a runtime-loaded APK module (dex.module) from attacker infrastructure at process start. That module, the actual malware, masquerades as Google Play Services under the package names uncle.collop416.wifekin78 or nibong.lida531.butler836.
The architectural shift centers on C2 communication. Rather than resolving C2 hostnames through DNS and connecting to them over the open internet, TrickMo now carries an embedded native TON proxy that starts on a loopback port during process initialization. All HTTP command-and-control requests go through this local proxy to .adnl hostnames, which are resolved inside the TON overlay network rather than by DNS. Malicious traffic is thus hidden among legitimate TON blockchain activity, which complicates both takedown and network blocking.
Beyond OTP hijacking, the new dex.module implements a network-operative subsystem supporting reconnaissance commands: curl, dnslookup, ping, telnet, and traceroute. These commands execute from the victim's network position, granting attackers visibility into both home and corporate networks the compromised device associates with. The malware also implements SSH tunnelling and an authenticated SOCKS5 proxy, converting infected Android devices into traffic-exit nodes that originate connections from the victim's own network environment.
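To make the "authenticated SOCKS5 exit node" behaviour concrete for an analyst looking at a capture from a suspect phone, here is an added example (not code from the ThreatFabric report or from TrickMo itself): a parser for the client side of a SOCKS5 session, covering the RFC 1928 greeting and CONNECT request and the RFC 1929 username/password sub-negotiation. Given the first bytes a device receives on an unexpected listening port, it reports whether an operator authenticated and which destination they asked the phone to open. The byte streams at the bottom are constructed samples; the credentials and hostnames in them are invented.

```python
"""
Added example, not code from the ThreatFabric report or from TrickMo itself:
parse the client half of a SOCKS5 session so a credentialed CONNECT through a
phone can be recognised in a capture. Sample streams below are constructed.
"""
import ipaddress
import struct
from dataclasses import dataclass, field
from typing import List, Optional

SOCKS_VERSION = 0x05
AUTH_NONE, AUTH_USERPASS = 0x00, 0x02   # RFC 1928 method codes
SUBNEG_VERSION = 0x01                    # RFC 1929 sub-negotiation version byte
CMD_CONNECT = 0x01
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04


@dataclass
class Socks5Client:
    methods: List[int] = field(default_factory=list)
    username: Optional[str] = None
    password: Optional[str] = None
    command: Optional[int] = None
    dst_host: Optional[str] = None
    dst_port: Optional[int] = None


def _take(data: bytes, pos: int, n: int) -> bytes:
    """Return data[pos:pos+n], failing loudly on a truncated capture."""
    if pos + n > len(data):
        raise ValueError(f"truncated SOCKS5 stream at offset {pos}")
    return data[pos:pos + n]


def parse_socks5_client(data: bytes) -> Socks5Client:
    """Parse greeting, optional RFC 1929 auth and the first request from the
    client-to-server bytes. Server replies are not needed: the version byte
    distinguishes an auth sub-negotiation (0x01) from a request (0x05)."""
    ver, nmethods = _take(data, 0, 2)
    if ver != SOCKS_VERSION:
        raise ValueError("not a SOCKS5 greeting")
    pos = 2
    client = Socks5Client(methods=list(_take(data, pos, nmethods)))
    pos += nmethods

    # Username/password sub-negotiation: only if offered and actually sent
    if AUTH_USERPASS in client.methods and pos < len(data) and data[pos] == SUBNEG_VERSION:
        ulen = _take(data, pos + 1, 1)[0]
        client.username = _take(data, pos + 2, ulen).decode("utf-8", "replace")
        pos += 2 + ulen
        plen = _take(data, pos, 1)[0]
        client.password = _take(data, pos + 1, plen).decode("utf-8", "replace")
        pos += 1 + plen

    # Request: VER CMD RSV ATYP DST.ADDR DST.PORT
    if pos < len(data):
        ver, cmd, _rsv, atyp = _take(data, pos, 4)
        if ver != SOCKS_VERSION:
            raise ValueError("expected SOCKS5 request")
        pos += 4
        if atyp == ATYP_IPV4:
            host, pos = str(ipaddress.IPv4Address(_take(data, pos, 4))), pos + 4
        elif atyp == ATYP_DOMAIN:
            dlen = _take(data, pos, 1)[0]
            host, pos = _take(data, pos + 1, dlen).decode("ascii", "replace"), pos + 1 + dlen
        elif atyp == ATYP_IPV6:
            host, pos = str(ipaddress.IPv6Address(_take(data, pos, 16))), pos + 16
        else:
            raise ValueError(f"unknown ATYP {atyp:#x}")
        client.command = cmd
        client.dst_host = host
        client.dst_port = struct.unpack("!H", _take(data, pos, 2))[0]
    return client


def looks_like_authenticated_exit(data: bytes) -> bool:
    """True for a credentialed SOCKS5 CONNECT: the shape of an operator pushing
    traffic out through the victim's IP address. Non-SOCKS or truncated input
    returns False instead of raising."""
    try:
        c = parse_socks5_client(data)
    except ValueError:
        return False
    return c.username is not None and c.command == CMD_CONNECT


def build_client_stream(host: str, port: int, user: Optional[str] = None,
                        password: Optional[str] = None) -> bytes:
    """Construct a client stream (domain-name ATYP) for tests or for feeding
    your own detectors."""
    stream = bytes([SOCKS_VERSION, 1, AUTH_USERPASS if user else AUTH_NONE])
    if user:
        u, p = user.encode(), (password or "").encode()
        stream += bytes([SUBNEG_VERSION, len(u)]) + u + bytes([len(p)]) + p
    h = host.encode()
    stream += bytes([SOCKS_VERSION, CMD_CONNECT, 0x00, ATYP_DOMAIN, len(h)]) + h
    return stream + struct.pack("!H", port)


# Constructed captures (invented credentials and hosts, not real IOCs)
SAMPLE_AUTH = build_client_stream("bank.example.fr", 443, "op01", "s3cret!!")
SAMPLE_OPEN = bytes([0x05, 0x01, 0x00, 0x05, 0x01, 0x00, 0x01, 10, 0, 0, 5]) + struct.pack("!H", 22)

if __name__ == "__main__":
    for name, sample in (("auth", SAMPLE_AUTH), ("open", SAMPLE_OPEN)):
        print(name, parse_socks5_client(sample), looks_like_authenticated_exit(sample))
```

In practice the parser is pointed at the first few dozen bytes of an inbound TCP stream to a phone (or of an outbound stream, if the proxy is reached through the SSH tunnel); a hit on a device that should never be a proxy is a strong pivot indicator regardless of where the client connection came from.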
The source does not specify the number of devices infected or the scale of compromise in the three targeted countries.
TrickMo retains its legacy capabilities: keystroke logging, screen recording, SMS interception, live screen streaming, and credential phishing. The researchers also identified two dormant features: a bundled Pine hooking framework and NFC-related permission declarations. Neither is used by the current code, which suggests the developers are reserving them for future deployment.
Why it matters
This evolution changes the threat profile for defenders and organizations in the MENA region and beyond. TrickMo moves from a banking-focused credential stealer to a general-purpose network intrusion platform. A compromised phone is already a trusted member of whatever corporate or home network it joins, so traffic the attacker sends through it bypasses perimeter controls and the IP-based fraud detection used by banking, e-commerce, and cryptocurrency exchange services.
For SOC analysts, this means infected devices can serve as persistent pivots for lateral movement into internal networks. A user's phone compromised by TrickMo creates a trusted network endpoint from which an attacker can conduct reconnaissance, exfiltrate data, or establish deeper persistence. The SOCKS5 proxy capability allows attackers to route malicious traffic through the victim's IP address, defeating fraud-detection systems that rely on geolocation or IP reputation scoring.
For developers and system administrators, the key risk is exposure through unmanaged personal devices: dropper apps are still being distributed through social media, and the phishing websites hosting them belong to an active campaign. Organizations cannot assume that employee personal devices, even those outside corporate MDM, are isolated from business risk, especially when the same device joins the office network and is used for banking or cryptocurrency services.
The use of TON for C2 matters from a defensive standpoint. Because .adnl hostnames are resolved inside the TON overlay rather than through DNS, the C2 names never appear in DNS logs, and blocking the C2 channel at the network level means blocking the entire decentralized network rather than a few domains or IP addresses. Traditional DNS sinkholing and IP-based takedowns become ineffective.
Affected systems and CVEs
- Android devices (the source does not state which Android versions are affected)
- Banking applications and cryptocurrency wallet applications on Android
- Corporate and home networks accessed by compromised Android devices
No CVE assigned at the time of publication.
What to do
The source article does not provide explicit mitigation recommendations. However, defenders should consider:
- Monitor for the specified package names (com.app16330.core20461, com.app15318.core1173, uncle.collop416.wifekin78, nibong.lida531.butler836) on employee and personal devices with access to sensitive systems.
- Block the social-media and phishing URLs that distribute the fake TikTok droppers at the web proxy, and restrict sideloading on managed Android devices.
- Deploy mobile threat defense or EDR tooling on Android devices that can detect accessibility-service abuse, code loaded at runtime from the network, and unexpected proxy or tunnel activity.
- Educate users in targeted regions (France, Italy, Austria) about downloading apps only from official app stores, not through social media links.
- Review network logs for TON overlay (ADNL) traffic from mobile devices, since the .adnl C2 hostnames are resolved inside the overlay and will not appear in DNS logs, and for SSH or SOCKS5 sessions that originate from or terminate on phones.
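The package-name check above can be scripted for a fleet of devices reachable over adb. The following is an added triage helper, not code from the source article or from ThreatFabric: it parses the output of two real adb commands (`pm list packages -f` and `settings get secure enabled_accessibility_services`), flags the package names the article lists, and reports which user-installed apps have an accessibility service enabled, since accessibility abuse is how TrickMo steals OTPs. One caveat a practitioner should keep in mind: dex.module is loaded at runtime by the dropper, so its two package names may never appear as installed packages; the dropper names are the more reliable on-device indicator. The sample command output is constructed, the allowlist is an assumption to be extended for your own fleet, and the service class name in the sample is invented.

```python
"""
Added triage helper, not from the ThreatFabric report: match `pm list packages -f`
output against the TrickMo package names in the article and report third-party
apps with an enabled accessibility service. Sample command output is constructed.
"""
import subprocess
from typing import Dict, List, Tuple

# Package names reported for the TrickMo C droppers and the dex.module payload.
TRICKMO_PACKAGES = {
    "com.app16330.core20461": "dropper (fake TikTok)",
    "com.app15318.core1173": "dropper (fake TikTok)",
    "uncle.collop416.wifekin78": "dex.module (fake Google Play Services)",
    "nibong.lida531.butler836": "dex.module (fake Google Play Services)",
}

# Assumed allowlist of accessibility services expected on the fleet; extend it
# with your MDM agent or screen-reader packages.
ACCESSIBILITY_ALLOWLIST = {"com.google.android.marvin.talkback"}


def parse_pm_list(output: str) -> Dict[str, str]:
    """Map package name -> APK path from `pm list packages -f`, whose lines look
    like `package:/data/app/.../base.apk=com.example.app` (paths may contain '=')."""
    pkgs: Dict[str, str] = {}
    for line in output.splitlines():
        line = line.strip()
        if not line.startswith("package:") or "=" not in line:
            continue
        path, pkg = line[len("package:"):].rsplit("=", 1)
        pkgs[pkg] = path
    return pkgs


def parse_enabled_a11y(output: str) -> List[str]:
    """`settings get secure enabled_accessibility_services` prints a
    ':'-separated list of pkg/ServiceClass, or `null` when none is enabled."""
    output = output.strip()
    if not output or output == "null":
        return []
    return [entry for entry in output.split(":") if entry]


def triage(pm_output: str, a11y_output: str) -> Dict[str, List[Tuple[str, ...]]]:
    """Return exact IOC hits plus non-allowlisted user-installed packages that
    have an accessibility service enabled."""
    pkgs = parse_pm_list(pm_output)
    findings: Dict[str, List[Tuple[str, ...]]] = {"ioc_hits": [], "suspicious_accessibility": []}
    for pkg, path in pkgs.items():
        if pkg in TRICKMO_PACKAGES:
            findings["ioc_hits"].append((pkg, TRICKMO_PACKAGES[pkg], path))
    for entry in parse_enabled_a11y(a11y_output):
        pkg = entry.split("/", 1)[0]
        # User-installed apps live under /data/app; preinstalled ones do not
        if pkg not in ACCESSIBILITY_ALLOWLIST and pkgs.get(pkg, "").startswith("/data/app"):
            findings["suspicious_accessibility"].append((pkg, entry))
    return findings


def triage_device(serial: str) -> Dict[str, List[Tuple[str, ...]]]:
    """Pull both outputs from a connected device over adb (not exercised offline)."""
    def adb(*args: str) -> str:
        return subprocess.run(["adb", "-s", serial, "shell", *args],
                              capture_output=True, text=True, check=True).stdout
    return triage(adb("pm", "list", "packages", "-f"),
                  adb("settings", "get", "secure", "enabled_accessibility_services"))


# Constructed sample output (not from a real device; service class name invented)
SAMPLE_PM = """\
package:/system/priv-app/PrebuiltGmsCore/PrebuiltGmsCore.apk=com.google.android.gms
package:/system/app/talkback/talkback.apk=com.google.android.marvin.talkback
package:/data/app/~~Qm9ndXM=/com.example.bank-dGVzdA==/base.apk=com.example.bank
package:/data/app/~~Rm9v/com.app16330.core20461-YmFy/base.apk=com.app16330.core20461
"""
SAMPLE_A11Y = ("com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:"
               "com.app16330.core20461/com.app16330.core20461.ui.HelperService")

if __name__ == "__main__":
    for kind, items in triage(SAMPLE_PM, SAMPLE_A11Y).items():
        for item in items:
            print(kind, *item)
```

Run `triage_device("<serial>")` per device from a host with adb access. An app that is both an IOC hit and holds an enabled accessibility service is the expected TrickMo picture; an unknown user-installed app with accessibility enabled warrants a manual look even with no package-name match, because the names will change between campaigns.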
Open questions
- How many devices or users have been infected by this variant.
- The geographic extent and severity of compromise in France, Italy, and Austria beyond the observation window.
- Whether the dormant Pine hooking framework and NFC permissions will be activated in future variants, and on what timeline.
- The specific .adnl hostnames and TON infrastructure used for C2 communications.
- Attribution: who operates TrickMo and their broader campaign objectives.
- Whether variants targeting other regions or banking sectors exist but remain undetected.
Source
New TrickMo Variant Uses TON C2 and SOCKS5 to Create Android Network Pivots