TrickMo Android banker adopts TON blockchain for covert comms

by · BleepingComputer

A new variant of the TrickMo Android banking malware, delivered in campaigns targeting users across Europe, introduces new commands and uses The Open Network (TON) for stealthy command-and-control communications.

The TrickMo banker was first spotted in September 2019 and has remained in active development, constantly receiving updates since then.

In October 2024, Zimperium analyzed 40 variants of the malware delivered via 16 droppers, communicating with 22 distinct command-and-control (C2) infrastructures, and targeting sensitive data belonging to users worldwide.

The latest variant was discovered by ThreatFabric, which tracks it as 'Trickmo.C'. The researchers have been observing this version since January.

In a report today, ThreatFabric says that the malware is disguised as TikTok or streaming apps and targets banking and cryptocurrency wallets of users in France, Italy, and Austria.

The key new feature in the current variant is the TON-based communication with the operator, which uses .ADNL addresses routed through an embedded local TON proxy running on the infected device.

TON is a decentralized peer-to-peer network originally developed around the Telegram ecosystem that allows devices to communicate with the web via an encrypted overlay network rather than publicly exposed internet servers.

TON uses a 256-bit identifier instead of a normal domain, which hides the IP address and communication port, thus making the real server infrastructure more difficult to identify, block, or take down.

“Traditional domain takedowns are largely ineffective because the operator’s endpoints do not rely on the public DNS hierarchy and instead exist as TON .adnl identities resolved inside the overlay network itself,” explains ThreatFabric.

“Traffic-pattern detection at the network edge sees only TON traffic, which is encrypted and indistinguishable from any other TON-enabled application's outbound flow.”

TrickMo operational architecture
Source: ThreatFabric

TrickMo’s capabilities

TrickMo is a modular malware with a two-stage design: a host APK that serves as the loader and persistence layer, and a runtime-downloaded APK module that implements the offensive functionality.

The malware targets banking credentials via phishing overlays, performs keylogging, screen recording, and live screen streaming, SMS interception, OTP notification suppression, clipboard modification, notification filtering, and screenshot capturing.

ThreatFabric reports that the new variant adds the following commands and capabilities:

  • curl
  • dnsLookup
  • ping
  • telnet
  • traceroute
  • SSH tunneling
  • remote port forwarding
  • local port forwarding
  • authenticated SOCKS5 proxy support

The researchers have also spotted the Pine runtime hooking framework, previously used to intercept networking and Firebase operations, but it is currently inactive as there are no hooks installed.

TrickMo also declares extensive NFC permissions and reports NFC capabilities in telemetry, but the researchers did not find any active NFC functionality.

Android users are advised to only download software from Google Play, limit the number of installed apps on their phones, use apps only from reputable publishers, and ensure that Play Protect is active at all times.

99% of What Mythos Found Is Still Unpatched.

AI chained four zero-days into one exploit that bypassed both renderer and OS sandboxes. A wave of new exploits is coming.

At the Autonomous Validation Summit (May 12 & 14), see how autonomous, context-rich validation finds what's exploitable, proves controls hold, and closes the remediation loop.

Claim Your Spot