New TrickMo Variant Uses TON C2 and SOCKS5 to Turn Android Devices Into Network Pivots

Cybersecurity researchers have flagged a new version of the TrickMo Android banking trojan that uses The Open Network (TON) for command-and-control (C2).
The new variant, observed by ThreatFabric between January and February 2026, appears to be aimed mainly at banking and cryptocurrency wallet users in France, Italy, and Austria.
“TrickMo relies on a runtime-loaded APK (dex.module), which was also used by previous variants but has been updated with new network-focused functionality, including auditing, SSH tunneling, and SOCKS5 proxy capabilities that allow infected devices to act as programmable network pivots and shared traffic exit nodes,” the security company said.
TrickMo is a device takeover (DTO) malware family that has been in the wild since late 2019. It was first documented by CERT-Bund and IBM X-Force, which described its ability to abuse Android's accessibility services to intercept one-time passwords (OTPs).
It also comes with features to steal information, log keystrokes, record and live-stream the screen, and intercept SMS messages, essentially giving the operator complete remote control of the device.
The latest versions, labeled TrickMo C, are distributed via classifieds websites and dropper apps, the latter acting as a conduit for a dynamically loaded APK (“dex.module”) that is retrieved at runtime from attacker-controlled infrastructure. A notable architectural change is the use of the decentralized TON blockchain network for stealthy C2 communications.
“TrickMo hosts an embedded TON proxy that the host APK starts on a loopback port at the beginning of the process,” ThreatFabric said. “The bot's HTTP client is connected to that proxy, so each outgoing command-and-control request is addressed to the .adnl hostname and resolved through the TON overlay.”
The dropper apps impersonate adult versions of TikTok, while the malware itself impersonates Google Play Services. The package names observed are:
- com.app16330.core20461 or com.app15318.core1173 (dropper)
- uncle.collop416.wifekin78 or nibong.lida531.butler836 (TrickMo)

While previous iterations of “dex.module” drove remote access over a socket.io-based channel, the new version adds a network subsystem that turns the malware into a remotely operated network tool rather than just a typical banking trojan.
The subsystem supports commands such as curl, dnslookup, ping, telnet, and traceroute, giving the attacker “a remote shell to obtain network information on the victim’s network environment, including any internal business network or home device that is currently associated with it,” according to ThreatFabric.
Another key feature is a SOCKS5 proxy that turns a compromised device into an exit node for malicious traffic, so that requests appear to come from the victim's IP address and defeat IP-based fraud detection at banking, commerce, and cryptocurrency services.
TrickMo also carries two dormant capabilities: it bundles the Pine hooking framework and declares extensive NFC-related permissions, but neither is used yet. This may indicate that the developers intend to expand the trojan's capabilities in the future.
“Instead of relying on traditional DNS and public Internet infrastructure, the malware communicates through .adnl endpoints that are routed through an embedded local TON proxy, which reduces the effectiveness of conventional takedown and network blocking efforts while blending its traffic with legitimate TON activity,” ThreatFabric said.
“This latest variant also expands the operational role of infected devices by using SSH tunneling and an authenticated SOCKS5 proxy, effectively turning compromised phones into programmable network pivots and traffic exit nodes whose connections originate in the victim's network environment.”
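As an added illustration (not ThreatFabric's code and nothing taken from the TrickMo samples), the following Python classifies constructed flow records for the two traffic patterns the report describes: HTTP requests for a `.adnl` hostname handed to a proxy on the loopback interface, and SOCKS5 sessions in which the server selects username/password authentication (RFC 1929), which is what an authenticated proxy exposed by the device would look like on the wire. Every flow record, hostname, IP address, username and port below is made up for the example; the article does not give the real loopback port of the TON proxy or the real SOCKS5 listener port, so the code keys on the loopback destination and the SOCKS5 handshake bytes rather than on port numbers.

```python
import re
from dataclasses import dataclass

SOCKS_VERSION = 0x05
SOCKS_CMD_CONNECT = 0x01
SOCKS_AUTH_USERPASS = 0x02   # RFC 1929 username/password method
SOCKS_ATYP_IPV4 = 0x01
SOCKS_ATYP_DOMAIN = 0x03

HTTP_REQUEST_LINE = re.compile(rb"^[A-Z]+ \S+ HTTP/1\.[01]\r\n")
HTTP_HOST_HEADER = re.compile(rb"^Host:[ \t]*([^\r\n]+)", re.M | re.I)


@dataclass
class Flow:
    """One TCP connection as seen from the device: who opened it, where to,
    and the first bytes each side sent (a constructed record, not a pcap)."""
    src: str
    dst: str
    dport: int
    client_bytes: bytes
    server_bytes: bytes


def http_host(data: bytes):
    """Return the Host header of an HTTP/1.x request, or None if not HTTP."""
    if not HTTP_REQUEST_LINE.match(data):
        return None
    m = HTTP_HOST_HEADER.search(data)
    return m.group(1).decode(errors="replace").strip() if m else None


def parse_socks5_client(data: bytes):
    """Parse the client side of a SOCKS5 session: RFC 1928 greeting, optional
    RFC 1929 username/password exchange, then the CONNECT request.
    Returns None if the bytes do not start with a SOCKS5 greeting."""
    if len(data) < 2 or data[0] != SOCKS_VERSION:
        return None
    nmethods = data[1]
    methods = list(data[2:2 + nmethods])
    if len(methods) != nmethods:
        return None
    pos = 2 + nmethods
    info = {"methods": methods, "username": None, "target": None}
    try:
        # Sub-negotiation version is 0x01, distinct from the 0x05 of CONNECT.
        if pos < len(data) and data[pos] == 0x01 and SOCKS_AUTH_USERPASS in methods:
            ulen = data[pos + 1]
            info["username"] = data[pos + 2:pos + 2 + ulen].decode(errors="replace")
            plen = data[pos + 2 + ulen]
            pos += 3 + ulen + plen          # skip ver, ulen, user, plen, pass
        if pos + 4 <= len(data) and data[pos] == SOCKS_VERSION and data[pos + 1] == SOCKS_CMD_CONNECT:
            atyp = data[pos + 3]
            if atyp == SOCKS_ATYP_DOMAIN:
                hlen = data[pos + 4]
                host = data[pos + 5:pos + 5 + hlen].decode(errors="replace")
                port = int.from_bytes(data[pos + 5 + hlen:pos + 7 + hlen], "big")
            elif atyp == SOCKS_ATYP_IPV4:
                host = ".".join(str(b) for b in data[pos + 4:pos + 8])
                port = int.from_bytes(data[pos + 8:pos + 10], "big")
            else:
                return info                 # IPv6 left unparsed in this example
            info["target"] = (host, port)
    except IndexError:
        pass                                # truncated capture: keep what we have
    return info


def socks5_selected_method(data: bytes):
    """Auth method chosen by a SOCKS5 server in its 2-byte reply, or None."""
    if len(data) >= 2 and data[0] == SOCKS_VERSION:
        return data[1]
    return None


def classify_flow(flow: Flow):
    """Return the list of indicators this flow matches (empty if benign)."""
    hits = []
    host = http_host(flow.client_bytes)
    if host and host.lower().endswith(".adnl"):
        hits.append("http-to-adnl-host")
        if flow.dst.startswith("127.") or flow.dst == "::1":
            hits.append("via-loopback-proxy")
    socks = parse_socks5_client(flow.client_bytes)
    if socks:
        hits.append("socks5-client")
        if socks5_selected_method(flow.server_bytes) == SOCKS_AUTH_USERPASS:
            hits.append("socks5-userpass-auth")
        if socks["target"]:
            hits.append("socks5-connect:%s:%d" % socks["target"])
    return hits


def scan_flows(flows):
    """Map flow index -> indicators, for every flow that matched something."""
    return {i: h for i, f in enumerate(flows) if (h := classify_flow(f))}


# Constructed sample flows (assumed ports 8080 and 1080; all names/IPs invented).
_socks_client = (b"\x05\x01\x02"                                  # greeting: offer userpass
                 + b"\x01\x02op\x06secret"                        # RFC 1929: user "op", pass "secret"
                 + b"\x05\x01\x00\x03" + bytes([12]) + b"bank.example" + (443).to_bytes(2, "big"))
_socks_server = b"\x05\x02" + b"\x01\x00" + b"\x05\x00\x00\x01" + bytes([10, 0, 0, 23]) + (0).to_bytes(2, "big")

SAMPLE_FLOWS = [
    Flow("127.0.0.1", "127.0.0.1", 8080,
         b"POST /api/bot HTTP/1.1\r\nHost: c2-example.adnl\r\nContent-Length: 0\r\n\r\n", b"HTTP/1.1 200 OK\r\n\r\n"),
    Flow("198.51.100.7", "10.0.0.23", 1080, _socks_client, _socks_server),
    Flow("10.0.0.23", "203.0.113.5", 80,
         b"GET / HTTP/1.1\r\nHost: www.example.com\r\n\r\n", b"HTTP/1.1 200 OK\r\n\r\n"),
]

if __name__ == "__main__":
    for idx, hits in scan_flows(SAMPLE_FLOWS).items():
        print(idx, hits)
```

The `.adnl` check is the signal that survives the proxy design: the TCP destination of the C2 flow is the loopback interface, so a firewall or netflow rule keyed on destination IP sees nothing, while the HTTP request sent through the proxy still carries the `.adnl` host. For the inbound SOCKS5 pattern, the server's `05 02` method selection is what distinguishes an authenticated proxy from an open one; a real deployment would feed this logic from an on-device packet capture or a VPN-based traffic monitor rather than from the constructed records above.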