TrickMo Android Banker Evolves with TON Blockchain C2

Overview

ThreatFabric has identified a new variant of the TrickMo Android banking malware, tracked as TrickMo.C. TrickMo has been active since 2019 and continues to evolve: this variant adopts The Open Network (TON) blockchain for covert command-and-control (C2) communications, which makes infrastructure takedowns and network-based detection considerably harder.

Key Innovations

  • TON‑based C2:
    • Uses .adnl addresses, resolved and routed through a TON proxy embedded in the app and listening locally.
    • Addressing lives in TON's decentralized overlay network rather than in DNS, so there is no domain or static IP/port for defenders to sinkhole or take down.
    • C2 traffic looks like ordinary encrypted TON traffic and does not stand out from a legitimate TON client. The caveat for defenders: a supposed TikTok or streaming app has no reason to ship a TON proxy or emit TON traffic at all, so the presence of either on a device is itself a detection hook.
  • New Commands Added:
    • curl, dnsLookup, ping, telnet, traceroute.
    • SSH tunneling, remote/local port forwarding.
    • Authenticated SOCKS5 proxy support.
  • Disguise & Delivery:
    • Masquerades as TikTok or streaming apps.
    • Targets banking and crypto wallet users in France, Italy, and Austria.
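The embedded TON proxy and the new command set are string-heavy features, so a first-pass static triage can look for them in the APK's bytecode and native libraries before anyone decompiles. The script below is an added example written for this article, not ThreatFabric's tooling and not code from the malware: it opens an APK as a zip and byte-searches the DEX and `.so` entries for tokens tied to ADNL addressing and the recon/tunnelling commands the report names. The token list, the verdict rules, the hostname `c2.example.adnl` and the in-memory sample APK are my assumptions for the demo; a hit is a reason to decompile, not a verdict.

```python
"""Static indicator scan of an APK for the TrickMo.C traits in the write-up.

Added example: not ThreatFabric's tooling and not code from the malware.
The token list, thresholds and the sample APK built below are assumptions.
"""
from __future__ import annotations

import io
import re
import zipfile

# Tokens are matched case-insensitively against raw entry bytes (DEX strings are
# MUTF-8, so ASCII tokens match directly). 'curl' and 'ping' are deliberately
# left out: too common in benign code to carry signal on their own.
INDICATORS: dict[str, tuple[str, ...]] = {
    "ton_c2": ("adnl",),                                # .adnl C2 addressing
    "recon_commands": ("dnslookup", "traceroute", "telnet"),
    "tunnelling": ("socks5", "ssh"),                    # 'ssh' is noisy; see triage()
}

# Only bytecode and native code are scanned; resources and the binary manifest are skipped.
SCAN_ENTRY = re.compile(r"^(classes\d*\.dex|lib/[^/]+/[^/]+\.so)$")


def scan_apk(apk: str | bytes) -> dict[str, dict[str, list[str]]]:
    """Return {entry_name: {category: [tokens found]}} for DEX and native-lib entries.

    `apk` is either a path on disk or the raw bytes of the archive.
    """
    src = io.BytesIO(apk) if isinstance(apk, bytes) else apk
    hits: dict[str, dict[str, list[str]]] = {}
    with zipfile.ZipFile(src) as zf:
        for name in zf.namelist():
            if not SCAN_ENTRY.match(name):
                continue
            data = zf.read(name).lower()
            found = {cat: [t for t in toks if t.encode() in data]
                     for cat, toks in INDICATORS.items()}
            found = {cat: toks for cat, toks in found.items() if toks}
            if found:
                hits[name] = found
    return hits


def triage(apk: str | bytes) -> tuple[str, set[str]]:
    """Collapse per-entry hits into a verdict. The rules are assumed, not from the report."""
    hits = scan_apk(apk)
    categories = {cat for per_entry in hits.values() for cat in per_entry}
    tokens = {t for per_entry in hits.values() for toks in per_entry.values() for t in toks}
    # 'ssh' on its own is too common (library names, substrings) to count as tunnelling.
    if "tunnelling" in categories and "socks5" not in tokens:
        categories.discard("tunnelling")
    if "ton_c2" in categories and len(categories) >= 2:
        return "likely-trickmo", categories
    if categories:
        return "review", categories
    return "clean", categories


def build_sample_apk(strings: list[bytes]) -> bytes:
    """Build a minimal zip standing in for an APK (constructed test data, not a real sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AndroidManifest.xml", b"<binary-xml placeholder>")
        zf.writestr("classes.dex", b"dex\n035\0" + b"\0".join(strings))
        zf.writestr("lib/arm64-v8a/libnative.so", b"\x7fELF" + b"\0".join(strings))
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed sample: a fake ADNL hostname plus two of the reported command/tunnel names.
    sample = build_sample_apk([b"http://c2.example.adnl", b"dnsLookup", b"socks5"])
    verdict, cats = triage(sample)
    print(verdict, sorted(cats))
    for entry, found in scan_apk(sample).items():
        print(f"  {entry}: {found}")
```

Point `triage()` at a real file path to scan an APK pulled with `adb pull`; packed or string-encrypted builds will defeat a byte search, which is why this is a first pass and not a replacement for decompilation.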

Capabilities

TrickMo remains modular, two-stage malware:

  • Loader APK: Persistence and initial infection.
  • Runtime APK Module: Offensive functions including:
    • Phishing overlays for banking credentials.
    • Keylogging, screen recording, live streaming.
    • SMS interception, OTP suppression.
    • Clipboard modification, notification filtering.
    • Screenshot capturing.

Researchers also noted that the NFC permission is declared, although no code that actually uses NFC was found in this variant.

Why It Matters

  • Resilient Infrastructure: TON’s decentralized design makes traditional domain/IP blocking ineffective.
  • Expanded Toolset: New commands give operators more flexibility for reconnaissance and tunneling.
  • Financial Targeting: Focused on banking and crypto wallets, increasing risk of fraud and theft.

Defensive Guidance

  • Download Only from Google Play: Avoid sideloading APKs.
  • Limit Installed Apps: Reduce attack surface.
  • Use Trusted Publishers: Verify the developer before installing; a TikTok or streaming app from an unknown publisher is a red flag.
  • Enable Play Protect: Keep Google’s built‑in protections active.
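The capabilities list above maps onto a small set of Android permissions and settings, and the first guidance item (no sideloading) is something a device can be checked for. The script below is an added example written for this article, not ThreatFabric's tooling: it parses the output of three stock Android commands (`pm list packages -i`, `dumpsys package <pkg>`, `settings get secure enabled_accessibility_services`) and scores each package by provenance and by the permissions behind SMS interception, overlays, second-stage installation and the declared-but-unused NFC access. The permission names and command formats are real; the weights, the trusted-installer set, the package names and the sample outputs are my assumptions, constructed for the demo.

```python
"""Inventory an Android device for apps matching the TrickMo profile in the write-up.

Added example, not ThreatFabric's tooling. Weights, trusted installers and the
sample outputs are assumptions; the permission names and command formats are real.
"""
from __future__ import annotations

import re
import subprocess
from dataclasses import dataclass, field

# Assumed policy mirroring 'download only from Google Play'. OEM stores are
# legitimate too; add their installer package names for your fleet.
TRUSTED_INSTALLERS = {"com.android.vending"}

# Real permission names, grouped by the TrickMo capability they enable.
WATCHED_PERMISSIONS = {
    "android.permission.RECEIVE_SMS": "SMS interception / OTP suppression",
    "android.permission.READ_SMS": "SMS interception / OTP suppression",
    "android.permission.SYSTEM_ALERT_WINDOW": "phishing overlays",
    "android.permission.REQUEST_INSTALL_PACKAGES": "loader dropping a second-stage APK",
    "android.permission.NFC": "NFC declared (no active use reported yet)",
}

PM_LINE = re.compile(r"^package:(\S+)\s+installer=(\S+)")
PERM_REQUESTED = re.compile(r"^\s+(android\.permission\.[A-Z_]+)\s*$")
PERM_GRANTED = re.compile(r"^\s+(android\.permission\.[A-Z_]+): granted=true")


@dataclass
class Finding:
    package: str
    score: int = 0
    reasons: list[str] = field(default_factory=list)


def parse_installers(pm_output: str) -> dict[str, str]:
    """`pm list packages -i` -> {package: installer}; 'null' means sideloaded or unknown."""
    out: dict[str, str] = {}
    for line in pm_output.splitlines():
        m = PM_LINE.match(line.strip())
        if m:
            out[m.group(1)] = m.group(2)
    return out


def parse_permissions(dumpsys_output: str) -> tuple[set[str], set[str]]:
    """`dumpsys package <pkg>` -> (requested, granted) permission name sets."""
    requested: set[str] = set()
    granted: set[str] = set()
    for line in dumpsys_output.splitlines():
        m = PERM_GRANTED.match(line)
        if m:
            granted.add(m.group(1))
            continue
        m = PERM_REQUESTED.match(line)
        if m:
            requested.add(m.group(1))
    return requested, granted


def parse_accessibility(setting_value: str) -> set[str]:
    """Colon-separated component names -> packages with an enabled accessibility service."""
    value = setting_value.strip()
    if value in ("", "null"):
        return set()
    return {comp.split("/")[0] for comp in value.split(":") if comp}


def assess(installers: dict[str, str], perms_by_pkg: dict[str, tuple[set[str], set[str]]],
           a11y_pkgs: set[str]) -> list[Finding]:
    """Score every package; weights are assumed, provenance counts most."""
    findings = []
    for pkg, installer in installers.items():
        f = Finding(pkg)
        if installer not in TRUSTED_INSTALLERS:
            f.score += 3
            f.reasons.append(f"sideloaded (installer={installer})")
        requested, granted = perms_by_pkg.get(pkg, (set(), set()))
        for perm, why in WATCHED_PERMISSIONS.items():
            if perm in requested or perm in granted:
                state = "granted" if perm in granted else "declared"
                f.score += 1
                f.reasons.append(f"{perm.rsplit('.', 1)[1]} {state}: {why}")
        if pkg in a11y_pkgs:  # keylogging and overlay abuse ride on accessibility services
            f.score += 2
            f.reasons.append("accessibility service enabled")
        if f.score:
            findings.append(f)
    return sorted(findings, key=lambda x: x.score, reverse=True)


def collect_from_device(adb: str = "adb") -> list[Finding]:
    """Pull the three inputs from a connected device over adb (needs a device; not run offline)."""
    def sh(*args: str) -> str:
        return subprocess.run([adb, "shell", *args], capture_output=True, text=True, check=True).stdout
    installers = parse_installers(sh("pm", "list", "packages", "-i"))
    perms = {pkg: parse_permissions(sh("dumpsys", "package", pkg)) for pkg in installers}
    a11y = parse_accessibility(sh("settings", "get", "secure", "enabled_accessibility_services"))
    return assess(installers, perms, a11y)


# Constructed sample outputs standing in for a real device (not real telemetry).
PM_SAMPLE = """\
package:com.android.chrome  installer=com.android.vending
package:com.example.tiktok.free  installer=null
package:com.example.bank  installer=com.android.vending
"""
DUMPSYS_SAMPLE = {
    "com.example.tiktok.free": """\
Package [com.example.tiktok.free] (1a2b3c):
    installerPackageName=null
    requested permissions:
      android.permission.INTERNET
      android.permission.RECEIVE_SMS
      android.permission.READ_SMS
      android.permission.SYSTEM_ALERT_WINDOW
      android.permission.NFC
      android.permission.REQUEST_INSTALL_PACKAGES
    install permissions:
      android.permission.INTERNET: granted=true
      android.permission.NFC: granted=true
    runtime permissions:
      android.permission.RECEIVE_SMS: granted=true, flags=[ USER_SET ]
      android.permission.READ_SMS: granted=true, flags=[ USER_SET ]
""",
    "com.example.bank": """\
Package [com.example.bank] (4d5e6f):
    installerPackageName=com.android.vending
    requested permissions:
      android.permission.INTERNET
      android.permission.NFC
    install permissions:
      android.permission.INTERNET: granted=true
      android.permission.NFC: granted=true
""",
}
A11Y_SAMPLE = "com.example.tiktok.free/com.example.tiktok.free.AccService"

if __name__ == "__main__":
    perms = {pkg: parse_permissions(text) for pkg, text in DUMPSYS_SAMPLE.items()}
    for f in assess(parse_installers(PM_SAMPLE), perms, parse_accessibility(A11Y_SAMPLE)):
        print(f"{f.package} score={f.score}")
        for r in f.reasons:
            print(f"  - {r}")
```

Against the constructed sample the fake "TikTok" package scores 10 (sideloaded, all five watched permissions, accessibility enabled) while the store-installed bank app scores 1 for its own NFC permission; the score is a triage ordering for a fleet, not a verdict, and `SYSTEM_ALERT_WINDOW` shows as declared only because its grant is an app-op rather than a `granted=true` line.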

Final Thought

TrickMo’s adoption of TON blockchain for C2 marks a significant leap in malware resilience. By blending into encrypted peer‑to‑peer traffic, it raises the bar for defenders. The lesson is clear: financial malware is evolving beyond DNS and IP defenses — detection must now focus on behavioral anomalies and app provenance.
