{"id":7117,"date":"2026-05-12T14:17:56","date_gmt":"2026-05-12T14:17:56","guid":{"rendered":"https:\/\/delimiter.online\/blog\/trickmo-android-trojan\/"},"modified":"2026-05-12T14:17:56","modified_gmt":"2026-05-12T14:17:56","slug":"trickmo-android-trojan","status":"publish","type":"post","link":"https:\/\/delimiter.online\/blog\/trickmo-android-trojan\/","title":{"rendered":"TrickMo Android Trojan Uses TON Network for New Attack Method"},"content":{"rendered":"<p>Cybersecurity researchers have identified a new variant of the TrickMo Android banking trojan that leverages The Open Network (TON) for command-and-control (C2) communications. The malware also runs a SOCKS5 proxy on infected Android devices, turning them into network pivots.<\/p>\n<p>ThreatFabric, the security firm tracking the threat, observed the new variant between January and February 2026. The campaign is actively targeting users of banking and cryptocurrency wallet applications in France, Italy, and Austria.<\/p>\n<p>The new variant represents a significant evolution in TrickMo\u2019s operational capabilities. According to researchers, the malware now relies on a runtime-loaded APK component, specifically a dex.module file, to execute its malicious payload.<\/p>\n<p>This technical shift allows the trojan to avoid initial detection by app store security checks and traditional antivirus software. Because the dex.module is loaded dynamically at runtime, the malicious code is not exposed to the static signature checks that app stores and traditional antivirus apply to the package itself; a static scan sees only the loader.<\/p>\n<p>The use of The Open Network for C2 communications is particularly notable. TON is a blockchain-based decentralized network originally developed by the Telegram team. 
Because TON is decentralized, there is no single control server for law enforcement or security researchers to seize, which obscures the operators\u2019 command infrastructure and makes a takedown considerably harder.<\/p>\n<p>ThreatFabric also reported that the new TrickMo variant integrates <a href=\"https:\/\/delimiter.online\/blog\/systembc-ransomware\/\" title=\"SOCKS5 proxy\">SOCKS5 proxy<\/a> functionality. This allows compromised Android devices to function as network pivots. Attackers can route malicious traffic through an infected phone, so that it exits from the victim\u2019s own mobile or residential IP address; this hides the attackers\u2019 true location and lets fraudulent sessions appear to come from the victim\u2019s usual network, while the operators keep control of the botnet.<\/p>\n<h2>Exploiting Accessibility Services<\/h2>\n<p>The malware continues to rely on Android\u2019s accessibility services, a common technique among banking trojans. Once granted that permission, TrickMo can intercept two-factor authentication codes, capture on-screen text, and even perform automated clicks to complete fraudulent transactions, all without root, because the accessibility API is designed to read and act on any foreground app\u2019s interface on the user\u2019s behalf.<\/p>\n<p>Researchers noted that the attackers are using social engineering tactics to trick victims into installing the malicious application. These lures often involve fake updates for popular applications or promises of financial rewards.<\/p>\n<p>The geographic focus on France, Italy, and Austria suggests a targeted campaign, though security experts warn that similar attacks could expand to other regions quickly. The modular nature of the malware allows operators to swap out target applications or C2 infrastructure with relative ease.<\/p>\n<h2>Implications for Android Security<\/h2>\n<p>The adoption of TON and SOCKS5 proxies marks a shift toward more resilient and harder-to-trace command infrastructures. 
Traditional takedown methods that rely on seizing centralized servers may prove less effective against this approach.<\/p>\n<p>Security professionals recommend that Android users only install applications from the Google Play Store, carefully review requested permissions, and avoid granting accessibility access to any application that does not require it for legitimate use; that grant matters most, since it lets an otherwise unprivileged app read and act on whatever is on screen.<\/p>\n<h2>Recommended Mitigations<\/h2>\n<p>For organizations, implementing mobile threat defense solutions can help detect the presence of runtime-loaded payloads. Network monitoring should also look for unusual traffic patterns, in particular SOCKS5 handshakes in which a mobile device accepts or relays proxy connections, something an ordinary handset has no reason to do.<\/p>\n<p>Users in the affected regions should be particularly cautious about unsolicited messages urging them to install or update financial applications. Banks and cryptocurrency services in France, Italy, and Austria have likely been alerted to the threat.<\/p>\n<p>The development of this variant underscores the ongoing arms race between cybercriminals and security researchers. As detection methods improve, attackers continue to adopt more sophisticated technologies to maintain their operations.<\/p>\n<p>Going forward, ThreatFabric expects the operators behind TrickMo to continue refining their techniques. The use of decentralized networks like TON may become a more common feature in mobile malware toolkits, potentially complicating future takedown efforts.<\/p>\n<p>Source: ThreatFabric<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Cybersecurity researchers have identified a new variant of the TrickMo Android banking trojan that leverages The Open Network (TON) for command-and-control (C2) communications. The malware also utilizes SOCKS5 proxies to create network pivots within infected Android devices. ThreatFabric, the security firm tracking the threat, observed the new variant between January and February 2026. 
The campaign [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":7118,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[505],"tags":[8354,4534,6414,8355,8353],"class_list":["post-7117","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-security","tag-android-trojan","tag-banking-malware","tag-socks5-proxy","tag-ton-network","tag-trickmo"],"_links":{"self":[{"href":"https:\/\/delimiter.online\/blog\/wp-json\/wp\/v2\/posts\/7117","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/delimiter.online\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/delimiter.online\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/delimiter.online\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/delimiter.online\/blog\/wp-json\/wp\/v2\/comments?post=7117"}],"version-history":[{"count":0,"href":"https:\/\/delimiter.online\/blog\/wp-json\/wp\/v2\/posts\/7117\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/delimiter.online\/blog\/wp-json\/wp\/v2\/media\/7118"}],"wp:attachment":[{"href":"https:\/\/delimiter.online\/blog\/wp-json\/wp\/v2\/media?parent=7117"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/delimiter.online\/blog\/wp-json\/wp\/v2\/categories?post=7117"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/delimiter.online\/blog\/wp-json\/wp\/v2\/tags?post=7117"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
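The runtime-loaded dex.module described in the post still leaves a footprint that static triage can catch: the dropper that loads it has to reference one of Android's dynamic class loaders, and a payload bundled under an innocuous name keeps its magic bytes. The following is an added example, not code from ThreatFabric or from the post's author, that scans an APK for both signals. The APK it inspects is constructed in memory for the example (it is not a real TrickMo sample), and the indicator list is an assumption about what a first-pass triage would check.

```python
"""Static triage for runtime DEX loading in an APK (added example).

Not ThreatFabric's or the post author's code. The APK it scans is built
in memory as a constructed sample, not a real TrickMo package, and the
indicator list is an assumption about what a first-pass triage checks.
"""
import io
import zipfile

# Descriptors of Android's dynamic class loaders, stored as plain UTF-8 in a
# DEX string table. A dropper that loads a separate payload (such as the
# dex.module file the post describes) must reference one of them.
LOADER_INDICATORS = (
    b"Ldalvik/system/DexClassLoader;",
    b"Ldalvik/system/InMemoryDexClassLoader;",
    b"Ldalvik/system/DexFile;",
)

# Magic bytes of payload formats often shipped under innocuous names.
PAYLOAD_MAGIC = {
    b"dex\n": "dex",
    b"PK\x03\x04": "zip/jar/apk",
    b"\x7fELF": "elf",
}


def scan_apk(apk_bytes: bytes) -> dict:
    """Return {'loaders': [descriptors], 'embedded_payloads': [(name, kind)]}."""
    findings = {"loaders": [], "embedded_payloads": []}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for name in zf.namelist():
            data = zf.read(name)
            if name.startswith("classes") and name.endswith(".dex"):
                # The app's own code: look for loader references only.
                findings["loaders"].extend(
                    ind.decode() for ind in LOADER_INDICATORS if ind in data)
                continue
            # Any other entry is judged by content, not by extension, so a
            # DEX renamed to .module or .png is still caught.
            for magic, kind in PAYLOAD_MAGIC.items():
                if data.startswith(magic):
                    findings["embedded_payloads"].append((name, kind))
                    break
    return findings


def is_suspicious(findings: dict) -> bool:
    """Either signal alone is worth an analyst's look; both together more so."""
    return bool(findings["loaders"]) or bool(findings["embedded_payloads"])


def build_sample_apk(with_loader: bool, with_payload: bool) -> bytes:
    """Constructed sample: a minimal ZIP with fake DEX contents (not installable)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        dex = b"dex\n035\x00Lcom/example/MainActivity;"
        if with_loader:
            dex += b"Ldalvik/system/DexClassLoader;loadClass"
        zf.writestr("classes.dex", dex)
        zf.writestr("AndroidManifest.xml", b"\x03\x00\x08\x00")  # binary XML header
        if with_payload:
            # A second DEX hidden under an asset name, as with dex.module.
            zf.writestr("assets/dex.module", b"dex\n035\x00payload")
    return buf.getvalue()


if __name__ == "__main__":
    print(scan_apk(build_sample_apk(with_loader=True, with_payload=True)))
```

Treat a hit as a triage signal rather than a verdict: legitimate plugin frameworks and some SDKs also use DexClassLoader, and a dropper that downloads its module only after installation shows just the loader reference with no embedded payload, which is exactly why the post says the payload escapes static store checks.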
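For the network-monitoring recommendation in the Recommended Mitigations section (SOCKS5 proxy usage on mobile devices), here is an added example, not code from the post or from ThreatFabric, that recognises the RFC 1928 greeting and request messages in the opening bytes a TCP endpoint sends and raises an alert when either side of such a flow lies in an assumed phone address range. The range 10.42.0.0/16 is a placeholder, and the three sample flows are constructed for the example.

```python
"""SOCKS5 handshake detection on flow openings (added example).

Not code from the post or from ThreatFabric. It matches the RFC 1928
greeting and request layouts on the first bytes a TCP endpoint sends and
alerts when either side of such a flow is in an assumed phone address
range. The address range and the sample flows are constructed for the
example.
"""
import ipaddress
import struct

SOCKS_VER = 0x05
CMDS = {0x01: "CONNECT", 0x02: "BIND", 0x03: "UDP_ASSOCIATE"}
AUTH = {0x00: "none", 0x02: "username/password"}

# Assumed address range of the monitored phone fleet (placeholder value).
MOBILE_SUBNETS = [ipaddress.ip_network("10.42.0.0/16")]


def parse_greeting(data: bytes):
    """Client greeting: VER NMETHODS METHODS. Returns method names or None."""
    if len(data) < 2 or data[0] != SOCKS_VER:
        return None
    n = data[1]
    if n == 0 or len(data) < 2 + n:
        return None
    return [AUTH.get(m, f"0x{m:02x}") for m in data[2:2 + n]]


def parse_request(data: bytes):
    """Client request: VER CMD RSV ATYP DST.ADDR DST.PORT. Returns dict or None."""
    if len(data) < 4 or data[0] != SOCKS_VER or data[2] != 0x00 or data[1] not in CMDS:
        return None
    atyp = data[3]
    if atyp == 0x01 and len(data) >= 10:            # IPv4 address
        host, off = str(ipaddress.IPv4Address(data[4:8])), 8
    elif atyp == 0x03 and len(data) >= 5 and data[4] and len(data) >= 7 + data[4]:
        host, off = data[5:5 + data[4]].decode("ascii", "replace"), 5 + data[4]
    elif atyp == 0x04 and len(data) >= 22:          # IPv6 address
        host, off = str(ipaddress.IPv6Address(data[4:20])), 20
    else:
        return None
    port = struct.unpack("!H", data[off:off + 2])[0]
    return {"cmd": CMDS[data[1]], "host": host, "port": port}


def classify_flow(first_bytes: bytes) -> str:
    """Label the opening bytes one endpoint sent on a TCP connection.

    The first SOCKS5 message from a client is always the greeting; with
    no-auth negotiated the request often follows in the same segment, so
    both are reported when present.
    """
    methods = parse_greeting(first_bytes)
    if methods is None:
        return "not socks5"
    req = parse_request(first_bytes[2 + first_bytes[1]:])
    if req:
        return f"socks5 greeting {methods} + {req['cmd']} {req['host']}:{req['port']}"
    return f"socks5 greeting {methods}"


def hunt(flows):
    """flows: (sender_ip, receiver_ip, first_bytes_sent_by_sender). Returns alerts."""
    alerts = []
    for sender, receiver, payload in flows:
        label = classify_flow(payload)
        if label == "not socks5":
            continue
        if any(ipaddress.ip_address(ip) in net
               for ip in (sender, receiver) for net in MOBILE_SUBNETS):
            alerts.append(f"{sender}->{receiver}: {label}")
    return alerts


def socks5_connect(host: str, port: int) -> bytes:
    """Build greeting (no-auth) + CONNECT request for a domain name (test data)."""
    name = host.encode("ascii")
    return (bytes([SOCKS_VER, 1, 0x00]) + bytes([SOCKS_VER, 0x01, 0x00, 0x03, len(name)])
            + name + struct.pack("!H", port))


# Constructed flows: a phone relaying a CONNECT to a bank, a normal TLS
# ClientHello from a phone, and a SOCKS5 greeting between two non-phone hosts.
SAMPLE_FLOWS = [
    ("10.42.7.23", "203.0.113.5", socks5_connect("bank.example", 443)),
    ("10.42.7.23", "198.51.100.9", b"\x16\x03\x01\x00\xc8\x01\x00\x00\xc4\x03\x03"),
    ("192.0.2.1", "203.0.113.5", b"\x05\x02\x00\x02"),
]

if __name__ == "__main__":
    for alert in hunt(SAMPLE_FLOWS):
        print(alert)
```

Feed it the first segment each endpoint sends, in both directions: when the phone is behind NAT the malware typically dials out and the SOCKS client bytes then arrive from the remote end inside that outbound connection, so the proxy shows up on the receiving side of a flow the phone initiated. Note that a lone CONNECT request starting 05 01 00 also parses as a one-method greeting, which is why classification is only applied to the opening bytes of a flow, where the greeting always comes first.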