TrickMo Android Banker Starts Using TON Blockchain for Covert Communication With Hackers

11.05.2026 3 minutes Author: Newsman

A new version of the Android Trojan TrickMo has gained support for the TON blockchain to communicate covertly with its operators. The malware disguises itself as TikTok and streaming apps and targets banking and cryptocurrency wallet users in Europe.

Android banker TrickMo has received a major new update and has started using the TON blockchain to covertly communicate with its infrastructure. Researchers say the new malware variant is already actively attacking users in several European countries and has become much more difficult to detect and block.

TrickMo was first spotted back in 2019, and the Trojan has been evolving ever since. In 2024 alone, Zimperium analysts discovered over 40 variants of the malware operating through 22 separate C2 infrastructures and spreading via 16 different droppers.

The latest version, which ThreatFabric tracks as Trickmo.C, has been observed by researchers since January of this year. According to them, the malware disguises itself as TikTok or streaming apps and targets users in France, Italy, and Austria. The attacks primarily target banking and cryptocurrency wallet apps.

The main change is the move to TON-based infrastructure. For command-and-control communication the Trojan uses .adnl addresses and a local TON proxy that runs directly on the infected smartphone.

TON works as a decentralized peer-to-peer network connected to the Telegram ecosystem. Instead of ordinary DNS domain names, endpoints are addressed by 256-bit ADNL identifiers, so the servers' real IP addresses and ports are not exposed. This makes it much harder to locate or disable the operator infrastructure.

ThreatFabric notes that classic domain takedowns do not work against this setup:

“Traditional methods of removing domains are largely ineffective, since the operator endpoints do not depend on the public DNS hierarchy, but instead exist as TON .adnl identifiers that resolve within the overlay network itself.”

The researchers also note that the network traffic looks like regular TON traffic and is virtually indistinguishable from legitimate activity from other TON-enabled applications.
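Because the C2 scheme above leaves no DNS names to sinkhole, the .adnl identifiers themselves are what an analyst pulls out of a sample's decompiled strings or configuration. The following is an added example, not code from the original article or from ThreatFabric or Zimperium: a small Python triage helper that extracts `.adnl` hostnames from a text dump, marks labels that are a raw 64-hex-character (256-bit) identifier, and emits them as indicator lines. The sample strings are constructed (the hex id is the SHA-256 of a fixed string, not a real indicator), and the assumption that a raw identifier appears as 64 hex characters is mine; the helper does not decode TON's base32 address encoding, it simply flags any other label under .adnl as "other".

```python
import hashlib
import re
from dataclasses import dataclass
from typing import List

# A label directly in front of ".adnl", not glued to surrounding hostname characters.
# Labels are matched case-insensitively and normalised to lower case.
ADNL_HOST = re.compile(r"(?<![a-z0-9-])([a-z0-9-]+)\.adnl(?![a-z0-9-])", re.IGNORECASE)

# Assumption (not from the article): a raw 256-bit ADNL id written as 64 hex characters.
HEX256 = re.compile(r"^[0-9a-f]{64}$")


@dataclass(frozen=True)
class AdnlIndicator:
    label: str   # hostname label without the ".adnl" suffix, lower-cased
    form: str    # "hex256" for a raw 64-hex-char id, otherwise "other"
    source: str  # where the string came from (file name, sample hash, ...)


def classify_label(label: str) -> str:
    """Tell a raw 256-bit hex identifier apart from any other .adnl label."""
    return "hex256" if HEX256.match(label) else "other"


def extract_adnl_indicators(text: str, source: str = "unknown") -> List[AdnlIndicator]:
    """Return unique .adnl hostnames found in text, in order of first appearance."""
    seen = set()
    found: List[AdnlIndicator] = []
    for match in ADNL_HOST.finditer(text):
        label = match.group(1).lower()
        if label in seen:
            continue  # the same endpoint often appears several times in a dump
        seen.add(label)
        found.append(AdnlIndicator(label, classify_label(label), source))
    return found


def format_ioc_lines(indicators: List[AdnlIndicator]) -> List[str]:
    """Tab-separated lines suitable for pasting into a blocklist or IOC sheet."""
    return [f"{i.label}.adnl\t{i.form}\t{i.source}" for i in indicators]


def constructed_sample() -> str:
    """Constructed stand-in for strings dumped from a decompiled APK; not real malware data."""
    fake_id = hashlib.sha256(b"constructed-not-a-real-c2").hexdigest()  # 64 hex chars
    return "\n".join([
        f"http://{fake_id}.adnl/api/v1/cmd",          # raw 256-bit id as hostname
        "ws://EXAMPLE-SITE-LABEL.adnl:80/stream",     # some other label under .adnl
        "https://cdn.example.com/update.json",        # ordinary DNS name, ignored
        "adnl.config.enabled=true",                   # "adnl" not used as a suffix, ignored
        "proxy_host=127.0.0.1 proxy_port=8080",       # the on-device proxy, nothing to extract
        f"http://{fake_id}.adnl/api/v1/cmd",          # duplicate, collapsed
    ])


if __name__ == "__main__":
    for line in format_ioc_lines(extract_adnl_indicators(constructed_sample(), "sample.txt")):
        print(line)
```

Note where this helps and where it does not: the extraction runs against material taken from the device or the sample, because on the wire the local TON proxy has already turned these names into ADNL overlay traffic, which (as the researchers point out) looks like any other TON-enabled app. Hostname matching at the network edge therefore sees nothing; the identifiers have to be harvested from the APK, its fetched second stage, or on-device telemetry.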

TrickMo's architecture remains two-stage: the first APK acts as a loader and provides persistence, while the second module is fetched at runtime and carries the actual attack functionality.

The malware steals banking credentials through phishing overlay windows, logs keystrokes, intercepts SMS, hides OTP notifications, manipulates the clipboard, records the screen, takes screenshots, and even supports live streaming of the infected device's screen.

The new variant also has additional network capabilities:

  • curl

  • dnsLookup

  • ping

  • telnet

  • traceroute

  • SSH tunneling

  • local and remote port forwarding

  • SOCKS5 proxy with authentication

Separately, analysts found the Pine runtime hooking framework bundled in the sample. It was previously used to intercept network operations and Firebase calls, but it is currently inactive because no hooks are installed.

TrickMo also requests extended NFC permissions and collects information about the device's NFC capabilities, although no active NFC functionality has been found in the current version.

Experts advise Android users to install applications only through Google Play, avoid unnecessary APK files from third-party sources, use applications only from trusted developers, and not disable Play Protect.
