TrickMo Trojan Evolves: New Variant Leverages TON Blockchain for C2, SOCKS5 for Network Pivots

Breaking: New TrickMo Android Trojan Variant Discovered

Cybersecurity researchers have identified a significant update to the TrickMo Android banking trojan. The new variant uses The Open Network (TON) blockchain for command-and-control (C2) and runs a SOCKS5 proxy on infected devices, letting its operators pivot network traffic through compromised phones.

According to threat intelligence firm ThreatFabric, this new variant was observed actively targeting banking and cryptocurrency wallet users in France, Italy, and Austria between January and February 2026.

“The use of TON marks a shift in how mobile malware can achieve resilient C2 communication, making takedowns far more difficult,” said Dr. Elena Vasquez, ThreatFabric’s lead mobile analyst. “SOCKS5 adds a layer of stealth that enables attackers to pivot through infected Android devices undetected.”

Technical Details: How the New TrickMo Works

The banking-trojan logic is not present in the installed app's own code. It ships as a secondary module (dex.module) that the app loads at runtime, so static analysis of the APK on its own sees only a small loader and none of the malicious functionality. Once installed, the trojan uses its TON-based C2 channel to receive commands and to download additional modules.
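Runtime DEX loading leaves two static artifacts an analyst can look for: a payload entry inside the APK zip that carries the DEX file magic despite a non-.dex name, and class-loader references in the loader's own classes.dex. The script below is an added example (not ThreatFabric tooling and not derived from any TrickMo sample): it scans every zip entry for DEX magic regardless of filename, reports Dalvik class-loader strings in classes.dex, and flags high-entropy blobs that may be an encrypted payload. The only name taken from the article is dex.module; the sample APK it triages is constructed in memory with placeholder contents.

```python
"""Static triage for runtime-loaded DEX payloads in an APK (added example)."""
import io
import math
import re
import zipfile

# DEX header magic: "dex\n035\0" .. "dex\n039\0" (version differs by Android release).
DEX_MAGIC = re.compile(rb"^dex\n03[5-9]\x00")

# Class descriptors a loader stub must reference to pull in a second DEX.
LOADER_MARKERS = (
    b"dalvik/system/DexClassLoader",
    b"dalvik/system/InMemoryDexClassLoader",
    b"dalvik/system/PathClassLoader",
    b"dalvik/system/BaseDexClassLoader",
)


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; ~8.0 for encrypted or compressed data, low for text."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def triage_apk(apk_bytes: bytes, entropy_threshold: float = 7.5) -> dict:
    """Return DEX entries hiding under other names, loader strings, and opaque blobs."""
    findings = {"hidden_dex": [], "loader_markers": [], "high_entropy": []}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for info in zf.infolist():
            data = zf.read(info)
            name = info.filename
            is_dex = bool(DEX_MAGIC.match(data))
            if name == "classes.dex" or re.fullmatch(r"classes\d+\.dex", name):
                # The declared code: look for what it could load at runtime.
                if is_dex:
                    for marker in LOADER_MARKERS:
                        if marker in data:
                            findings["loader_markers"].append(marker.decode())
                continue
            if is_dex:
                # DEX magic under a non-standard name, e.g. assets/dex.module
                findings["hidden_dex"].append(name)
            elif len(data) >= 64 and shannon_entropy(data) >= entropy_threshold:
                # No magic but looks encrypted: candidate for a decrypt-then-load payload.
                findings["high_entropy"].append(name)
    return findings


def build_sample_apk() -> bytes:
    """Constructed dropper-shaped APK; contents are placeholders, not real code."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        # Loader classes.dex: real magic plus a string table entry for DexClassLoader.
        zf.writestr("classes.dex", b"dex\n035\x00" + b"\x00" * 100
                    + b"Ldalvik/system/DexClassLoader;" + b"\x00" * 100)
        # Secondary payload shipped without a .dex extension (name from the article).
        zf.writestr("assets/dex.module", b"dex\n035\x00" + b"\x00" * 200)
        # "Encrypted" blob: uniform byte distribution, no magic.
        zf.writestr("assets/config.bin", bytes(range(256)) * 2)
        # Benign, low-entropy resource and a stub manifest.
        zf.writestr("res/values.txt", b"hello " * 40)
        zf.writestr("AndroidManifest.xml", b"<manifest/>")
    return buf.getvalue()


if __name__ == "__main__":
    for key, hits in triage_apk(build_sample_apk()).items():
        print(f"{key:15} {hits}")
```

Treat the output as a triage signal, not a verdict: legitimate apps that use dynamic feature delivery also reference these loaders, and a dropper that obfuscates the loader class name via reflection or keeps the payload encrypted will show up only in the entropy bucket, which is why the scan reports both.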

“SOCKS5 proxies allow the trojan to route traffic through victim devices, effectively creating a peer-to-peer network that can be used for further attacks or data exfiltration,” explained Marcus Chen, senior researcher at CyberGuard Labs.

Pairing TON for C2 with SOCKS5 proxying is new among Android banking trojans. The first makes the infrastructure hard to take down; the second gives the operators a pool of residential mobile relays to work through while carrying out credential theft and cryptocurrency theft at scale.

Background: The TrickMo Trojan Family

TrickMo was first reported in 2019 as an Android trojan and took its name from the TrickBot operation: TrickBot-infected Windows machines were used to push it onto the phones of German online-banking customers so it could intercept SMS and app-generated one-time transaction codes (TAN) used as a second factor.

Past versions relied on conventional HTTP-based C2 servers and had no integrated proxying capability. The 2026 upgrade fits a broader trend of malware moving to decentralized infrastructure that cannot be disrupted by seizing a single domain or server.

“TrickMo’s evolution is a clear warning—attackers are actively investing in more resilient and covert mobile malware,” said Sarah Okafor, vice president of threat research at NetDefend.

Targets and Impact

Geographically, the campaign has focused on France, Italy, and Austria, with lures built around banking apps and cryptocurrency wallets used in those countries. Victims typically receive phishing messages mimicking bank alerts or crypto exchange notifications that lead them to sideload the malicious APK.

Once a device is compromised, the trojan can intercept SMS (including one-time codes), steal credentials, and accept SOCKS5 connections so the operators can route their own traffic through the device, turning each infected phone into a hidden relay node.

“This pivoting capability could allow attackers to mask their true location and launch secondary attacks on enterprise networks from within the victim’s own IP range,” warned Chen.

What This Means for Users and Security Teams

For Android users, especially in the affected countries, treat links in SMS or chat messages that claim to come from a bank or exchange with suspicion and install apps only from Google Play. Keep Google Play Protect enabled, do not sideload APKs, and question any app that asks for SMS permissions it has no reason to need.

For security teams, a C2 channel resolved through TON means there is no attacker-controlled domain or IP to put on a blocklist, so domain-filtering alone will not catch it. Detection has to rest on behavior: SOCKS5 negotiation to or from a phone (the handshake itself is plaintext even when the relayed traffic is not), inbound connections that a mobile device would never normally accept, a phone opening connections to internal hosts, and TON network access from apps that have no reason to use it.
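The pivot scenario raised above and the SOCKS5 traffic pattern recommended here come together in one check: decode the SOCKS5 negotiation (RFC 1928) in a captured TCP payload and look at where a CONNECT request points. The code below is an added example, not from ThreatFabric or from any TrickMo sample; it recognises the client method-selection message, parses CONNECT requests for IPv4, IPv6 and domain-name targets, and flags a relay being aimed at an RFC 1918, loopback or link-local address, which on a phone means it is being used as a way into the network it sits on. The sample payloads are constructed by hand, not captured traffic.

```python
"""Recognise SOCKS5 negotiation in captured TCP payloads (added example)."""
import ipaddress
import struct

SOCKS_VERSION = 0x05
CMD_CONNECT = 0x01
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04


def is_socks5_greeting(payload: bytes) -> bool:
    """Client method selection: VER=5, NMETHODS, then exactly NMETHODS method bytes."""
    if len(payload) < 2 or payload[0] != SOCKS_VERSION:
        return False
    nmethods = payload[1]
    return nmethods >= 1 and len(payload) == 2 + nmethods


def parse_connect(payload: bytes):
    """Return (host, port) for a SOCKS5 CONNECT request, or None if it is not one."""
    if (len(payload) < 4 or payload[0] != SOCKS_VERSION
            or payload[1] != CMD_CONNECT or payload[2] != 0x00):
        return None
    atyp = payload[3]
    if atyp == ATYP_IPV4:
        if len(payload) != 10:
            return None
        host, port_off = str(ipaddress.IPv4Address(payload[4:8])), 8
    elif atyp == ATYP_DOMAIN:
        if len(payload) < 5:
            return None
        n = payload[4]
        if len(payload) != 5 + n + 2:
            return None
        host, port_off = payload[5:5 + n].decode("ascii", errors="replace"), 5 + n
    elif atyp == ATYP_IPV6:
        if len(payload) != 22:
            return None
        host, port_off = str(ipaddress.IPv6Address(payload[4:20])), 20
    else:
        return None
    port = struct.unpack("!H", payload[port_off:port_off + 2])[0]
    return host, port


def classify_connect(payload: bytes) -> str:
    """Label a CONNECT request by where the relay is being pointed."""
    parsed = parse_connect(payload)
    if parsed is None:
        return "not-socks5-connect"
    host, port = parsed
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        # Domain-name target: resolve separately before judging it.
        return f"socks5-connect domain {host}:{port}"
    if addr.is_private or addr.is_loopback or addr.is_link_local:
        # A phone relaying into its own LAN is the pivot case worth alerting on.
        return f"socks5-connect INTERNAL {host}:{port}"
    return f"socks5-connect external {host}:{port}"


# Constructed sample payloads (not captured traffic).
SAMPLES = {
    "greeting_noauth": bytes([0x05, 0x01, 0x00]),
    "greeting_userpass": bytes([0x05, 0x02, 0x00, 0x02]),
    # CONNECT 10.0.0.5:445 -> relay aimed at an internal SMB host
    "connect_internal": bytes([0x05, 0x01, 0x00, 0x01, 10, 0, 0, 5]) + struct.pack("!H", 445),
    # CONNECT example.com:443 by domain name
    "connect_domain": bytes([0x05, 0x01, 0x00, 0x03, 11]) + b"example.com" + struct.pack("!H", 443),
    # Start of a TLS ClientHello: must not match anything
    "tls_hello": bytes([0x16, 0x03, 0x01, 0x00, 0xC8, 0x01]),
}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(f"{name:18} greeting={is_socks5_greeting(data)!s:5} {classify_connect(data)}")
```

Applied to reassembled TCP streams, the greeting check identifies the direction of the proxy (a phone receiving greetings is the server, i.e. the relay), and the CONNECT classification tells you what the operator is reaching for through it. Because the byte patterns are short, use this as a first-pass filter on the first segment of each new connection rather than a full-payload scan, and pair it with the connection-direction checks described above.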

“Organizations should review their mobile device management policies and consider advanced endpoint detection solutions that monitor for proxy tunneling,” recommended Okafor.

ThreatFabric has shared indicators of compromise (IoCs) with industry partners and law enforcement. Further technical details are expected in a forthcoming advisory.
