Android Banking Trojan TrickMo Evolves: New Variant Leverages TON Blockchain for Stealthy C2 and SOCKS5 Proxy Pivots
Breaking: TrickMo Trojan Strikes Again with Blockchain-Powered Command & Control
A new variant of the TrickMo Android banking trojan uses The Open Network (TON) for command-and-control (C2) communications and runs SOCKS5 proxies on infected devices to create network pivots, researchers confirmed today. The malware, observed by ThreatFabric in January and February 2026, is actively targeting users of banking and cryptocurrency wallet applications in France, Italy, and Austria.

“This is a significant evolution in malware communication tactics,” said Dr. Elena Marchetti, senior threat analyst at ThreatFabric. “By harnessing TON’s decentralized infrastructure, the attackers make C2 traffic far harder to block or takedown—traditional IP-based blocking is now ineffective.”
How the New TrickMo Variant Works
The updated TrickMo dropper loads a malicious dex.module at runtime, so the code that matters is absent from the APK a static scanner sees. Once installed, the trojan runs a SOCKS5 proxy on the compromised device, turning it into a pivot node: the attackers can route traffic through infected devices to mask their true origin and reach hosts on whatever network the phone is connected to, corporate or home.
“What sets this apart is the use of TON for C2,” added Marchetti. “TON’s blockchain-based messaging allows for resilient, encrypted command channels that are nearly impossible to sinkhole.” The deployment of SOCKS5 further amplifies the threat, as it enables network-level pivoting without requiring root access.
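The runtime loading described above is what a static check should look for in the dropper APK. The following is an added example, not TrickMo's or ThreatFabric's code: it walks the string table of a DEX file and reports references to Android's runtime class-loading classes (DexClassLoader, InMemoryDexClassLoader, DexFile), since a dropper has to name one of them to load a second module. The article does not say which loader TrickMo uses, so that marker list is an assumption, and the DEX blobs here are constructed in memory rather than taken from a real sample.

```python
"""Added example (not TrickMo's or ThreatFabric's code): a static check that walks a DEX
string table and flags the runtime class-loading APIs a dropper needs to load a second
DEX module. The sample DEX below is constructed in memory, not taken from a real APK."""
import struct

HEADER_SIZE = 0x70
# Type descriptors that land in a DEX string table when app code references these classes.
# Which loader TrickMo actually uses is not stated in the article; this list is an assumption.
DYNAMIC_LOADER_MARKERS = {
    "Ldalvik/system/DexClassLoader;",
    "Ldalvik/system/InMemoryDexClassLoader;",
    "Ldalvik/system/DexFile;",
}


def read_uleb128(buf: bytes, off: int):
    """Decode an unsigned LEB128 value starting at off; return (value, next offset)."""
    value = shift = 0
    while True:
        b = buf[off]
        off += 1
        value |= (b & 0x7F) << shift
        if not b & 0x80:
            return value, off
        shift += 7


def dex_strings(dex: bytes):
    """Read every entry of the string_ids table (count and offset sit at header 0x38/0x3C)."""
    if len(dex) < HEADER_SIZE or not dex.startswith(b"dex\n"):
        raise ValueError("not a DEX file")
    count, table_off = struct.unpack_from("<II", dex, 0x38)
    out = []
    for i in range(count):
        (data_off,) = struct.unpack_from("<I", dex, table_off + 4 * i)
        _utf16_len, pos = read_uleb128(dex, data_off)  # string_data_item: uleb128 size, MUTF-8, NUL
        end = dex.index(b"\x00", pos)                   # MUTF-8 never emits a raw NUL byte
        out.append(dex[pos:end].decode("utf-8", "replace"))
    return out


def find_dynamic_loading(dex: bytes):
    """Loader descriptors present in the DEX, sorted; an empty list means none were referenced."""
    return sorted(s for s in dex_strings(dex) if s in DYNAMIC_LOADER_MARKERS)


def uleb128(value: int) -> bytes:
    """Encode an unsigned LEB128 value (used only to build the constructed fixture)."""
    out = bytearray()
    while True:
        byte, value = value & 0x7F, value >> 7
        out.append(byte | 0x80 if value else byte)
        if not value:
            return bytes(out)


def build_minimal_dex(strings):
    """Constructed fixture: header plus string table, enough for the parser above.
    Checksum and signature stay zero; a real DEX also carries type, method and class tables."""
    header = bytearray(HEADER_SIZE)
    header[0:8] = b"dex\n035\x00"
    struct.pack_into("<I", header, 0x24, HEADER_SIZE)   # header_size
    struct.pack_into("<I", header, 0x28, 0x12345678)    # endian_tag (little-endian)
    ids, data = bytearray(), bytearray()
    data_base = HEADER_SIZE + 4 * len(strings)
    for s in sorted(strings):                           # DEX requires a sorted string table
        ids += struct.pack("<I", data_base + len(data))
        data += uleb128(len(s)) + s.encode("utf-8") + b"\x00"
    struct.pack_into("<II", header, 0x38, len(strings), HEADER_SIZE)
    blob = header + ids + data
    struct.pack_into("<I", blob, 0x20, len(blob))       # file_size
    return bytes(blob)


# Constructed string tables: one resembling a dropper, one an ordinary activity.
DROPPER_STRINGS = ["Landroid/app/Activity;", "Ldalvik/system/DexClassLoader;",
                   "Ljava/lang/Object;", "loadClass", "onCreate"]
BENIGN_STRINGS = ["Landroid/app/Activity;", "Ljava/lang/Object;", "onCreate"]

if __name__ == "__main__":
    for name, table in (("dropper", DROPPER_STRINGS), ("benign", BENIGN_STRINGS)):
        print(name, find_dynamic_loading(build_minimal_dex(table)))
```

Run `find_dynamic_loading` over the `classes.dex` (and any `classes2.dex` and so on) unzipped from the APK root. A hit is a lead, not a verdict: plugin frameworks and some ad SDKs load code the same way, so the point is to force a closer look at any app that arrived through an SMS link.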
Background: TrickMo’s Evolution
TrickMo was first documented in 2020 as an Android companion to the TrickBot banking trojan, used to steal the one-time codes banks send by SMS. Over time it has added overlay attacks, broader SMS interception, and credential harvesting. The latest iteration marks a notable shift toward networking capabilities: from simple HTTP-based C2 to decentralized blockchain communication and proxy chaining.
ThreatFabric’s analysis indicates that the malware is distributed through SMS phishing (smishing) campaigns that mimic official bank alerts. Once the user installs the fake app, TrickMo requests extensive permissions, including enabling it as an Accessibility Service, which lets it read screen contents and act on the user’s behalf. The new variant uses no exploit for initial compromise; it relies entirely on social engineering.

What This Means for Users and Organizations
For Android users in the affected regions, the immediate risk is financial theft. The trojan can overlay legitimate banking and crypto wallet apps, capturing login credentials and two-factor codes. More broadly, the use of SOCKS5 pivots means that a single compromised phone could become a gateway for attackers to pivot into corporate networks if the device is used for work purposes.
“Enterprises must treat compromised mobile devices as potential network entry points,” warned Marchetti. “Standard endpoint detection is often blind to SOCKS5 proxy traffic initiated from a phone. We recommend enforcing strict app installation policies and monitoring for unusual outbound proxy connections.” Security teams should also watch for TON traffic: it is ordinary HTTPS to TON-related domains and will not stand out by port or protocol.
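One way to act on the monitoring advice above, as an added example that is neither ThreatFabric's nor TrickMo's code: a SOCKS5 (RFC 1928) handshake parser run over the first bytes of each TCP flow. The check is deliberately direction-agnostic, because a phone hosting a proxy for an operator typically dials out and then waits for the SOCKS5 greeting to arrive over that connection (a reverse-proxy arrangement assumed here, not something the article confirms); keying on the connection initiator alone would miss it. The flows, addresses and mobile subnet below are constructed.

```python
"""Added example: spotting a SOCKS5 proxy served by a phone from the first bytes of each flow.
Not TrickMo's code and not ThreatFabric's; the flows below are constructed, not captured."""
import ipaddress
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

SOCKS_VERSION = 5
CMD_NAMES = {1: "CONNECT", 2: "BIND", 3: "UDP_ASSOCIATE"}


@dataclass
class SocksRequest:
    command: str
    host: str
    port: int


def parse_greeting(data: bytes) -> Optional[List[int]]:
    """RFC 1928 client greeting: VER=5, NMETHODS, METHODS. Returns offered methods or None."""
    if len(data) < 2 or data[0] != SOCKS_VERSION or data[1] == 0:
        return None
    n = data[1]
    return list(data[2:2 + n]) if len(data) >= 2 + n else None


def is_method_select(data: bytes) -> bool:
    """The proxy's 2-byte answer to the greeting: VER=5, chosen METHOD."""
    return len(data) == 2 and data[0] == SOCKS_VERSION


def parse_request(data: bytes) -> Optional[SocksRequest]:
    """RFC 1928 request: VER, CMD, RSV=0, ATYP, DST.ADDR, DST.PORT (big-endian)."""
    if len(data) < 4 or data[0] != SOCKS_VERSION or data[2] != 0 or data[1] not in CMD_NAMES:
        return None
    atyp, pos = data[3], 4
    if atyp == 1 and len(data) >= pos + 4:                       # IPv4
        host, pos = str(ipaddress.IPv4Address(data[pos:pos + 4])), pos + 4
    elif atyp == 3 and len(data) >= pos + 1:                     # length-prefixed domain name
        n = data[pos]
        if len(data) < pos + 1 + n:
            return None
        host, pos = data[pos + 1:pos + 1 + n].decode("ascii", "replace"), pos + 1 + n
    elif atyp == 4 and len(data) >= pos + 16:                    # IPv6
        host, pos = str(ipaddress.IPv6Address(data[pos:pos + 16])), pos + 16
    else:
        return None
    if len(data) < pos + 2:
        return None
    return SocksRequest(CMD_NAMES[data[1]], host, struct.unpack_from(">H", data, pos)[0])


@dataclass
class Flow:
    initiator: str                      # IP that opened the TCP connection
    responder: str
    messages: List[Tuple[str, bytes]]   # (sender IP, payload) in wire order


def find_socks5_server(flow: Flow) -> Optional[Tuple[str, Optional[SocksRequest]]]:
    """(IP acting as SOCKS5 server, first request seen) if the flow carries a SOCKS5
    handshake in either direction, else None. The greeting comes from the SOCKS client,
    so whoever receives it is the proxy, even if that host opened the TCP connection."""
    for i, (sender, payload) in enumerate(flow.messages):
        if parse_greeting(payload) is None:
            continue
        proxy = flow.responder if sender == flow.initiator else flow.initiator
        # Require the proxy side's method-select reply before believing the greeting.
        if i + 1 >= len(flow.messages) or flow.messages[i + 1][0] != proxy \
                or not is_method_select(flow.messages[i + 1][1]):
            return None
        request = None
        for s, p in flow.messages[i + 2:]:
            if s == sender:
                request = parse_request(p)
                if request is not None:
                    break
        return proxy, request
    return None


def alerts_for(flows, mobile_subnet) -> List[Tuple[str, Optional[SocksRequest]]]:
    """Flows in which a host on the mobile subnet is serving SOCKS5 to someone else."""
    net = ipaddress.ip_network(mobile_subnet)
    found = [find_socks5_server(f) for f in flows]
    return [hit for hit in found if hit and ipaddress.ip_address(hit[0]) in net]


# Constructed traffic (not captured); addresses are RFC 1918 and documentation ranges.
PHONE, OPERATOR, INTERNAL_HOST = "10.20.30.40", "203.0.113.10", "10.20.0.5"
CONNECT_445 = b"\x05\x01\x00\x01" + ipaddress.IPv4Address(INTERNAL_HOST).packed + (445).to_bytes(2, "big")
REVERSE_SOCKS_FLOW = Flow(PHONE, OPERATOR, [      # the phone dials out ...
    (OPERATOR, b"\x05\x01\x00"),                  # ... but the operator speaks first, as SOCKS client
    (PHONE, b"\x05\x00"),                         # phone accepts "no authentication"
    (OPERATOR, CONNECT_445),                      # operator asks the phone to reach an internal host
    (PHONE, b"\x05\x00\x00\x01" + bytes(4) + bytes(2)),   # success reply
])
TLS_FLOW = Flow(PHONE, "198.51.100.7", [(PHONE, b"\x16\x03\x01\x00\xc4\x01\x00\x00\xc0\x03\x03")])
CORP_PROXY_FLOW = Flow("10.20.0.9", "10.20.0.1", [("10.20.0.9", b"\x05\x02\x00\x02"), ("10.20.0.1", b"\x05\x02")])
SAMPLE_FLOWS = [REVERSE_SOCKS_FLOW, TLS_FLOW, CORP_PROXY_FLOW]
MOBILE_SUBNET = "10.20.30.0/24"

if __name__ == "__main__":
    for proxy, req in alerts_for(SAMPLE_FLOWS, MOBILE_SUBNET):
        print(f"SOCKS5 server on mobile device {proxy}: {req}")
```

Only the reverse flow fires: the phone opened the connection, yet the remote side sent the greeting and then asked for a CONNECT to an internal host on port 445. The corporate workstation talking to a legitimate proxy on the office subnet parses as SOCKS5 too, but the proxy is not a mobile device, so it is left alone. The handshake is visible only where the transport is plain TCP; if the operator wraps it in TLS, this check has to run at a point where the traffic is decrypted or fall back to the behavioural signals the article lists (long-lived outbound connections from phones carrying traffic to internal hosts).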
Additionally, the decentralized C2 infrastructure poses challenges for law enforcement. Traditional takedown methods that rely on seizing servers will not work. The research community is exploring blockchain analysis techniques to map and disrupt TON-based C2 infrastructure, but no widespread mitigation exists yet.
Recommended Actions
- For individuals: Avoid installing apps from unknown sources; verify SMS messages from banks through official channels; review app permissions regularly.
- For organizations: Deploy mobile threat defense solutions capable of detecting proxy activity; block known TON communication endpoints; implement network segmentation for mobile devices.
- For researchers: Share indicators of compromise (IOCs) related to TON C2 domains and SOCKS5 proxy ports.
As of February 2026, ThreatFabric has observed over 1,200 unique infections across the three target countries. The campaign shows no signs of slowing down. This is a developing story—updates expected.