TrickMo Android Trojan Leverages TON for C2 and SOCKS5 Pivots
A new variant of the TrickMo Android banking trojan has emerged that uses The Open Network (TON) for its command-and-control (C2) infrastructure. According to The Hacker News, citing observations by ThreatFabric between January and February 2026, this version also uses SOCKS5 proxies to establish network pivots, improving its stealth and resilience.

This updated TrickMo variant specifically targets users of banking and cryptocurrency applications in France, Italy, and Austria. The Hacker News notes that the trojan’s operational sophistication is raised by its reliance on a runtime-loaded APK module (dex.module), a technique that complicates detection and analysis: the malware fetches and loads its malicious components dynamically, so its behaviour can change after infection and the installed package alone reveals little of its functionality.

The use of TON for C2 is a significant shift, providing attackers with a decentralized and encrypted communication channel that is inherently more resistant to traditional takedowns and surveillance. Coupled with SOCKS5 for network pivoting, this variant presents a formidable threat, enabling attackers to route traffic through compromised devices and evade direct attribution. It’s a clear move to harden infrastructure against law enforcement and security industry efforts.

What This Means For You

  • If your organization's employees use personal devices for work (BYOD) or access corporate resources, this TrickMo variant poses a direct risk. Advise users in France, Italy, and Austria, especially those with banking or crypto apps, to scrutinize app permissions and avoid sideloading. Implement robust mobile device management (MDM) policies and consider app attestation to prevent the installation of untrusted applications.
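As an added example (not from the article or from ThreatFabric), the following Python flow-triage helper recognizes RFC 1928 SOCKS5 client greetings and requests in the first bytes of a TCP payload, so a SOC can flag a managed phone that is accepting SOCKS5 connections, the pivot behaviour described above. The flow records, addresses and `scan_flows` interface are constructed for the example.

```python
import struct
from typing import Optional

SOCKS_VERSION = 0x05
CMD_NAMES = {0x01: "CONNECT", 0x02: "BIND", 0x03: "UDP_ASSOCIATE"}

def parse_greeting(payload: bytes) -> Optional[str]:
    """RFC 1928 client greeting: VER NMETHODS METHODS[...]; None if not one."""
    if len(payload) < 3 or payload[0] != SOCKS_VERSION or len(payload) != 2 + payload[1]:
        return None
    return "methods=" + ",".join(f"{m:#04x}" for m in payload[2:])

def parse_request(payload: bytes) -> Optional[str]:
    """RFC 1928 request: VER CMD RSV ATYP DST.ADDR DST.PORT; None if not one."""
    if len(payload) < 7 or payload[0] != SOCKS_VERSION or payload[2] != 0x00:
        return None
    cmd, atyp = payload[1], payload[3]
    if cmd not in CMD_NAMES:
        return None
    if atyp == 0x01 and len(payload) == 10:                # IPv4 address
        host, port_off = ".".join(str(b) for b in payload[4:8]), 8
    elif atyp == 0x03 and len(payload) == 7 + payload[4]:  # length-prefixed domain
        host, port_off = payload[5:5 + payload[4]].decode("ascii", "replace"), 5 + payload[4]
    elif atyp == 0x04 and len(payload) == 22:              # IPv6, shown as raw hex
        host, port_off = payload[4:20].hex(), 20
    else:
        return None
    port = struct.unpack("!H", payload[port_off:port_off + 2])[0]
    return f"{CMD_NAMES[cmd]} {host}:{port}"

def scan_flows(flows):
    """flows: iterable of (src, dst, first_payload_bytes). Returns a
    (src, dst, kind, detail) tuple for every SOCKS5-shaped payload; a greeting
    or request arriving AT a managed phone means the phone is acting as a proxy."""
    hits = []
    for src, dst, payload in flows:
        if (d := parse_greeting(payload)) is not None:
            hits.append((src, dst, "greeting", d))
        elif (d := parse_request(payload)) is not None:
            hits.append((src, dst, "request", d))
    return hits

# Constructed sample flows (not real indicators): an operator host talking SOCKS5 to
# a managed phone at 10.42.0.17, plus an ordinary TLS ClientHello that must not match.
SAMPLE_FLOWS = [
    ("203.0.113.9", "10.42.0.17", b"\x05\x01\x00"),
    ("203.0.113.9", "10.42.0.17", b"\x05\x01\x00\x03\x0bexample.com\x01\xbb"),
    ("10.42.0.17", "198.51.100.4", b"\x16\x03\x01\x02\x00\x01\x00\x01\xfc\x03\x03"),
]
```

Feed it the first payload of each inbound flow to device subnets from a packet capture or flow sensor; any hit against a phone that has no business serving a proxy is worth an investigation.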

Related ATT&CK Techniques

Indicators of Compromise

ID              Type                    Indicator
TrickMo-TON-C2  Information Disclosure  TrickMo Android banking trojan
TrickMo-TON-C2  Misconfiguration        The Open Network (TON) for command-and-control (C2)
TrickMo-TON-C2  Code Injection          runtime-loaded APK (dex.module)
