TrickMo Android Banker Leverages TON Blockchain for Stealthy Communications
A new variant of the **TrickMo** Android banking malware is targeting European users with updated capabilities. This version uses **The Open Network (TON)** blockchain for command-and-control (C2) communications, enhancing its stealth and resilience against takedowns.
The **TrickMo** Android banking trojan, initially discovered in September 2019, continues to evolve with sophisticated techniques. The latest iteration, dubbed 'Trickmo.C' by **ThreatFabric**, employs the **TON** blockchain to conceal its C2 infrastructure, making it harder to detect and neutralize.
### TON Integration for Enhanced Stealth
The key innovation in this **TrickMo** variant is its use of **TON** for C2 communications. **TON** is a decentralized peer-to-peer network, originally associated with **Telegram**, that provides encrypted communication channels. By resolving `.adnl` addresses through a local **TON** proxy running on the infected device, **TrickMo** hides its communication endpoints from DNS-based monitoring and blocking.
This approach offers significant advantages for malware operators:
* **Evasion of Traditional Takedowns:** Unlike traditional domain-based C2 servers, **TON** addresses are not reliant on the public DNS hierarchy.
* **Encrypted Communications:** Network traffic appears as generic **TON** traffic, indistinguishable from legitimate **TON**-enabled applications.
According to **ThreatFabric**, "Traditional domain takedowns are largely ineffective because the operator's endpoints do not rely on the public DNS hierarchy and instead exist as TON .adnl identities resolved inside the overlay network itself. Traffic-pattern detection at the network edge sees only TON traffic, which is encrypted and indistinguishable from any other TON-enabled application's outbound flow."
*Figure: TrickMo operational architecture (Source: ThreatFabric)*
### TrickMo's Capabilities
**TrickMo** maintains a modular design, consisting of a loader APK and a dynamically downloaded module containing the malicious functionality. This malware is known for:
* Phishing overlays to steal banking credentials
* Keylogging and screen recording
* SMS interception and OTP suppression
* Clipboard modification
* Notification filtering
* Screenshot capturing
The newest variant introduces the following new commands:
* `curl`
* `dnsLookup`
* `ping`
* `telnet`
* `traceroute`
* SSH tunneling
* Remote and local port forwarding
* Authenticated SOCKS5 proxy support
Researchers also found the **Pine** runtime hooking framework, previously used to intercept networking and Firebase operations, still present in the sample but currently inactive.
### Mitigation Recommendations
To protect against **TrickMo** and similar Android malware, users should:
* Only download apps from the **Google Play** Store.
* Limit the number of installed apps.
* Use apps only from reputable publishers.
* Ensure **Google Play Protect** is enabled.