TrickMo Android Trojan Evolves: Now Leveraging TON Blockchain for Stealthy C2 Communications
A new variant of the **TrickMo** Android banking trojan has been discovered using **The Open Network (TON)** for command-and-control (C2) communications. This evolution allows for stealthier operations and makes traditional detection methods less effective.

Cybersecurity researchers have identified a new version of the **TrickMo** Android banking trojan that leverages **The Open Network (TON)** for C2 communications. This variant has been observed actively targeting banking and cryptocurrency wallet users in France, Italy, and Austria in January and February 2026.
**Evolving Capabilities**
According to a report shared with The Hacker News by **ThreatFabric**, "TrickMo relies on a runtime-loaded APK (dex.module), used also by the previous variant, but updated with new features adding new network-oriented functionality, including reconnaissance, SSH tunnelling, and SOCKS5 proxying capabilities that allow infected devices to function as programmable network pivots and traffic-exit nodes."
**TrickMo's History**
**TrickMo** is a device takeover (DTO) malware active since late 2019. It was first flagged by **CERT-Bund** and **IBM X-Force**, who detailed its ability to abuse Android's accessibility services to hijack one-time passwords (OTPs). It possesses a broad range of features, including credential phishing, keystroke logging, screen recording, live screen streaming, and SMS interception, effectively granting complete remote device control to the operator.
**TrickMo C: The Latest Iteration**
The newest versions, dubbed **TrickMo C**, are distributed via phishing websites and dropper apps. These droppers deliver a dynamically loaded APK ("dex.module") retrieved at runtime from attacker-controlled infrastructure. A key architectural change is the use of the TON decentralized blockchain for covert C2 communications.
"TrickMo carries an embedded native TON proxy that the host APK starts on a loopback port at process start," **ThreatFabric** stated. "The bot's HTTP client is wired through that proxy, so every outbound command-and-control request is addressed to an .adnl hostname and resolved through the TON overlay."
The dropper apps are distributed through Facebook disguised as adult-themed versions of TikTok, while the TrickMo payload itself impersonates Google Play Services. Observed package names include:
* com.app16330.core20461 or com.app15318.core1173 (Dropper)
* uncle.collop416.wifekin78 or nibong.lida531.butler836 (TrickMo)
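To turn the package names above into a quick check against a suspect device, here is an added example (my own code, not ThreatFabric's tooling) that parses the output of `adb shell pm list packages` and flags the four names from the report. As an assumption of my own, it also flags two naming patterns generalised from those samples; treat those as hunt leads for manual review, not signatures. The sample package list is constructed.

```python
"""Triage an Android package list against the TrickMo package names quoted
above. Added example, not ThreatFabric's tooling. Input is the text printed by
`adb shell pm list packages -3` (third-party packages only); the sample below
is constructed for illustration."""
import re
import subprocess

# Exact package names from the report.
KNOWN_DROPPERS = {"com.app16330.core20461", "com.app15318.core1173"}
KNOWN_TRICKMO = {"uncle.collop416.wifekin78", "nibong.lida531.butler836"}

# Assumption: naming heuristics generalised from those four samples. They are
# hunt leads for manual review, not signatures.
DROPPER_PATTERN = re.compile(r"^com\.app\d+\.core\d+$")
TRICKMO_PATTERN = re.compile(r"^[a-z]+\.[a-z]+\d+\.[a-z]+\d+$")


def parse_pm_list(text):
    """Turn 'package:<name>' lines from `pm list packages` into a list of names."""
    names = []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("package:"):
            names.append(line[len("package:"):])
    return names


def triage(packages):
    """Return [(package, reason)] for every package worth a closer look,
    exact IOC matches first, heuristic matches after."""
    exact, heuristic = [], []
    for pkg in packages:
        if pkg in KNOWN_DROPPERS:
            exact.append((pkg, "known TrickMo dropper"))
        elif pkg in KNOWN_TRICKMO:
            exact.append((pkg, "known TrickMo payload"))
        elif DROPPER_PATTERN.match(pkg):
            heuristic.append((pkg, "dropper-like naming (heuristic)"))
        elif TRICKMO_PATTERN.match(pkg):
            heuristic.append((pkg, "TrickMo-like naming (heuristic)"))
    return exact + heuristic


def triage_device(serial=None):
    """Run the check against an attached device via adb (needs adb on PATH)."""
    cmd = ["adb"] + (["-s", serial] if serial else []) + ["shell", "pm", "list", "packages", "-3"]
    out = subprocess.run(cmd, capture_output=True, text=True, check=True).stdout
    return triage(parse_pm_list(out))


# Constructed sample output: three benign packages plus one known TrickMo
# payload and one package that only matches the dropper heuristic.
SAMPLE_PM_OUTPUT = """\
package:com.android.chrome
package:org.mozilla.firefox
package:com.whatsapp
package:uncle.collop416.wifekin78
package:com.app99999.core12
"""

if __name__ == "__main__":
    for pkg, reason in triage(parse_pm_list(SAMPLE_PM_OUTPUT)):
        print(f"{pkg:35s} {reason}")
```

A package name match is only a first cut: the dropper names will change between campaigns, and the payload is loaded at runtime as dex.module, so a clean package list does not clear a device that has already run a dropper.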

**Network Reconnaissance and SOCKS5 Proxy Capabilities**
Previous versions of dex.module implemented accessibility-driven remote control over a socket.io-based channel; the new version adds a network-operations subsystem on top of that. This turns the malware from a conventional banking trojan into a managed network foothold.
The subsystem supports commands like curl, dnslookup, ping, telnet, and traceroute, providing the attacker with a "remote shell-equivalent for network reconnaissance from the victim's network position, including any internal corporate or home network the device is currently associated with," according to **ThreatFabric**.
Another significant feature is a SOCKS5 proxy, which turns the compromised device into a network exit node for routing malicious traffic, bypassing IP-based fraud-detection signatures on banking, e-commerce, and cryptocurrency exchange services.
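The SOCKS5 handshake such an exit node speaks is short and worth knowing byte for byte, since it is what a sensor sees on the wire whichever side opens the TCP connection. Below is an added example, my own code and not TrickMo's, that builds the RFC 1928 greeting, the RFC 1929 username/password sub-negotiation and the CONNECT request from both ends, and classifies a captured client-side stream. The credentials, target host and the sample exchange are constructed.

```python
"""Authenticated SOCKS5 handshake (RFC 1928 method negotiation, RFC 1929
username/password) built and parsed from both ends, so the wire format a
proxy exit node speaks is concrete. Added example; not TrickMo's code, and
the credentials, target and sample stream below are constructed."""
import ipaddress
import struct

VER = 0x05
NO_AUTH, USERPASS = 0x00, 0x02
CMD_CONNECT = 0x01
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04


def client_greeting(methods):
    # VER | NMETHODS | METHODS...
    return bytes([VER, len(methods)]) + bytes(methods)


def server_method_choice(method):
    # VER | METHOD (0xFF = no acceptable method)
    return bytes([VER, method])


def client_userpass(username, password):
    # RFC 1929: VER=1 | ULEN | UNAME | PLEN | PASSWD
    u, p = username.encode(), password.encode()
    return bytes([0x01, len(u)]) + u + bytes([len(p)]) + p


def server_auth_status(ok):
    # RFC 1929: VER=1 | STATUS (0x00 = success)
    return bytes([0x01, 0x00 if ok else 0x01])


def encode_address(host):
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        h = host.encode()
        return bytes([ATYP_DOMAIN, len(h)]) + h
    return bytes([ATYP_IPV4 if ip.version == 4 else ATYP_IPV6]) + ip.packed


def client_connect(host, port):
    # VER | CMD | RSV | ATYP | DST.ADDR | DST.PORT
    return bytes([VER, CMD_CONNECT, 0x00]) + encode_address(host) + struct.pack(">H", port)


def server_reply(rep=0x00, bind_host="0.0.0.0", bind_port=0):
    # VER | REP | RSV | ATYP | BND.ADDR | BND.PORT ; REP 0x00 = succeeded
    return bytes([VER, rep, 0x00]) + encode_address(bind_host) + struct.pack(">H", bind_port)


def parse_connect(data):
    """Return (host, port) from a CONNECT request, or None if it is not one."""
    if len(data) < 4 or data[0] != VER or data[1] != CMD_CONNECT:
        return None
    atyp = data[3]
    if atyp == ATYP_IPV4 and len(data) == 10:
        return str(ipaddress.IPv4Address(data[4:8])), struct.unpack(">H", data[8:])[0]
    if atyp == ATYP_IPV6 and len(data) == 22:
        return str(ipaddress.IPv6Address(data[4:20])), struct.unpack(">H", data[20:])[0]
    if atyp == ATYP_DOMAIN and len(data) >= 5 and len(data) == 7 + data[4]:
        return data[5:5 + data[4]].decode(errors="replace"), struct.unpack(">H", data[-2:])[0]
    return None


def classify_stream(client_payloads):
    """Given the client->server payloads of one TCP stream in order, say whether
    it is a SOCKS5 session, whether it authenticated, and where it wanted to go.
    Detection logic for a plaintext capture, not the proxy itself."""
    if not client_payloads:
        return {"socks5": False}
    greeting = client_payloads[0]
    if len(greeting) < 2 or greeting[0] != VER or len(greeting) != 2 + greeting[1]:
        return {"socks5": False}
    methods = set(greeting[2:])
    result = {"socks5": True, "offers_userpass": USERPASS in methods,
              "authenticated": False, "username": None, "target": None}
    idx = 1
    # A username/password sub-negotiation starts with 0x01; a CONNECT with 0x05.
    if idx < len(client_payloads) and client_payloads[idx][:1] == b"\x01":
        auth = client_payloads[idx]
        ulen = auth[1] if len(auth) > 1 else 0
        if len(auth) > 2 + ulen and len(auth) == 3 + ulen + auth[2 + ulen]:
            result["authenticated"] = True
            result["username"] = auth[2:2 + ulen].decode(errors="replace")
        idx += 1
    if idx < len(client_payloads):
        result["target"] = parse_connect(client_payloads[idx])
    return result


if __name__ == "__main__":
    # Constructed exchange: the client offers no-auth and user/pass, the server
    # picks user/pass, the client authenticates, then asks to CONNECT to a bank.
    c2s = [client_greeting([NO_AUTH, USERPASS]),
           client_userpass("bot7", "s3cret"),
           client_connect("bank.example", 443)]
    s2c = [server_method_choice(USERPASS), server_auth_status(True), server_reply()]
    for c, s in zip(c2s, s2c):
        print("C->S", c.hex(), "  S->C", s.hex())
    print(classify_stream(c2s))
```

The classifier only helps where the handshake is visible in the clear. If the proxy session is carried inside the SSH tunnel or over the TON overlay the report describes, a network sensor sees neither the `0x05` greeting nor the destination, which is the point of the design; host-side evidence (the loopback proxy, the runtime-loaded dex.module) is then the better lead.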
**Future Expansion?**
**TrickMo** also carries two dormant components: it bundles the Pine hooking framework and declares extensive NFC-related permissions, but neither is currently put to use. Both suggest capabilities the trojan may switch on in a later build.
**Stealth and Evasion**
"Instead of relying on conventional DNS and public internet infrastructure, the malware communicates through .adnl endpoints routed via an embedded local TON proxy, reducing the effectiveness of traditional takedown and network-blocking efforts while making the traffic blend with legitimate TON activity," **ThreatFabric** explained.
"This latest variant also expands the operational role of infected devices through SSH tunnelling and authenticated SOCKS5 proxying, effectively turning compromised phones into programmable network pivots and traffic-exit nodes whose connections originate from the victim's own network environment."