ThreatFabric researchers have identified a new TrickMo Android banking trojan variant that uses The Open Network (TON) blockchain as command-and-control (C2) infrastructure. Observed between January and February 2026, this strain actively targets banking and cryptocurrency wallet users across France, Italy, and Austria.
The variant represents a significant shift in TrickMo's operational tactics. Rather than traditional C2 channels, the trojan now exploits TON's decentralized architecture to receive commands, complicating detection and takedown efforts. The malware establishes SOCKS5 proxy connections, enabling network pivoting that allows attackers to route traffic through compromised devices and obscure their operational infrastructure.
TrickMo operates through runtime-loaded APK modules (dex.module), which the trojan downloads and executes dynamically. This approach allows operators to update functionality without requiring users to reinstall the infected application, evading detection mechanisms that analyze static APK contents. The modularity enables the trojan to inject itself into legitimate banking applications, intercept credentials, capture two-factor authentication codes, and execute fraudulent transactions.
The geographic focus on Western European financial systems reflects deliberate targeting of high-value banking environments. France, Italy, and Austria host major banking infrastructure and cryptocurrency exchanges, making them attractive targets for credential theft and account takeover operations. Cryptocurrency wallet users face particular risk, as the trojan can drain assets directly from mobile wallets.
The use of TON for C2 demonstrates evolving evasion tactics within the Android malware ecosystem. Blockchain-based command channels complicate law enforcement takedowns and create resilience against traditional domain-based blocking. The SOCKS5 proxy functionality extends the trojan's reach beyond initial compromises, allowing attackers to pivot into corporate networks through infected personal devices.
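As an added illustration of the SOCKS5 behaviour described above (not code from ThreatFabric or the original article), the following Python example flags SOCKS5 negotiation (RFC 1928) in the first client payloads of a TCP flow, the kind of check a network sensor watching mobile-device segments could run. It assumes the negotiation is visible in cleartext at the sensor; the function names and the sample flows are constructed for this example.

```python
"""Flag SOCKS5 (RFC 1928) negotiation in the first client payloads of TCP flows."""
import ipaddress
import struct

METHODS = {0x00: "no-auth", 0x01: "gssapi", 0x02: "user/pass"}
COMMANDS = {0x01: "CONNECT", 0x02: "BIND", 0x03: "UDP ASSOCIATE"}

def parse_greeting(data: bytes):
    """Return offered auth methods if data is exactly a SOCKS5 client greeting, else None."""
    if len(data) < 3 or data[0] != 0x05:
        return None
    nmethods = data[1]
    if nmethods == 0 or len(data) != 2 + nmethods:  # exact length cuts false positives
        return None
    return [METHODS.get(m, f"0x{m:02x}") for m in data[2:]]

def parse_request(data: bytes):
    """Return (command, host, port) if data is a well-formed SOCKS5 request, else None."""
    if len(data) < 7 or data[0] != 0x05 or data[2] != 0x00 or data[1] not in COMMANDS:
        return None
    atyp, body = data[3], data[4:]
    if atyp == 0x01 and len(body) == 6:               # IPv4 address + port
        host = str(ipaddress.IPv4Address(body[:4]))
    elif atyp == 0x04 and len(body) == 18:            # IPv6 address + port
        host = str(ipaddress.IPv6Address(body[:16]))
    elif atyp == 0x03 and len(body) == body[0] + 3:   # length-prefixed domain + port
        host = body[1:1 + body[0]].decode("ascii", errors="replace")
    else:
        return None
    (port,) = struct.unpack("!H", body[-2:])
    return COMMANDS[data[1]], host, port

def classify_flow(client_payloads):
    """Inspect the first two client-to-server payloads; return a finding dict or None."""
    methods = parse_greeting(client_payloads[0]) if client_payloads else None
    if methods is None:
        return None
    request = parse_request(client_payloads[1]) if len(client_payloads) > 1 else None
    return {"protocol": "socks5", "methods": methods, "request": request}

# Constructed sample flows (not captures from any real device or from the report).
SAMPLE_FLOWS = {
    "flow-a": [b"\x05\x01\x00", b"\x05\x01\x00\x03\x0bexample.org\x01\xbb"],
    "flow-b": [b"\x16\x03\x01\x00\x05hello"],  # TLS-like first bytes, not SOCKS5
    "flow-c": [b"\x05\x02\x00\x02", b"\x05\x01\x00\x01\xc0\x00\x02\x0a\x04\x38"],
}

def scan(flows):
    return {fid: f for fid, p in flows.items() if (f := classify_flow(p))}
```

A hit on a flow that originates from or terminates at a phone on a corporate network is a lead for triage rather than proof of infection, since legitimate proxy clients produce the same handshake.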
Organizations and individuals should treat this variant as a high-
