Evolving Android Banking Trojan TrickMo Adopts TON and SOCKS5 for Stealthy C2 Operations

Introduction

Cybersecurity researchers have uncovered a sophisticated new variant of the TrickMo Android banking trojan that leverages The Open Network (TON) for command-and-control (C2) communications and integrates SOCKS5 proxy capabilities to create network pivots. Discovered by ThreatFabric between January and February 2026, this updated version actively targets users of banking applications and cryptocurrency wallets in France, Italy, and Austria. The evolution of TrickMo highlights the increasing complexity of mobile malware and the creative ways attackers are using blockchain technology and proxy networks to evade detection.

Evolving Android Banking Trojan TrickMo Adopts TON and SOCKS5 for Stealthy C2 Operations
Source: feeds.feedburner.com

The New TrickMo Variant: Features and Targets

TrickMo has long been a prominent Android banking trojan, capable of overlaying legitimate apps to steal credentials, intercepting SMS messages, and bypassing two-factor authentication. However, this latest iteration introduces two critical advancements: the use of TON for C2 and the implementation of SOCKS5 proxies for lateral network movement.

According to ThreatFabric's analysis, the new variant was deployed in targeted campaigns against financial institutions and crypto exchanges in three European nations. The geographic focus suggests a deliberate strategy to exploit regional banking systems and user behaviors. Key targets include retail banking apps and popular cryptocurrency wallet services, making it a dual threat for both traditional finance and digital assets.

How TON C2 Enhances Evasion

The Open Network, originally developed by the Telegram team, is a decentralized blockchain platform designed for fast and scalable transactions. By embedding TON blockchain endpoints into its communication protocol, TrickMo can receive commands and exfiltrate data through distributed, peer-to-peer channels. This approach offers several advantages over traditional HTTP- or DNS-based C2:

By moving C2 to the blockchain, the malware can operate under the radar of conventional security appliances that rely on static IP blacklists or domain reputation. This technique is part of a broader trend among threat actors to adopt blockchain-based C2 (often called “blockchain C2” or “BCC2”) for resilience.

SOCKS5 Pivot: Building a Network Bridge

The inclusion of a SOCKS5 proxy is equally significant. Once TrickMo infects a device, it can turn that device into a relay point, allowing the attacker to route other traffic through the victim's phone. This establishes a network pivot into the victim's local environment, potentially giving access to internal corporate networks if the device is used for work purposes.

  1. Infection: The trojan gains initial access, often through malware-laden apps or phishing links.
  2. Payload Execution: A runtime-loaded APK (dex.module) deploys the core malicious components.
  3. Proxy Activation: The SOCKS5 proxy is activated, linking the device to the attacker's TON-based C2 server.
  4. Pivot: The attacker can tunnel traffic through the infected device to scan or attack other systems on the same network.

This capability transforms a simple credential stealer into a vector for broader network compromise. For organizations with bring-your-own-device (BYOD) policies, the risk is especially high.
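As an added defender-side illustration (not code from the ThreatFabric report), the following Python parses SOCKS5 handshake bytes (RFC 1928) from captured TCP payloads and flags any flow in which a managed phone is a party, tagging a CONNECT toward a private address as the pivot pattern. The sample flows and the phone subnet 10.20.0.0/16 are constructed for the example, and it assumes the proxy traffic is visible to the network sensor unencrypted (IPv6 targets are not handled).

```python
import ipaddress
SOCKS_VERSION = 0x05
CMD_NAMES = {0x01: "CONNECT", 0x02: "BIND", 0x03: "UDP_ASSOCIATE"}

def is_socks5_greeting(payload: bytes) -> bool:
    """Client greeting (RFC 1928): VER | NMETHODS | METHODS[NMETHODS]."""
    return (len(payload) >= 3 and payload[0] == SOCKS_VERSION
            and payload[1] >= 1 and len(payload) == 2 + payload[1])

def parse_socks5_request(payload: bytes):
    """Client request: VER | CMD | RSV=0 | ATYP | DST.ADDR | DST.PORT.
    Returns (cmd_name, dst_addr, dst_port), or None if malformed."""
    if len(payload) < 7 or payload[0] != SOCKS_VERSION or payload[2] != 0:
        return None
    cmd, atyp = payload[1], payload[3]
    if cmd not in CMD_NAMES:
        return None
    if atyp == 0x01:                                   # IPv4, 4 bytes
        alen, addr = 4, str(ipaddress.IPv4Address(payload[4:8]))
    elif atyp == 0x03:                                 # domain, length-prefixed
        alen, addr = 1 + payload[4], payload[5:5 + payload[4]].decode("ascii", "replace")
    else:                                              # IPv6 (0x04) not handled here
        return None
    end = 4 + alen
    if len(payload) != end + 2:
        return None
    return CMD_NAMES[cmd], addr, int.from_bytes(payload[end:end + 2], "big")

def find_pivot_flows(flows, mobile_nets):
    """flows: (src_ip, dst_ip, first_payload). Alert on any SOCKS5 greeting or
    request touching a phone; tag CONNECTs to private targets as PIVOT."""
    nets = [ipaddress.ip_network(n) for n in mobile_nets]
    alerts = []
    for src, dst, data in flows:
        if not any(ipaddress.ip_address(h) in n for h in (src, dst) for n in nets):
            continue                                   # neither end is a phone
        if is_socks5_greeting(data):
            alerts.append(f"SOCKS5 greeting {src}->{dst}")
        elif req := parse_socks5_request(data):
            cmd, addr, port = req
            try:
                tag = "PIVOT " if ipaddress.ip_address(addr).is_private else ""
            except ValueError:                         # domain-name target
                tag = ""
            alerts.append(f"{tag}SOCKS5 {cmd} {src}->{dst} target {addr}:{port}")
    return alerts

SAMPLE_FLOWS = [  # constructed; 10.20.0.0/16 is an assumed phone Wi-Fi segment
    ("203.0.113.9", "10.20.4.17", bytes([5, 1, 0])),                          # greeting
    ("203.0.113.9", "10.20.4.17", bytes([5, 1, 0, 1, 10, 0, 0, 5, 1, 0xBB])),  # CONNECT 10.0.0.5:443
    ("10.20.4.17", "10.0.0.5", b"GET / HTTP/1.1\r\n"),                        # benign, no alert
]
```

Running `find_pivot_flows(SAMPLE_FLOWS, ["10.20.0.0/16"])` yields one greeting alert and one PIVOT alert for the CONNECT to 10.0.0.5:443, while the plain HTTP flow is ignored.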


Technical Analysis of the Infection Chain

ThreatFabric's report details how the malware is delivered: it often masquerades as legitimate utility apps, such as document scanners or cryptocurrency portfolio trackers, distributed through third-party app stores or social engineering campaigns. Once installed, the app requests extensive permissions, including accessibility services, which are then abused to perform overlay attacks and keylogging.
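To show what a mobile-fleet check for the accessibility-service abuse described above could look like, here is an added Python example (not from the report) that audits the value returned by `adb shell settings get secure enabled_accessibility_services`, a colon-separated list of `package/ServiceClass` entries. The allowlist and the sample value, including the package `com.example.docscan`, are constructed assumptions.

```python
ALLOWED_A11Y_PACKAGES = {          # assumed allowlist for a managed fleet
    "com.google.android.marvin.talkback",
    "com.android.talkback",
}

def parse_enabled_services(setting: str) -> list[tuple[str, str]]:
    """Split the raw setting into (package, fully_qualified_class) pairs.
    Handles the unset value 'null', blank entries, and the shorthand
    'pkg/.Cls' form that stands for 'pkg/pkg.Cls'."""
    if not setting or setting.strip() == "null":
        return []
    services = []
    for entry in setting.strip().split(":"):
        if "/" not in entry:
            continue
        pkg, cls = entry.split("/", 1)
        if cls.startswith("."):
            cls = pkg + cls
        services.append((pkg, cls))
    return services

def unexpected_services(setting: str, allowlist=ALLOWED_A11Y_PACKAGES) -> list[str]:
    """Return 'pkg/cls' strings for enabled services whose package is not allowlisted."""
    return [f"{pkg}/{cls}" for pkg, cls in parse_enabled_services(setting)
            if pkg not in allowlist]

# Constructed sample: TalkBack plus an unknown "document scanner" app that has
# been granted accessibility access, the kind of grant an overlay trojan needs.
SAMPLE_SETTING = ("com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:"
                  "com.example.docscan/.A11yService")
```

`unexpected_services(SAMPLE_SETTING)` returns only the scanner app's service, so an MDM job can raise an alert on exactly that entry.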

The dex.module is loaded at runtime, a common technique to evade static analysis by antivirus engines. This module contains the core logic for TON communication and SOCKS5 proxy management. The malware communicates with the TON network using lightweight smart contracts to receive encrypted commands and send back stolen data, all while maintaining the appearance of normal blockchain activity.

Furthermore, the variant employs advanced anti-analysis and persistence mechanisms, such as:

Implications for Android Users and Organizations

The discovery of this TrickMo variant underscores the rapidly evolving threat landscape for mobile devices. For individual users, the best defense remains caution: avoid sideloading apps, scrutinize permissions, and keep devices updated. For enterprises, this variant highlights the need for advanced endpoint detection that can monitor for unusual network protocols like TON traffic and proxy-like behavior.

Security teams should consider deploying mobile threat defense (MTD) solutions that can detect both the initial infection vector and the lateral movement capabilities. Additionally, network segmentation and strict access controls for mobile devices can limit the blast radius if a pivot occurs.

Conclusion

The integration of TON as a C2 channel and SOCKS5 proxy functionality represents a significant step forward for the TrickMo trojan. By leveraging blockchain decentralization and network pivoting, the malware is not only harder to disrupt but also more dangerous to its victims. As cybercriminals continue to innovate, defenders must stay vigilant, adapting their strategies to counter these emerging techniques.
