Android Banking Trojan TrickMo Evolves: New Variant Uses TON Blockchain and SOCKS5 to Build Stealth Pivot Networks
Urgent: TrickMo Android Malware Hits European Banks with Blockchain-Enabled Command and Control
Cybersecurity researchers at ThreatFabric have uncovered a new variant of the TrickMo Android banking trojan that retrieves its command-and-control (C2) configuration from The Open Network (TON) blockchain and turns infected devices into SOCKS5 proxies to build resilient relay networks. The campaign, observed between January and February 2026, targets banking and cryptocurrency wallet users in France, Italy, and Austria.

“This evolution represents a significant shift in how mobile malware operators hide their infrastructure,” said a ThreatFabric researcher who requested anonymity due to ongoing investigations. “By routing C2 traffic through TON and using SOCKS5 exit nodes, the attackers can pivot through multiple devices, making takedown extremely difficult.”
Technical Breakdown: TON Blockchain and SOCKS5 Integration
The new TrickMo variant relies on a runtime-loaded DEX component (dex.module) that fetches its C2 data from the TON blockchain. Unlike HTTP- or DNS-based C2, which depends on domains and servers that defenders can seize or sinkhole, data published to TON's decentralized ledger has no single point of failure to take down. The module also bundles SOCKS5 proxy support, allowing an infected device to relay traffic on behalf of the operators and of other compromised handsets.
“We observed the dropper contacting a list of TON smart contract addresses to retrieve encrypted configuration files,” the researcher explained. “These files contain a SOCKS5 server list and a decryption key. The trojan then opens a SOCKS5 listener on the device, enabling lateral movement within the network.”
Background
TrickMo first emerged in 2019 as a banking trojan targeting Android users, primarily in Europe. Over the years, it has evolved through multiple variants, each improving stealth and evasion techniques. Previous versions used traditional HTTP-based C2 and overlay attacks to steal credentials. The shift to TON and SOCKS5 marks a major architectural change, aligning with a broader trend of malware adopting blockchain and peer-to-peer protocols.
ThreatFabric’s analysis of campaign samples from early 2026 shows that the attackers specifically targeted mobile banking apps from major French, Italian, and Austrian institutions, as well as popular cryptocurrency wallets. The dex.module is loaded only after the initial dropper obtains accessibility service permission, which Android banking trojans commonly abuse to automate taps and grant themselves further permissions without user interaction.
What This Means
For the banking and cryptocurrency sectors, this variant introduces several new risks. Because the C2 configuration is read from TON, blocking or taking down a single address does not break the channel: the malware can fall back to another smart contract address. The SOCKS5 pivot turns each infected device into a proxy, so fraudulent traffic exits from a victim handset's own IP address rather than from attacker infrastructure, hiding its true origin and defeating IP-based blocking and reputation checks.

“Organizations need to update their detection signatures to account for TON-related network traffic and SOCKS5 connections from mobile devices,” advised the ThreatFabric team. “User education remains critical, as the initial infection vector still relies on social engineering—often posing as updates for banking apps.”
The attackers have also improved their obfuscation: the dex.module is stored encrypted and decrypted only in memory, which hampers static analysis of the dropper (it does not defeat dynamic analysis or memory dumps). ThreatFabric recommends that security teams monitor for unusual outbound connections to TON nodes and inspect devices for unauthorized SOCKS5 listeners on high-numbered ports. The article gives UDP/TCP port 8080 as the typical TON port; treat that with caution, since TON node and liteserver ports vary from node to node, so a rule keyed to a single port will miss traffic.
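The recommendation above, and the SOCKS5 listener the researcher describes, can be checked actively: a SOCKS5 server identifies itself by answering the RFC 1928 method-negotiation greeting with a two-byte reply. The following probe is an added example written for this article, not code from ThreatFabric or from the malware. It sends the greeting to each candidate port and reports those that answer like a SOCKS5 server; the two tiny responders (one speaking SOCKS5, one speaking HTTP) are constructed fixtures so the probe can be exercised offline, and the port numbers used are assumptions.

```python
"""Probe TCP ports for SOCKS5 listeners using the RFC 1928 method negotiation.

Added example for this article, not code from ThreatFabric or from TrickMo.
The probe connects to each candidate port, sends a SOCKS5 greeting offering
"no authentication", and reports ports that answer with a well-formed
method-selection reply. Two one-shot responders (SOCKS5 and HTTP) are
constructed fixtures so the probe can run offline; they are not observed
malware behaviour.
"""
import socket
import threading

SOCKS_VERSION = 0x05
METHOD_NOAUTH = 0x00
METHOD_NONE_ACCEPTABLE = 0xFF


def socks5_greeting(methods=(METHOD_NOAUTH,)):
    """Client hello: VER | NMETHODS | METHODS (RFC 1928 section 3)."""
    return bytes([SOCKS_VERSION, len(methods), *methods])


def parse_socks5_method_reply(data):
    """Return the server-selected method, or None if this is not a SOCKS5 reply.

    A reply of 0xFF ("no acceptable methods") still proves a SOCKS5 speaker.
    """
    if len(data) != 2 or data[0] != SOCKS_VERSION:
        return None
    return data[1]


def probe_socks5(host, port, timeout=1.0):
    """True if host:port answers the greeting the way a SOCKS5 server does."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(socks5_greeting())
            reply = s.recv(2)
    except OSError:  # refused, timed out, reset
        return False
    return parse_socks5_method_reply(reply) is not None


def scan_for_socks5(host, ports, timeout=0.5):
    """Return the sorted list of ports on host that behave like SOCKS5 listeners."""
    return sorted(p for p in ports if probe_socks5(host, p, timeout))


# --- constructed fixtures: one-shot responders on ephemeral localhost ports ---

def _listen_ephemeral():
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    return listener, listener.getsockname()[1]


def _answer_socks5_once(listener):
    with listener:
        conn, _ = listener.accept()
    with conn:
        hello = conn.recv(2)
        if len(hello) == 2 and hello[0] == SOCKS_VERSION:
            methods = conn.recv(hello[1])
            chosen = METHOD_NOAUTH if METHOD_NOAUTH in methods else METHOD_NONE_ACCEPTABLE
            conn.sendall(bytes([SOCKS_VERSION, chosen]))


def _answer_http_once(listener):
    with listener:
        conn, _ = listener.accept()
    with conn:
        conn.recv(64)
        conn.sendall(b"HTTP/1.1 400 Bad Request\r\nContent-Length: 0\r\n\r\n")


def start_fake_socks5_listener():
    listener, port = _listen_ephemeral()
    threading.Thread(target=_answer_socks5_once, args=(listener,), daemon=True).start()
    return port


def start_fake_http_listener():
    listener, port = _listen_ephemeral()
    threading.Thread(target=_answer_http_once, args=(listener,), daemon=True).start()
    return port


def closed_localhost_port():
    """Reserve and release an ephemeral port so it is (almost certainly) closed."""
    listener, port = _listen_ephemeral()
    listener.close()
    return port


if __name__ == "__main__":
    socks_port = start_fake_socks5_listener()
    http_port = start_fake_http_listener()
    dead_port = closed_localhost_port()
    print("SOCKS5 listeners:", scan_for_socks5("127.0.0.1", [socks_port, http_port, dead_port]))
```

On a real handset the probe would be pointed at the device's IP (or run through `adb forward`) over the high-range ports mentioned above; a reply of 0xFF still counts as a detection, because only a SOCKS5 implementation would answer the greeting in that form.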
Indicators of Compromise (IOCs) and Mitigation
- Network: Unexpected DNS queries for TON-related domains (for example, hostnames under .ton.sh, or attempts to resolve .ton names).
- Device: Unknown accessibility services enabled, or battery optimization exceptions granted to unfamiliar apps.
- Behavior: A sudden increase in data usage while the device is idle, especially on cellular networks.
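The two device indicators above can be checked from a management workstation without installing anything on the handset. The script below is an added example for this article, not ThreatFabric's code. It parses the output of `adb shell settings get secure enabled_accessibility_services` (colon-separated "package/class" entries, or "null") and `adb shell dumpsys deviceidle whitelist` ("kind,package,uid" lines, with "user" marking exemptions granted at runtime) against an allowlist of packages the organisation expects; the allowlists, the sample output and the package name `com.example.bankupdate` are constructed for illustration.

```python
"""Triage Android device state for the host-side indicators above.

Added example, not ThreatFabric's code. It parses the output of two adb
commands against an allowlist of packages the organisation expects:

    adb shell settings get secure enabled_accessibility_services
    adb shell dumpsys deviceidle whitelist

Assumed formats: the first prints colon-separated "package/class" entries
(or "null"); the second prints "kind,package,uid" lines where kind is
"system", "system-excidle" or "user". Allowlists and sample output below
are constructed for illustration.
"""
import subprocess

# Constructed allowlists; replace with your fleet's known-good set.
ALLOWED_ACCESSIBILITY_PACKAGES = {
    "com.google.android.marvin.talkback",
}
ALLOWED_IDLE_EXCEPTION_PACKAGES = {
    "com.whatsapp",
}


def parse_enabled_accessibility_services(raw):
    """'pkg/cls:pkg2/.Short' -> [('pkg', 'cls'), ('pkg2', 'pkg2.Short')]."""
    raw = raw.strip()
    if not raw or raw == "null":
        return []
    services = []
    for entry in raw.split(":"):
        entry = entry.strip()
        if not entry:
            continue
        pkg, _, cls = entry.partition("/")
        if cls.startswith("."):  # relative class name, shorthand for pkg + cls
            cls = pkg + cls
        services.append((pkg, cls))
    return services


def parse_deviceidle_whitelist(raw):
    """'user,com.example,10123' lines -> [('user', 'com.example', 10123)]."""
    rows = []
    for line in raw.splitlines():
        parts = [p.strip() for p in line.split(",")]
        if len(parts) != 3 or not parts[2].isdigit():
            continue  # headers, blank lines, anything that is not a whitelist row
        rows.append((parts[0], parts[1], int(parts[2])))
    return rows


def unknown_accessibility_services(raw, allowlist=ALLOWED_ACCESSIBILITY_PACKAGES):
    """Packages holding an enabled accessibility service that are not allowlisted."""
    return sorted({pkg for pkg, _ in parse_enabled_accessibility_services(raw)
                   if pkg not in allowlist})


def unknown_user_idle_exceptions(raw, allowlist=ALLOWED_IDLE_EXCEPTION_PACKAGES):
    """Battery-optimisation exemptions granted at runtime ('user') to non-allowlisted packages.

    'system' and 'system-excidle' rows are platform-defined and ignored here.
    """
    return sorted({pkg for kind, pkg, _ in parse_deviceidle_whitelist(raw)
                   if kind == "user" and pkg not in allowlist})


def triage_device(accessibility_raw, idle_raw):
    """Combine both checks; a package appearing in both deserves a closer look."""
    acc = unknown_accessibility_services(accessibility_raw)
    idle = unknown_user_idle_exceptions(idle_raw)
    return {
        "unknown_accessibility": acc,
        "unknown_idle_exceptions": idle,
        "in_both": sorted(set(acc) & set(idle)),
    }


def adb_shell(*args, serial=None):
    """Run an adb shell command and return stdout (needs adb on PATH and a device)."""
    cmd = ["adb"] + (["-s", serial] if serial else []) + ["shell", *args]
    return subprocess.run(cmd, check=True, capture_output=True, text=True).stdout


# Constructed sample output: one unfamiliar package holds both an accessibility
# service and a runtime battery-optimisation exemption.
SAMPLE_ACCESSIBILITY = (
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService"
    ":com.example.bankupdate/.svc.A"
)
SAMPLE_IDLE_WHITELIST = """\
system-excidle,com.google.android.gms,10045
system,com.android.providers.downloads,10010
user,com.whatsapp,10150
user,com.example.bankupdate,10231
"""

if __name__ == "__main__":
    print(triage_device(SAMPLE_ACCESSIBILITY, SAMPLE_IDLE_WHITELIST))
    # Against a connected device:
    # print(triage_device(adb_shell("settings", "get", "secure", "enabled_accessibility_services"),
    #                     adb_shell("dumpsys", "deviceidle", "whitelist")))
```

A package that shows up in both lists is the pattern described earlier: a dropper that abused the accessibility service to grant itself further exemptions. Legitimate accessibility tools will appear too, which is why the allowlist has to be maintained per fleet rather than copied from this example.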
ThreatFabric has released a detailed technical report containing full IOCs and YARA rules (see link to report). Administrators should block outbound traffic to known TON endpoints from managed devices unless there is an explicit business need for it.
As of now, the campaign appears focused, but given the modular nature of TrickMo, wider geographic targeting is expected. “This is not just another banking trojan update—it’s a blueprint for future mobile malware that leverages decentralized infrastructure,” the researcher concluded.