ThreatFabric discovery of Trickmo.C
Security firm ThreatFabric has reported a new variant of the TrickMo Android banking trojan, which it tracks as "Trickmo.C" and has observed since January. The company says this version is being delivered in campaigns targeting users in France, Italy, and Austria, disguised as TikTok or streaming applications.
TrickMo is not new: it was first spotted in September 2019 and has been under continuous development since. In October 2024, Zimperium analyzed 40 TrickMo variants delivered through 16 droppers and communicating with 22 distinct command-and-control infrastructures, all targeting sensitive user data worldwide. ThreatFabric's findings show that proliferation of variants and infrastructure continuing into 2026.
How TON .ADNL addresses change covert communications
The headline technical change in Trickmo.C is the use of The Open Network (TON) for covert command-and-control. ThreatFabric says the malware embeds a local TON proxy on infected devices and uses .ADNL addresses routed through that proxy to reach operator endpoints.
TON, the researchers note, is "a decentralized peer-to-peer network originally developed around the Telegram ecosystem" that provides an encrypted overlay for device-to-web communications. Instead of a DNS domain name, a TON endpoint is addressed by a 256-bit identifier; according to ThreatFabric, this design "hides the IP address and communication port, thus making the real server infrastructure more difficult to identify, block, or take down."
ThreatFabric adds that "Traffic-pattern detection at the network edge sees only TON traffic, which is encrypted and indistinguishable from any other TON-enabled application's outbound flow." That combination, an encrypted overlay plus non-DNS identifiers, is the analysts' central explanation for why conventional domain takedowns and network blocking are less effective against this variant.
TrickMo's capabilities and the new command set
TrickMo remains modular and two-stage in design: a host APK functions as loader and persistence layer, while a runtime-downloaded APK module provides the offensive features. The malware targets banking credentials with phishing overlays and carries a broad suite of data-exfiltration and fraud-enabling tools.
ThreatFabric lists the core capabilities already associated with TrickMo: keylogging, screen recording and live screen streaming, SMS interception, suppression of one-time password notifications, clipboard modification, notification filtering, and screenshot capture. The new Trickmo.C variant adds an expanded remote-control and networking toolset that includes:
- curl
- dnsLookup
- ping
- telnet
- traceroute
- SSH tunneling
- remote port forwarding
- local port forwarding
- authenticated SOCKS5 proxy support
ThreatFabric also observed the Pine runtime hooking framework within the variant’s codebase — a framework they note has been used previously to intercept networking and Firebase operations — but they report it is currently inactive because no hooks are installed. TrickMo likewise declares extensive NFC permissions and reports NFC capability in telemetry, but ThreatFabric did not find any active NFC functionality in this variant.
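As an added illustration (example code written for this page, not ThreatFabric's tooling and not code from the malware), the following Python script shows how an analyst might triage strings dumped from a suspect APK for the indicators discussed in the TON section and in the command set above: an .adnl pseudo-TLD hostname, the networking commands, the Pine package, and the NFC and SMS permissions. It also classifies a C2 host by what a takedown would have to target, which is the practical difference between a DNS name, an IP literal and an ADNL identifier. The .adnl label encodings accepted by the regex, the Pine package name `top.canyie.pine`, the category names and the scoring thresholds are assumptions made for this example; the sample strings are constructed.

```python
import re
from collections import defaultdict

# Indicator categories for static triage of strings pulled from an APK (for
# example, `strings` run over classes.dex or decoded resources). The command
# names are the ones ThreatFabric lists for Trickmo.C; everything else here is
# an assumption made for this example.
INDICATORS = {
    # Assumption: TON proxy hostnames use the .adnl pseudo-TLD with either a
    # 64-hex-char (256-bit) label or a base32 label; encodings vary by tooling.
    "ton_adnl": re.compile(r"\b(?:[0-9a-f]{64}|[a-z2-7]{50,60})\.adnl\b", re.IGNORECASE),
    # Networking / remote-control commands reported for the new variant.
    "net_tools": re.compile(
        r"\b(curl|dnsLookup|ping|telnet|traceroute|ssh|socks5|port\s?forward)\b",
        re.IGNORECASE,
    ),
    # Assumption: the Pine runtime hooking framework ships under this package.
    "hooking": re.compile(r"\btop\.canyie\.pine\b"),
    "nfc": re.compile(r"\bandroid\.permission\.NFC\b"),
    "sms": re.compile(r"\bandroid\.permission\.(?:RECEIVE_SMS|READ_SMS)\b"),
}

# Constructed sample, not strings from a real Trickmo.C sample.
SAMPLE_STRINGS = [
    "android.permission.INTERNET",
    "android.permission.NFC",
    "android.permission.RECEIVE_SMS",
    "top.canyie.pine.PineConfig",
    "http://" + "b6p4" * 14 + ".adnl/gate",   # made-up 56-char base32 label
    "socks5://c2user:c2pass@127.0.0.1:1080",
    "cmd:dnsLookup", "cmd:traceroute", "cmd:telnet", "cmd:curl",
    "ssh -R 0.0.0.0:2222:localhost:22",
]


def triage_strings(strings):
    """Return {category: sorted unique matches} for every indicator that hits."""
    hits = defaultdict(set)
    for s in strings:
        for category, pattern in INDICATORS.items():
            for m in pattern.finditer(s):
                hits[category].add(m.group(0))
    return {k: sorted(v) for k, v in hits.items()}


def verdict(hits):
    """Heuristic score. TON-routed C2 combined with a remote-networking toolset
    is the pairing the report describes; either alone is weak evidence, since
    legitimate Telegram/TON clients also produce TON traffic."""
    ton = "ton_adnl" in hits
    tools = len(hits.get("net_tools", []))
    if ton and tools >= 3:
        return "high"
    if ton or tools >= 3:
        return "medium"
    return "low"


def endpoint_kind(host):
    """Classify what a takedown or block would have to target for a C2 host."""
    if INDICATORS["ton_adnl"].fullmatch(host):
        return "adnl"   # 256-bit overlay identifier: no registrar, no fixed IP
    if re.fullmatch(r"\d{1,3}(?:\.\d{1,3}){3}", host):
        return "ip"     # hosting provider abuse desk or IP blocklist
    return "dns"        # registrar or DNS-level takedown


if __name__ == "__main__":
    found = triage_strings(SAMPLE_STRINGS)
    for category, matches in found.items():
        print(f"{category:10s} {matches}")
    print("verdict:", verdict(found))
    for host in ["b6p4" * 14 + ".adnl", "203.0.113.7", "example.com"]:
        print(f"{host[:24]:24s} -> {endpoint_kind(host)}")
```

The point of `verdict` is the caveat ThreatFabric itself raises: TON traffic alone is not an indicator, because legitimate apps generate it too, so the script only escalates when the overlay identifier co-occurs with the remote-networking command set. On a real dump you would feed it the output of `strings` and review the "high" and "medium" results by hand rather than treating the score as a detection.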
Delivery, targets, and historical context
The current campaigns use fake TikTok or streaming-app installers to reach users in France, Italy, and Austria, consistent with TrickMo's long history of socially engineered mobile drops: the family has evolved continuously since 2019 and, per Zimperium's October 2024 analysis, spans dozens of variants, droppers, and C2 infrastructures.
The local TON proxy and .ADNL identifiers mark a tactical shift in how the operators hide that infrastructure. Because an .ADNL address is a 256-bit identifier rather than a hostname, there is no registrar to approach and no fixed IP to block, and because TON traffic is encrypted and looks like any other TON-enabled application's outbound flow, network signatures and domain blocking give defenders less purchase than they had against earlier TrickMo infrastructure.
What this means for Android users, banks, and security teams
Android users: ThreatFabric's report closes with practical end-user guidance: download apps only from Google Play, keep the number of installed apps small, prefer apps from reputable publishers, and make sure Play Protect stays enabled.
Banks and cryptocurrency wallet providers: The malware specifically targets banking credentials and cryptocurrency wallets. Financial providers should anticipate fraud attempts that exploit intercepted OTPs, screen streaming, and phishing overlays, and should review controls around transaction authentication and suspicious-device detection.
Security teams and network operators: The move to TON .ADNL-based C2 means teams will need to account for encrypted overlay traffic that legitimate applications can also generate. ThreatFabric’s observation that "Traditional domain takedowns are largely ineffective" implies defenders must combine endpoint telemetry and behavior-based detection with network monitoring tuned for anomalous TON usage.
Trickmo.C demonstrates that mobile banking fraud operators continue to iterate both on exploitation techniques and on infrastructure anonymity. The coupling of modular Android malware with an overlay network that obscures endpoints raises a narrow, practical question: if operator endpoints can live entirely within encrypted overlays, how will defenders adapt takedown, detection, and incident response playbooks to regain visibility?