"TrickMo relies on a runtime-loaded APK (dex.module), used also by the previous variant, but updated with new features adding new network-oriented functionality, including reconnaissance, SSH tunnelling, and SOCKS5 proxying capabilities that allow infected devices to function as programmable network pivots and traffic-exit nodes," ThreatFabric said.
ThreatFabric’s January–February 2026 findings
Dutch mobile security firm ThreatFabric observed a new variant of the Android banking trojan TrickMo between January and February 2026. The company reported the malware as actively targeting banking and cryptocurrency wallet users in France, Italy, and Austria. The new builds are being tracked as TrickMo C and were shared with The Hacker News in a report summarizing their technical changes and operational scope.
TON-based command-and-control
A significant architectural change in TrickMo C is the shift to The Open Network (TON) for command-and-control. ThreatFabric found that the malware "carries an embedded native TON proxy that the host APK starts on a loopback port at process start," and that the bot's HTTP client is routed through that proxy, so outbound C2 requests are addressed to .adnl hostnames and resolved through the TON overlay instead of conventional DNS. ThreatFabric warned that this approach is "reducing the effectiveness of traditional takedown and network-blocking efforts while making the traffic blend with legitimate TON activity."
From device takeover to programmable network pivot
While TrickMo has long been identified as a device takeover (DTO) malware — first flagged in 2019 for abusing Android accessibility services to hijack one-time passwords (OTPs) — the latest builds broaden its operational role. The runtime-loaded dex.module now implements a network-oriented subsystem that supports commands such as curl, dnslookup, ping, telnet, and traceroute, which ThreatFabric describes as providing a "remote shell-equivalent for network reconnaissance from the victim's network position, including any internal corporate or home network the device is currently associated with."
That subsystem also enables SSH tunnelling and authenticated SOCKS5 proxying. By turning compromised phones into network exit nodes, the malware can route attacker traffic through the victim’s own network environment, a capability ThreatFabric says effectively turns infected devices into "programmable network pivots and traffic-exit nodes."
SOCKS5 proxying, fraud-detection avoidance, and operational impact
ThreatFabric highlights that the inclusion of a SOCKS5 proxy and SSH tunnelling expands TrickMo beyond credential theft and OTP interception. The report explicitly notes that the proxying capability can defeat IP-based fraud-detection signatures on banking, e-commerce and cryptocurrency exchange services, because malicious connections originate from the victim's network rather than from attacker-controlled infrastructure.
Distribution and impersonation tactics
The new TrickMo C samples are distributed via phishing websites and dropper apps. ThreatFabric says the droppers masquerade as adult versions of TikTok, while the actual malware impersonates Google Play Services. Package names observed in the campaign include com.app16330.core20461 and com.app15318.core1173 for the droppers, and uncle.collop416.wifekin78 or nibong.lida531.butler836 for the TrickMo payload. The dropper model lets a host APK retrieve the dex.module at runtime from attacker-controlled infrastructure.
Dormant capabilities and likely development trajectory
ThreatFabric found two features present but not activated in the current dex.module: the inclusion of the Pine hooking framework and declarations of extensive NFC-related permissions. Neither feature is implemented in the observed samples; ThreatFabric assesses that "this likely indicates the core developers are looking to expand on the trojan's capabilities in the future," suggesting the malware authors are positioning the codebase for additional lateral or sensor-based functions.
What this means for technologists, financial services, and end users
- Technologists and security teams: Monitor for local loopback proxies and unusual .adnl/TON resolution patterns, and note that infected devices may be used for internal network reconnaissance and as authenticated SOCKS5 exits.
- Financial institutions and exchanges: Be aware that IP-based fraud-detection signals may be circumvented by attacker traffic routed through victims' home or corporate networks via SOCKS5 proxies and SSH tunnels.
- End users and device owners: ThreatFabric’s report shows TrickMo droppers are disguised as adult-themed TikTok apps and that the malware impersonates Google Play Services; package names tied to the campaign are com.app16330.core20461, com.app15318.core1173 (droppers) and uncle.collop416.wifekin78, nibong.lida531.butler836 (TrickMo).
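The two device-side signals described above (a process that starts its own loopback proxy, and HTTP traffic sent through that proxy to .adnl hostnames) can be expressed as a small detection rule. The following Python script is an added illustration, not code from ThreatFabric or from the malware; the line-oriented telemetry format, the port numbers, and the .adnl hostnames are constructed for the example (only the package name uncle.collop416.wifekin78 comes from the report). It flags a process only when it both owns the loopback listener and routes .adnl-addressed requests through it, so an unrelated app using a local VPN's proxy is not flagged.

```python
"""Detect TrickMo-style loopback-proxy C2 routing in constructed device telemetry.

Signals modelled (from the ThreatFabric description):
  1. a process opens a listening socket on a loopback address (embedded TON proxy);
  2. HTTP requests from that same process go through that loopback proxy and/or
     carry a Host ending in ".adnl", which conventional DNS cannot resolve.
The record format below is invented for this example; it is not a real Android
or EDR log schema.
"""
import re
from collections import defaultdict

# Constructed sample telemetry, one record per line.
SAMPLE_TELEMETRY = """\
listen pid=4121 pkg=uncle.collop416.wifekin78 addr=127.0.0.1 port=31337
listen pid=5000 pkg=org.example.localvpn addr=127.0.0.1 port=8080
http pid=4121 pkg=uncle.collop416.wifekin78 proxy=127.0.0.1:31337 host=example-c2.adnl path=/api/poll
http pid=2210 pkg=com.android.chrome proxy=127.0.0.1:8080 host=www.example.com path=/
http pid=4121 pkg=uncle.collop416.wifekin78 proxy=127.0.0.1:31337 host=another-node.adnl path=/api/cmd
http pid=3307 pkg=org.example.wallet proxy=- host=api.example.org path=/v1/balance
"""

LISTEN_RE = re.compile(r"^listen pid=(\d+) pkg=(\S+) addr=(\S+) port=(\d+)$")
HTTP_RE = re.compile(r"^http pid=(\d+) pkg=(\S+) proxy=(\S+) host=(\S+) path=(\S+)$")


def is_loopback(addr: str) -> bool:
    """True for IPv4/IPv6 loopback addresses as they appear in the telemetry."""
    return addr.startswith("127.") or addr in ("::1", "localhost")


def analyze(text: str) -> dict:
    """Return {pid: {"pkg", "reasons", "hosts"}} for processes matching the pattern.

    reasons contains "adnl_host" when a request targets a .adnl hostname and
    "self_hosted_loopback_proxy" when the request is sent through a loopback
    listener owned by the same pid.
    """
    loopback_listeners = defaultdict(set)  # pid -> {"addr:port", ...}
    http_records = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LISTEN_RE.match(line)
        if m:
            pid, _pkg, addr, port = m.groups()
            if is_loopback(addr):
                loopback_listeners[pid].add(f"{addr}:{port}")
            continue
        m = HTTP_RE.match(line)
        if m:
            http_records.append(m.groups())
        # Unknown record kinds are ignored rather than aborting the scan.

    findings = {}
    for pid, pkg, proxy, host, _path in http_records:
        reasons = set()
        if host.lower().endswith(".adnl"):
            reasons.add("adnl_host")
        if proxy in loopback_listeners.get(pid, set()):
            reasons.add("self_hosted_loopback_proxy")
        if reasons:
            entry = findings.setdefault(pid, {"pkg": pkg, "reasons": set(), "hosts": set()})
            entry["reasons"] |= reasons
            entry["hosts"].add(host)
    return findings


if __name__ == "__main__":
    for pid, info in analyze(SAMPLE_TELEMETRY).items():
        print(pid, info["pkg"], sorted(info["reasons"]), sorted(info["hosts"]))
```

Running the script prints a single finding for pid 4121 with both reasons; the Chrome request through the VPN app's proxy and the wallet app's direct request are left alone. In a real deployment the two regexes would be replaced by the parser for whatever telemetry the device-management or EDR agent emits.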
The observed shift in TrickMo’s architecture — from accessibility-driven device takeover to a managed foothold with TON-based stealth and network pivoting — raises a clear technical question: with C2 hidden inside a blockchain overlay and infected phones able to proxy attacker traffic from victims’ networks, how will defenders adapt detection and takedown methods that rely on conventional DNS and public infrastructure? ThreatFabric’s findings document the change; the responses from defenders and service providers will determine whether that change confers a lasting operational advantage to the malware operators.