TrickMo 2.0: Infected phones as command nodes on TON to expand banking fraud

Published · 5 min read

The TrickMo family of banking Trojans has taken an architectural leap that deserves attention: in samples analyzed between January and February 2026, the operators integrated the decentralized The Open Network (TON) as a command-and-control channel and turned compromised phones into programmable network pivots. This is not merely a technical curiosity but a strategic evolution with direct implications for users, banks and defenders of critical infrastructure.

Since it first appeared in 2019, TrickMo has been known for abusing Android accessibility services to intercept one-time codes, steal credentials and remotely control the device. The new version documented by ThirFabric keeps those capabilities but adds a module loaded dynamically at run time (dex.module) that extends its functions to authenticated network reconnaissance, SSH tunnels and a SOCKS5 proxy. In practice, an infected phone can now route malicious traffic from inside the victim's local network, probe internal hosts and disguise fraudulent transactions behind the affected user's IP address.


The technique chosen for communicating with the command infrastructure, .adnl endpoints resolved through the TON overlay network, adds resilience against traditional blocking and takedown measures. By starting a native TON proxy on localhost, the malware tunnels its HTTP requests through the decentralized network, which reduces the visibility of compromise indicators on the public Internet and makes it harder to identify the malicious remote servers with conventional blocklists.

Beyond the C2 mechanism, the inclusion of commands such as curl, dnslookup, ping, telnet or traceroute turns the infected device into a reconnaissance station operating from the victim's network vantage point. This changes the classic picture of a "banking trojan" focused only on intercepting OTPs: we are facing an actor that seeks to keep a managed foothold inside target networks for lateral movement, transactional fraud and proxy-based anonymization of access.

The practical impact for users and organizations is clear. For individuals, the threat involves not only credential theft but the possibility that their home connection is used as an exit point for criminal activity. For companies, an employee with a compromised phone on the corporate Wi-Fi network can enable lateral movement or access to internal services from a legitimate IP address of the organization, bypassing controls that rely only on source addresses.
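The reconnaissance and lateral-movement pattern described above is detectable at the network layer as a fan-out anomaly: a single client in the Wi-Fi/BYOD segment contacting many distinct internal hosts, often on administrative ports, within a short window. The following Python script is an added example, not code from the original article or from any vendor report; the flow records, the network ranges (10.20.0.0/16 for BYOD clients, 10.0.0.0/16 for internal servers), the eight-host threshold and the list of administrative ports are all constructed assumptions for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress

# Constructed flow records: "timestamp src dst dport", one per line.
# 10.20.4.50 is a normal laptop; 10.20.4.17 is a phone sweeping the server
# segment on SSH/SMB, the kind of fan-out a compromised pivot produces.
SAMPLE_FLOWS = """\
2026-02-03T09:00:01 10.20.4.50 10.20.0.2 53
2026-02-03T09:00:02 10.20.4.50 142.250.74.46 443
2026-02-03T09:01:00 10.20.4.50 10.0.10.6 445
2026-02-03T09:11:58 10.20.4.17 10.20.0.2 53
2026-02-03T09:12:00 10.20.4.17 10.0.10.1 22
2026-02-03T09:12:01 10.20.4.17 10.0.10.2 22
2026-02-03T09:12:02 10.20.4.17 10.0.10.3 22
2026-02-03T09:12:03 10.20.4.17 10.0.10.4 22
2026-02-03T09:12:04 10.20.4.17 10.0.10.5 22
2026-02-03T09:12:05 10.20.4.17 10.0.10.6 22
2026-02-03T09:12:06 10.20.4.17 10.0.10.7 22
2026-02-03T09:12:07 10.20.4.17 10.0.10.8 22
2026-02-03T09:12:08 10.20.4.17 10.0.10.9 445
2026-02-03T09:12:09 10.20.4.17 10.0.10.10 445
2026-02-03T09:12:30 10.20.4.17 91.108.56.130 443
"""

# Assumed set of ports that indicate administrative / lateral-movement interest.
ADMIN_PORTS = {22, 23, 445, 3389, 5985}


def parse_flows(text):
    """Parse 'timestamp src dst dport' lines into (datetime, src, dst, int) tuples."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport = line.split()
        flows.append((datetime.fromisoformat(ts), src, dst, int(dport)))
    return flows


def fan_out_alerts(flows, byod_net, target_net,
                   window=timedelta(minutes=5), min_hosts=8):
    """Flag BYOD sources that reach >= min_hosts distinct internal hosts within `window`.

    Returns one alert per offending source describing its busiest window and
    which administrative ports it touched there.
    """
    byod = ipaddress.ip_network(byod_net)
    targets = ipaddress.ip_network(target_net)

    # Keep only BYOD -> internal-server flows, grouped by source.
    per_src = defaultdict(list)
    for ts, src, dst, dport in flows:
        if ipaddress.ip_address(src) in byod and ipaddress.ip_address(dst) in targets:
            per_src[src].append((ts, dst, dport))

    alerts = []
    for src, events in per_src.items():
        events.sort()
        best = None
        # Sliding window anchored at each event; O(n^2) per source is fine for a demo.
        for i, (start, _, _) in enumerate(events):
            hosts, ports = set(), set()
            for ts, dst, dport in events[i:]:
                if ts - start > window:
                    break
                hosts.add(dst)
                ports.add(dport)
            if best is None or len(hosts) > best["hosts"]:
                best = {
                    "src": src,
                    "window_start": start.isoformat(),
                    "hosts": len(hosts),
                    "admin_ports": sorted(ports & ADMIN_PORTS),
                }
        if best["hosts"] >= min_hosts:
            alerts.append(best)
    return alerts


if __name__ == "__main__":
    for alert in fan_out_alerts(parse_flows(SAMPLE_FLOWS), "10.20.0.0/16", "10.0.0.0/16"):
        print(alert)
```

The threshold and window are deliberately conservative; in production you would feed real NetFlow/IPFIX or firewall logs, tune `min_hosts` per segment, and enrich the alert with the device identity from the NAC or Wi-Fi controller so the phone can be quarantined rather than just its current DHCP lease.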

Detecting and mitigating this threat requires adapting controls to its hybrid nature as both mobile malware and network tool. On devices, it is key to avoid installing apps from outside official stores and to distrust applications that request accessibility permissions or foreground services, or that impersonate "Google Play Services". Sideloading, via droppers that pose as "adult" versions of well-known applications, is the vector used in these cases; basic digital hygiene remains the first barrier.

For security operators and administrators, the strategy should combine visibility on the mobile endpoint with network-layer monitoring and access controls. Reviewing application inventories, implementing MDM/EMM policies that restrict third-party installs, and enabling device-telemetry APIs that detect abnormal behavior are effective measures. On the network side, look for indicators such as local processes that open loopback ports, the presence of SOCKS5 services, or unusual connection patterns that do not match legitimate applications.
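One concrete form of the device-side check just mentioned (loopback listeners and SOCKS5 services) is to enumerate listening sockets bound to 127.0.0.0/8 from /proc/net/tcp, which on Android can be read over adb, and then send each one a SOCKS5 greeting to see whether it answers the RFC 1928 method-selection handshake. The Python below is an added example, not code from the original article or from the researchers it cites; the /proc/net/tcp sample, the ports 1080 and 8080 and the UID 10234 are constructed, and the throwaway listener is a demo helper used only so the script runs offline.

```python
import socket
import threading

# Constructed sample of /proc/net/tcp as read from an Android/Linux device
# (e.g. `adb shell cat /proc/net/tcp`). Addresses and ports are hex; IPv4 is
# stored in little-endian byte order, so 0100007F is 127.0.0.1.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:0438 00000000:0000 0A 00000000:00000000 00:00000000 00000000 10234        0 41337 1 0000000000000000 100 0 0 10 0
   1: 0100007F:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000 10234        0 41338 1 0000000000000000 100 0 0 10 0
   2: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 41000 1 0000000000000000 100 0 0 10 0
   3: 0A00000A:C2D1 5BD1F08D:01BB 01 00000000:00000000 00:00000000 00000000 10234        0 52123 1 0000000000000000 20 4 30 10 -1
"""

TCP_LISTEN = "0A"  # socket state code for LISTEN in /proc/net/tcp


def _hex_to_ipv4(hex_addr):
    """Convert the little-endian hex IPv4 from /proc/net/tcp to dotted quad."""
    raw = bytes.fromhex(hex_addr)
    return ".".join(str(b) for b in reversed(raw))


def loopback_listeners(proc_net_tcp_text):
    """Return (ip, port, uid) for every LISTEN socket bound to 127.0.0.0/8."""
    found = []
    for line in proc_net_tcp_text.splitlines()[1:]:  # skip header row
        cols = line.split()
        if len(cols) < 8:
            continue
        local, state, uid = cols[1], cols[3], int(cols[7])
        if state != TCP_LISTEN:
            continue
        addr_hex, port_hex = local.split(":")
        ip = _hex_to_ipv4(addr_hex)
        if ip.startswith("127."):
            found.append((ip, int(port_hex, 16), uid))
    return found


def socks5_probe(host, port, timeout=2.0):
    """Send a SOCKS5 greeting offering 'no auth' and check for a SOCKS5 reply.

    RFC 1928: client sends VER=5, NMETHODS, METHODS; server answers VER=5 and
    the selected method (0x00 no-auth) or 0xFF if none of the offered methods
    is acceptable. Either reply proves a SOCKS5 server is on the other end.
    """
    greeting = b"\x05\x01\x00"
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(greeting)
            reply = s.recv(2)
    except OSError:
        return False  # refused, timed out, or closed before answering
    return len(reply) == 2 and reply[0] == 0x05 and reply[1] in (0x00, 0xFF)


def start_fake_listener(reply, host="127.0.0.1"):
    """Demo helper: one-shot TCP listener that answers any client with `reply`.

    Exists only so the example can be run offline; returns the bound port.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve():
        conn, _ = srv.accept()
        with conn:
            conn.recv(16)
            conn.sendall(reply)
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return port


if __name__ == "__main__":
    # Against the constructed sample this probes 127.0.0.1:1080 and :8080 on
    # the host running the script; on a device, feed it the real file instead.
    for ip, port, uid in loopback_listeners(SAMPLE_PROC_NET_TCP):
        print(f"{ip}:{port} uid={uid} socks5={socks5_probe(ip, port, timeout=0.5)}")
```

On a real device, replace the constructed sample with the output of `adb shell cat /proc/net/tcp` (and /proc/net/tcp6 for IPv6 sockets, which this parser does not handle) and map the UID column back to the owning package with `pm list packages -U`. A positive SOCKS5 reply on an unexpected loopback port is an indicator to pivot on, not proof of infection, since legitimate VPN clients and debugging tools also open local proxies.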

The decentralized nature of TON complicates blocking by domain lists, so defenses cannot depend exclusively on DNS/IP filtering. It is more effective to combine conditional access controls, network segmentation and phishing-resistant authentication (e.g. FIDO keys for sensitive access) to reduce the impact of connections from compromised devices. Organizations should also review BYOD policies and consider separate networks for unmanaged devices.

Another aspect to consider is the potential evolution of the malware: researchers have pointed to the presence of dormant features related to hooking and NFC permissions, suggesting that the developers could extend its functions to intercept contactless payments or hook critical APIs in future variants. This reinforces the need to keep incident response programs up to date and to run threat hunting exercises that include mobile as a risk area.


In terms of legal and community response, the use of decentralized infrastructure poses challenges for traditional disruption operations. Collaboration between device manufacturers, network providers and research entities is essential to develop shared detection signals and mechanisms to identify abnormal patterns without interfering with legitimate services of the decentralized network. Reference and analysis resources on TON and the evasion techniques involved are available on the official web pages and in reports from threat analysis companies.

If you suspect your device has been compromised, disconnect it from corporate Wi-Fi networks, check application permissions, factory-reset the phone after backing up the data you need and, in a business context, notify the security team for forensic analysis. To prevent future incidents, prioritize user training on social engineering, automatic mobile updates and technical policies that limit which apps can be installed.

The convergence of mobile malware and decentralized networks marks a new stage in the threat landscape: more camouflage, more resilience and the ability to abuse third-party resources. Knowing these tactics and adapting defenses, from the individual user to the business infrastructure, is the best response available today.
