TrickMo.C the banking Trojan that uses TON as C2 and turns Android devices into jump points for internal networks

Published · 4 min read

A new turn in the evolution of the TrickMo banking trojan shows how attackers keep looking for places to hide within public infrastructure: the variant identified as TrickMo.C, detected by ThreatFabric and observed since January, moves its communications onto The Open Network (TON) and adds a set of commands that make it a far more versatile remote-control tool, and a much harder one to neutralize.

TrickMo is not a new actor: it has existed since 2019 and continues to develop as a modular piece with two stages (a host APK that provides persistence and downloads the malicious module at runtime) that steals banking credentials and cryptocurrency wallets by means of phishing overlays, keylogging, screen recording and streaming, SMS interception and clipboard tampering. The recent variant, reported by ThreatFabric, has been distributed in campaigns impersonating popular apps (for example, forged versions of TikTok and streaming players) and has been observed on victims in countries such as France, Italy and Austria. More technical details of the analysis are available in the ThreatFabric report: https://www.threatfabric.com/blogs/trickmo-unmasked-the-hidden-dex-module-and-the-variant-that-placed-it.

Image generated with AI.

The most worrying innovation is the use of TON as a command-and-control channel. TON offers an encrypted overlay and .adnl addresses with 256-bit identifiers instead of traditional domain names, which hides the real IP addresses and ports and sidesteps common countermeasures such as DNS-based takedowns. In practice, TrickMo bundles a local TON proxy that routes all C2 traffic through that network, so the perimeter sees only TON traffic indistinguishable from what legitimate applications on the same network generate. To understand the TON project and its architecture, public documentation is available at https://ton.org.

In addition to this channel, the latest version expands its command set to include diagnostic and tunnelling utilities (for example curl, dnsLookup, ping, telnet and traceroute) and advanced network functions such as SSH tunnels, port forwarding (local and remote) and authenticated SOCKS5 proxy support. In other words, besides stealing credentials, a compromised device can be turned into a jump point to explore internal networks, pivot to other targets or set up tunnels that facilitate exfiltration and persistent access.

From the defender's perspective, this poses two clear challenges: on the one hand, the operational difficulty of identifying and dismantling the traditional C2 infrastructure; on the other, the need to gain visibility into encrypted activity that resembles legitimate traffic. Mitigation strategies for corporate devices should include behaviour-based detection (e.g. processes that open local proxies or create unusual sockets on localhost), endpoint telemetry that identifies Android processes holding sensitive permissions, and egress controls that can identify persistent flows to overlay networks. At the technical level, it is appropriate to monitor the appearance of local proxy processes on Android devices and to audit permissions such as accessibility access, notifications and SMS that TrickMo usually requests.
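The behaviour-based checks suggested above (app-owned listeners on localhost, persistent egress flows, and a permission audit) can be turned into a small triage routine over device telemetry. The following is an added example written for this article, not code from ThreatFabric or from the TrickMo analysis; the socket-table format, the 600-second persistence threshold and all package names and addresses are constructed assumptions. The permission strings are real Android manifest permissions.

```python
"""Behaviour-based triage of Android socket and permission telemetry for the
local-proxy and tunnel footprint described above. All sample data is constructed
for this example; the socket-table format is an assumed export, not the output
of a specific tool."""
from collections import defaultdict
from dataclasses import dataclass

APP_UID_MIN = 10000      # Android assigns UIDs from 10000 upward to installed apps
PERSISTENT_SECS = 600    # assumed threshold: flows older than this count as persistent


@dataclass
class Socket:
    pkg: str      # package that owns the socket
    uid: int
    proto: str    # tcp / udp
    laddr: str
    lport: int
    raddr: str    # "" for listening sockets
    rport: int
    state: str    # LISTEN / ESTAB / UNCONN
    age_s: int    # seconds since the socket was opened


def parse_socket_table(text):
    """Parse rows of: pkg uid proto local remote state age_s ('-' = no peer)."""
    rows = []
    for line in text.strip().splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        pkg, uid, proto, local, remote, state, age = line.split()
        laddr, lport = local.rsplit(":", 1)
        raddr, rport = remote.rsplit(":", 1) if remote != "-" else ("", "0")
        rows.append(Socket(pkg, int(uid), proto, laddr, int(lport),
                           raddr, int(rport), state, int(age)))
    return rows


def is_loopback(addr):
    return addr in ("127.0.0.1", "::1", "localhost")


def local_proxy_listeners(sockets):
    """App-owned sockets listening on loopback: the footprint of a local proxy
    (SOCKS, SSH forward or overlay-network proxy) that other code talks to."""
    return [s for s in sockets
            if s.state == "LISTEN" and s.uid >= APP_UID_MIN and is_loopback(s.laddr)]


def persistent_egress(sockets):
    """Long-lived app flows to a remote peer; TCP and 'connected' UDP both count."""
    return [s for s in sockets
            if s.state in ("ESTAB", "UNCONN") and s.raddr and not is_loopback(s.raddr)
            and s.uid >= APP_UID_MIN and s.age_s >= PERSISTENT_SECS]


def correlate(sockets):
    """Per package: a loopback listener plus persistent egress is the combination
    a tunnelling proxy produces, so it scores 'high'; either alone is 'medium'."""
    listeners, egress = defaultdict(list), defaultdict(list)
    for s in local_proxy_listeners(sockets):
        listeners[s.pkg].append(s)
    for s in persistent_egress(sockets):
        egress[s.pkg].append(s)
    findings = {}
    for pkg in set(listeners) | set(egress):
        reasons = []
        if listeners[pkg]:
            reasons.append("loopback listener on port(s) %s"
                           % sorted(s.lport for s in listeners[pkg]))
        if egress[pkg]:
            reasons.append("persistent egress to %s"
                           % sorted(f"{s.raddr}:{s.rport}" for s in egress[pkg]))
        findings[pkg] = ("high" if len(reasons) == 2 else "medium", reasons)
    return findings


# Manifest permissions the text names as worth auditing (real Android permission strings).
SENSITIVE_PERMS = {
    "android.permission.BIND_ACCESSIBILITY_SERVICE": "accessibility service",
    "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE": "notification access",
    "android.permission.RECEIVE_SMS": "SMS interception",
    "android.permission.READ_SMS": "SMS read",
    "android.permission.SYSTEM_ALERT_WINDOW": "draw over other apps",
}


def audit_permissions(pkg_perms):
    """Map each package to the sensitive capabilities its manifest declares."""
    return {pkg: [SENSITIVE_PERMS[p] for p in perms if p in SENSITIVE_PERMS]
            for pkg, perms in pkg_perms.items()}


# Constructed sample: a benign browser, a messenger with a long-lived push
# connection (a realistic false positive), a fake streaming player with the proxy
# footprint, and a system process that must be ignored (UID below 10000).
SAMPLE_SOCKETS = """
# pkg uid proto local remote state age_s
com.example.browser      10123 tcp 10.0.0.5:41822  198.51.100.20:443  ESTAB  35
com.example.messenger    10098 tcp 10.0.0.5:39110  198.51.100.44:5222 ESTAB  7200
com.example.streamplayer 10234 tcp 127.0.0.1:1080  -                  LISTEN 4200
com.example.streamplayer 10234 tcp 127.0.0.1:8022  -                  LISTEN 4200
com.example.streamplayer 10234 udp 10.0.0.5:52001  203.0.113.17:30310 UNCONN 4100
system_server            1000  tcp 127.0.0.1:5037  -                  LISTEN 99999
"""

SAMPLE_PERMS = {  # constructed manifests
    "com.example.streamplayer": ["android.permission.INTERNET",
                                 "android.permission.RECEIVE_SMS",
                                 "android.permission.SYSTEM_ALERT_WINDOW",
                                 "android.permission.BIND_ACCESSIBILITY_SERVICE"],
    "com.example.messenger": ["android.permission.INTERNET",
                              "android.permission.RECEIVE_SMS"],
}

if __name__ == "__main__":
    perms = audit_permissions(SAMPLE_PERMS)
    for pkg, (sev, why) in sorted(correlate(parse_socket_table(SAMPLE_SOCKETS)).items()):
        print(f"{pkg}: {sev} | {'; '.join(why)} | perms: {perms.get(pkg, [])}")
```

The correlation step is what keeps the noise down: a messenger with a long-lived push connection scores only "medium" on its own, while the fake player that both listens on loopback and holds a persistent UDP flow scores "high", and its manifest audit adds the accessibility, overlay and SMS capabilities the article describes as TrickMo's usual requests.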


For mobile users, viable protection remains preventive: download apps only from Google Play, prefer apps from reputable publishers, keep Play Protect on and limit the number of apps installed. Google documents Play Protect and good practices in its help center: https://support.google.com/googleplay/answer/2812853. It is also recommended not to enable installation from unknown sources, to review suspicious permissions (especially accessibility, SMS and the ability to draw over other apps) and to use strong authentication factors for financial services, ideally combining passwords with independent authenticators or physical keys whenever possible.

If a device shows symptoms (unusually high battery consumption, applications that ask for extra permissions when installed, bank messages that never arrive, or unauthorized transactions), it is appropriate to isolate the device, change passwords from a clean device and immediately notify the bank. For companies, an appropriate response includes blocking affected accounts, enforcing MFA, conducting forensic analysis of the handset and reviewing egress and proxy logs that can reveal tunnels or port forwards.

Finally, the inclusion of frameworks such as Pine (though inactive for now in this variant) and unused NFC capability declarations show that the operators keep code "ready to" activate future functions. This underlines that mobile threats evolve both in offensive capabilities and in infrastructure-evasion techniques. Defenders need to adapt mobile telemetry, user awareness and application-control policies to reduce the attack surface and detect abnormal behaviour before it turns into financial fraud.
