TrickMo Android Malware Uses TON for Stealthy C2 Communications
A new variant of the TrickMo Android banking malware, dubbed TrickMo.C, has been discovered by ThreatFabric. Delivered via droppers disguised as TikTok or streaming apps, it targets banking and cryptocurrency wallet users in France, Italy, and Austria. The key new feature is its use of The Open Network (TON) for command-and-control (C2) communications, employing .ADNL addresses and a local TON proxy on the infected device. This makes traditional domain takedowns ineffective, as operators' endpoints do not rely on public DNS. The malware is modular with a two-stage design: a loader APK and a runtime-downloaded offensive module. Capabilities include phishing overlays, keylogging, screen recording, SMS interception, and clipboard modification. The latest variant adds commands like curl, ping, SSH tunneling, and SOCKS5 proxy support. Although extensive NFC permissions are declared, no active NFC functionality was observed. Android users are advised to download apps only from Google Play and keep Play Protect enabled.
Key facts
- TrickMo.C uses TON with .ADNL addresses for stealthy C2 communication.
- Disguised as TikTok or streaming apps, it targets banking and crypto wallet users in France, Italy, and Austria.
- Modular two-stage design: loader APK and runtime-downloaded offensive module.
- New commands include SSH tunneling, SOCKS5 proxy, ping, curl, and DNS lookup.
- Declares NFC permissions but no active NFC functionality found.
- Traditional domain takedowns ineffective due to TON overlay network.
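The two traits above that matter most to a defender (a C2 endpoint that is a TON .ADNL address rather than a DNS name, and NFC permissions declared in the manifest without any NFC code behind them) can be checked during static triage of a suspicious APK. The following script is an added example, not code from ThreatFabric's report or from the malware; it assumes ADNL endpoints appear either as 64 hex characters or as a lowercase base32-style label ending in ".adnl" (the label length range is an assumption, since the page does not state it), and the strings and manifest fragment it scans are constructed samples, not indicators from the page.

```python
"""
Static triage of strings extracted from an APK (e.g. from decoded resources
or DEX string tables) plus its AndroidManifest.xml, looking for:
  1. TON/ADNL-style C2 endpoints, which public-DNS takedowns cannot reach;
  2. NFC permissions declared without any NFC API reference in the code.
Added example; the ADNL patterns and the samples below are assumptions.
"""
import re
from dataclasses import dataclass, field

# ASSUMPTION: ADNL addresses as 64 hex chars (raw key id) or as a lowercase
# base32-style label of 40-64 chars ending in ".adnl". A bare 64-hex string
# can also be a SHA-256, so it is a weaker signal than the .adnl form.
ADNL_HEX = re.compile(r"\b[0-9a-fA-F]{64}\b")
ADNL_DOMAIN = re.compile(r"\b[a-z2-7]{40,64}\.adnl\b")
# Ordinary DNS hostnames, for contrast: these are what takedowns can target.
PLAIN_HOST = re.compile(r"\bhttps?://([A-Za-z0-9.-]+\.[a-z]{2,})\b")

# Any android.permission.NFC* entry counts as an NFC permission declaration.
NFC_PERMISSION_PREFIX = "android.permission.NFC"
# Class names that real NFC functionality would reference in DEX strings.
NFC_API_MARKERS = ("android/nfc/NfcAdapter", "android.nfc.NfcAdapter",
                   "HostApduService")


@dataclass
class TriageReport:
    adnl_endpoints: list = field(default_factory=list)
    plain_hosts: list = field(default_factory=list)
    nfc_permissions_declared: set = field(default_factory=set)
    nfc_api_referenced: bool = False

    @property
    def takedown_resistant_c2(self) -> bool:
        """True when at least one C2-looking endpoint is an ADNL address."""
        return bool(self.adnl_endpoints)

    @property
    def nfc_permission_without_use(self) -> bool:
        """NFC permissions requested but no NFC API is referenced anywhere."""
        return bool(self.nfc_permissions_declared) and not self.nfc_api_referenced


def triage(strings: list[str], manifest_xml: str) -> TriageReport:
    report = TriageReport()
    for s in strings:
        report.adnl_endpoints += ADNL_DOMAIN.findall(s)
        report.adnl_endpoints += ADNL_HEX.findall(s)
        report.plain_hosts += PLAIN_HOST.findall(s)
        if any(marker in s for marker in NFC_API_MARKERS):
            report.nfc_api_referenced = True
    # Pull every <uses-permission android:name="..."/> from the manifest.
    for perm in re.findall(r'uses-permission[^>]*android:name="([^"]+)"', manifest_xml):
        if perm.startswith(NFC_PERMISSION_PREFIX):
            report.nfc_permissions_declared.add(perm)
    return report


def findings(report: TriageReport) -> list[str]:
    """Human-readable verdict lines, in a stable order."""
    out = []
    if report.takedown_resistant_c2:
        out.append(f"ADNL C2 endpoint(s): {report.adnl_endpoints}")
    if report.plain_hosts:
        out.append(f"DNS-resolvable host(s): {report.plain_hosts}")
    if report.nfc_permission_without_use:
        out.append("NFC permissions declared but no NFC API referenced")
    return out


# Constructed sample input: one normal download host (as a dropper would use)
# and one fake .adnl endpoint; neither is a real indicator.
SAMPLE_STRINGS = [
    "https://cdn.example-streaming.test/update.apk",
    "c2 target: abcdefghijklmnopqrstuvwxyz234567abcdefghijklmnopqrstuvw.adnl",
    "Landroid/telephony/SmsMessage;",
]
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android">
  <uses-permission android:name="android.permission.NFC"/>
  <uses-permission android:name="android.permission.NFC_TRANSACTION_EVENT"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
</manifest>"""

if __name__ == "__main__":
    for line in findings(triage(SAMPLE_STRINGS, SAMPLE_MANIFEST)):
        print(line)
```

The useful output is the contrast: the streaming host is something a registrar or hoster can act on, while the .adnl endpoint only exists inside TON's overlay, so blocking has to happen on the device (Play Protect, app removal) or at the network edge by controlling TON proxy traffic rather than by DNS.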