New TrickMo Variant: Device Take Over malware targeting Banking, Fintech, Wallet & Auth apps

11 May 2026

Modern Android banking malware increasingly evolves through architectural redesigns intended to improve stealth, resilience, and operational flexibility rather than through entirely new user-facing capabilities. As platform protections and detection measures continue to improve, operators adapt by redesigning communication layers, modularising offensive functionality, and strengthening persistence and remote-control mechanisms.

Between January and February 2026 our Mobile Threat Intelligence Team identified and began tracking a new variant of the TrickMo Android banking-trojan family in active distribution.

The variant is a direct evolution of the previously documented TrickMo: the on-device feature set is largely unchanged, but the platform underneath has been deliberately re-engineered for stealth, resilience and operator reach. The most visible change is at the network layer, where the bot's command-and-control traffic has been moved off the conventional internet entirely and onto The Open Network (TON). Several other components — the loader stage, the configuration store, the application identity, and the scope of operator commands — have been overhauled in parallel. This variant, which we track as TrickMo C, is in our assessment not a capability rewrite but a substantial platform redesign.

Key takeaways of this report are:

  • We identified a new TrickMo variant, active in campaigns targeting banking and wallet users in France, Italy, and Austria.
  • Telemetry and infrastructure observations indicate that this new variant is progressively replacing its predecessor across active operator campaigns.
  • The malware’s primary command-and-control channel has been migrated onto The Open Network (TON) using .adnl endpoints routed through an embedded local TON proxy.
  • TrickMo still relies on a runtime-loaded APK (package name dex.module), also used by the previous variant, but the module has been updated with new network-oriented functionality: reconnaissance, SSH tunnelling and SOCKS5 proxying, which let infected devices function as programmable network pivots and traffic-exit nodes.

An Ongoing Threat

TrickMo is Device Take Over (DTO) malware targeting banking, fintech, wallet and authenticator applications on Android. Once the user grants the accessibility-service permission (a grant the bot's on-device automation actively coerces), the operator obtains a real-time interactive view of the device.

The capability set covers:

  • Credential phishing through fullscreen WebView overlays imitating the legitimate banking app

  • Keylogging that captures typed text and field metadata correlated with the foreground package

  • Screen recording and live screen streaming

  • Full bidirectional remote control of the device via a real-time channel that replays operator-issued gestures and inputs through the accessibility service

  • Real-time SMS and notification interception (including silent suppression of one-time-password push messages)

  • On-device network pivoting that turns the infected handset into a programmable network exit node.

Across the period covered by this report we have observed multiple parallel campaigns operating against banking and wallet customers in France, Italy, and Austria, based on the campaign tags carried in each bot's telemetry. 

Tag            Description                    Region
LS             App named "Live Streaming"     undetermined
Tic_Italy_FB   TikTok campaign over Facebook  Italy
Tic_France_FB  TikTok campaign over Facebook  France
Tic_AT         TikTok campaign                Austria
tiktok         TikTok campaign                undetermined

A TON of new features

A C2 Communication overhaul

The single largest architectural change in TrickMo is that the bot no longer reaches its operator over the conventional internet. The primary command-and-control transport has been moved onto The Open Network (TON), a decentralised peer-to-peer overlay network originally developed by Telegram, with its own routing and naming layer, ADNL (the Abstract Datagram Network Layer). Hosts inside TON are not addressed by DNS names or by IPs in the public routing table; they are addressed by opaque base32 strings under a .adnl pseudo-TLD, which the TON network resolves through its own decentralised infrastructure.


NOTE: The Open Network (TON) is a legitimate decentralised networking and blockchain platform with a wide range of lawful uses. The use of TON infrastructure by TrickMo C reflects decisions made by the malware operators and does not imply malicious intent, involvement, endorsement, or responsibility on the part of the TON project, its developers, or associated organisations. This report discusses TON solely in the context of how it is being abused as a transport mechanism by a third-party threat actor.



TrickMo carries an embedded native TON proxy that the host APK starts on a loopback port at process start. The bot's HTTP client is wired through that proxy, so every outbound command-and-control request is addressed to an .adnl hostname and resolved through the TON overlay.

For the small set of clearnet hostnames the bot still needs, it replaces its HTTP client's DNS resolver with a public DNS-over-HTTPS endpoint, so even those lookups never reach the device's local resolver.
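The following is an added example, not code from TrickMo or from this report, showing what that DNS-over-HTTPS path looks like on the wire (RFC 8484): the GET form carries the raw DNS query base64url-encoded in a dns= parameter, and the answer comes back as an ordinary DNS message in the HTTP body, so the device's configured resolver never sees the name. The endpoint URL and the response bytes are constructed; the report does not say which public DoH provider the bot uses. query_from_url is the corresponding defender step, recovering the looked-up name from a logged or intercepted DoH URL.

```python
"""RFC 8484 DNS-over-HTTPS message construction and parsing, offline.
Added example, not TrickMo code: builds the GET-form DoH request and reads the answer out
of the DNS message returned in the HTTP body. No network is used; the response bytes and
the endpoint URL are constructed for the demonstration."""
import base64
import struct
from urllib.parse import parse_qs, urlsplit


def build_query(name, qtype=1, txid=0):
    """Wire-format DNS query (RFC 1035). txid 0 is the RFC 8484 recommendation for cacheability."""
    labels = b"".join(bytes([len(lab)]) + lab.encode() for lab in name.rstrip(".").split("."))
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)   # RD=1, one question
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)


def doh_get_url(base_url, name, qtype=1):
    """GET form: the query goes base64url-encoded, without '=' padding, in ?dns=."""
    q = base64.urlsafe_b64encode(build_query(name, qtype)).rstrip(b"=").decode()
    return f"{base_url}?dns={q}"


def _read_name(msg, off):
    """Decode a possibly compression-pointer name; returns (name, offset after the field)."""
    parts, jumped, end = [], False, None
    while True:
        n = msg[off]
        if n & 0xC0 == 0xC0:                                      # 2-byte pointer into the message
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2
            off, jumped = ptr, True
            continue
        off += 1
        if n == 0:
            break
        parts.append(msg[off:off + n].decode())
        off += n
    return ".".join(parts), (end if jumped else off)


def parse_answers(msg):
    """Return [(name, type, ttl, rdata)] from a DNS response; A records rendered dotted-quad."""
    _, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if flags & 0x8000 == 0:
        raise ValueError("not a response (QR bit clear)")
    off = 12
    for _ in range(qd):                                           # skip the question section
        _, off = _read_name(msg, off)
        off += 4
    out = []
    for _ in range(an):
        name, off = _read_name(msg, off)
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        out.append((name, rtype, ttl, ".".join(map(str, rdata)) if rtype == 1 else rdata))
    return out


def query_from_url(url):
    """Defender side: recover the queried name from a logged DoH GET URL."""
    param = parse_qs(urlsplit(url).query)["dns"][0]
    raw = base64.urlsafe_b64decode(param + "=" * (-len(param) % 4))   # restore padding
    return _read_name(raw, 12)[0]


# Constructed DoH response body for an A query of example.invalid: flags 0x8180 (response,
# recursion available), the echoed question, one answer with TTL 300 whose owner name is a
# pointer (0xC00C) back to the question name.
SAMPLE_RESPONSE = (
    struct.pack("!HHHHHH", 0, 0x8180, 1, 1, 0, 0)
    + build_query("example.invalid")[12:]
    + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([203, 0, 113, 7])
)

if __name__ == "__main__":
    url = doh_get_url("https://doh.example/dns-query", "example.invalid")
    print(url)
    print(query_from_url(url), parse_answers(SAMPLE_RESPONSE))
```

Detection consequence: where TLS is inspected on the device or at egress, a GET to a /dns-query style path with a dns= parameter, or a POST with Content-Type application/dns-message, is the artefact to look for, and the base64url payload decodes to a plain DNS query as above. Without TLS inspection the lookup is visible only as HTTPS to the provider, which is the point of the design.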

The properties this design buys the operator are clear and mutually reinforcing. Traditional domain takedowns are largely ineffective because the operator’s endpoints do not rely on the public DNS hierarchy and instead exist as TON .adnl identities resolved inside the overlay network itself.

Traffic-pattern detection at the network edge sees only TON traffic, which is encrypted and indistinguishable from any other TON-enabled application's outbound flow. The flip side, for defenders, is that TON overlay traffic originating from a managed handset with no TON-capable application installed is itself an anomaly worth alerting on.

A modular Architecture - improved over time

Although TrickMo has been documented multiple times in the past, previous public reporting did not meaningfully describe the family’s modular architecture beyond occasional references to a loadModule command. During our analysis, we identified an externally downloaded DEX module used by the malware, with samples dating back to at least December 2024. The module was only delivered to devices connecting from specific geographic regions, suggesting deliberate server-side filtering of infections.

The host APK acts primarily as a launcher and persistence layer, while the offensive functionality is delivered separately through a dynamically loaded APK with package name "dex.module", fetched from operator infrastructure at runtime and injected into the running process.

This module contained the malware's core accessibility-driven remote-control functionality, exposed over a socket.io-based channel that is used to maintain low-latency sessions.

In addition, the previous version implemented hooking using the Pine framework (which has also been seen in other malware families like Godfather) to intercept networking calls and interactions with Google's Firebase Cloud Messaging.

The differences in the new variant

Network reconnaissance and tunnelling — entirely new.

The largest functional addition in this variant, and the change that justifies framing the family as a managed foothold rather than purely a banking trojan, is a network-operative subsystem. Five operator commands run network primitives from the device's vantage point and return the results upstream:

Command     Description
curl        Full curl-CLI HTTP probe (any method, headers, body)
dnsLookup   Platform-resolver DNS lookup for any hostname
ping        ICMP echo via the platform's /system/bin/ping
telnet      TCP-connect probe with timeout, multiple ports supported
traceroute  Route trace via the platform's /system/bin/traceroute

Together these give the operator a remote shell-equivalent for network reconnaissance from the victim's network position, including any internal corporate or home network the device is currently associated with. dnsLookup deliberately uses the platform resolver rather than the bot's DoH path, so the operator learns what the device's network sees for a given name.

The same subsystem exposes three commands for socket-level tunnelling built on top of an embedded SSH client. An SSH local-forward tunnel opens a device-side port forwarded out to a host the operator's SSH server can reach. An SSH remote-forward tunnel runs the inverse — the operator's SSH server listens on a port that, when connected to, terminates inside the network the device is on; this gives the operator reach into the corporate or home LAN the device is attached to.

An on-device SOCKS5 proxy with user-and-password authentication turns the infected handset into a per-request-routed network exit node. The operationally strong combination is to run the SOCKS5 proxy on a local port and then expose that port through the remote-forward tunnel: the result is an authenticated, SSH-encrypted, per-request-routed programmable network exit running on the victim's device, with outbound traffic that appears to originate from the victim's IP — defeating IP-based fraud-detection heuristics on banking, e-commerce and crypto-exchange services.
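The following is an added example, not code from TrickMo or from this report, that shows the protocol exchange such an on-device exit performs: a minimal SOCKS5 server with RFC 1929 username/password authentication (the proxy role the bot plays) and a client (the operator's side), run end to end over loopback against an echo target standing in for the real destination. The SSH remote-forward step that publishes the port is not part of the example. Ports, the credentials "op"/"s3cret" and the payload are constructed; the bot's own implementation, ports and credential handling are not known from this report.

```python
"""SOCKS5 exit (RFC 1928) with username/password auth (RFC 1929), both sides, run on loopback.
Added example, not TrickMo's code. CONNECT to domain-type targets only; BIND/UDP omitted."""
import contextlib
import socket
import struct
import threading

VER, AUTH_USERPASS, CMD_CONNECT, ATYP_IPV4, ATYP_DOMAIN = 0x05, 0x02, 0x01, 0x01, 0x03

def _recv_exact(sock, n):
    buf = b""                                                   # fields are length-prefixed: read exactly n
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed mid-message")
        buf += chunk
    return buf

def _pump(src, dst):
    """Copy one direction until src closes, then half-close dst so the peer drains and exits."""
    with contextlib.suppress(OSError):
        while data := src.recv(4096):
            dst.sendall(data)
    with contextlib.suppress(OSError):
        dst.shutdown(socket.SHUT_WR)

def handle_client(conn, creds):
    """Proxy side: method negotiation -> RFC 1929 auth -> CONNECT -> bidirectional relay."""
    with conn:
        ver, nmethods = _recv_exact(conn, 2)
        if ver != VER or AUTH_USERPASS not in _recv_exact(conn, nmethods):
            return conn.sendall(bytes([VER, 0xFF]))             # no acceptable method: refuse no-auth
        conn.sendall(bytes([VER, AUTH_USERPASS]))
        _, ulen = _recv_exact(conn, 2)                           # sub-negotiation VER=0x01, ULEN
        user = _recv_exact(conn, ulen).decode()
        passwd = _recv_exact(conn, _recv_exact(conn, 1)[0]).decode()
        ok = creds.get(user) == passwd
        conn.sendall(bytes([0x01, 0x00 if ok else 0x01]))
        if not ok:
            return                                               # RFC 1929: failure closes the link
        _, cmd, _, atyp = _recv_exact(conn, 4)
        if cmd != CMD_CONNECT or atyp != ATYP_DOMAIN:
            return conn.sendall(bytes([VER, 0x07, 0x00, ATYP_IPV4]) + b"\x00" * 6)
        host = _recv_exact(conn, _recv_exact(conn, 1)[0]).decode()
        (port,) = struct.unpack("!H", _recv_exact(conn, 2))
        with socket.create_connection((host, port), timeout=5) as upstream:   # failure closes conn
            ip, bport = upstream.getsockname()[:2]               # BND.ADDR: on a phone, the victim's IP
            conn.sendall(bytes([VER, 0x00, 0x00, ATYP_IPV4]) + socket.inet_aton(ip) + struct.pack("!H", bport))
            back = threading.Thread(target=_pump, args=(upstream, conn), daemon=True)
            back.start()
            _pump(conn, upstream)
            back.join()

def socks5_connect(proxy, user, passwd, host, port):
    """Operator side: returns a socket whose far end is host:port as reached from the exit."""
    s = socket.create_connection(proxy, timeout=5)
    try:
        s.sendall(bytes([VER, 0x01, AUTH_USERPASS]))            # offer exactly one method
        if _recv_exact(s, 2)[1] != AUTH_USERPASS:
            raise PermissionError("proxy does not offer username/password auth")
        u, p = user.encode(), passwd.encode()
        s.sendall(bytes([0x01, len(u)]) + u + bytes([len(p)]) + p)
        if _recv_exact(s, 2)[1] != 0x00:
            raise PermissionError("credentials rejected")
        h = host.encode()
        s.sendall(bytes([VER, CMD_CONNECT, 0x00, ATYP_DOMAIN, len(h)]) + h + struct.pack("!H", port))
        rep = _recv_exact(s, 10)[1]                             # VER REP RSV ATYP BND.ADDR(4) BND.PORT(2)
        if rep != 0x00:
            raise ConnectionError(f"CONNECT failed, REP={rep:#04x}")
        return s
    except Exception:
        s.close()
        raise

def demo_roundtrip(payload=b"GET / HTTP/1.0\r\n\r\n", user="op", passwd="s3cret"):
    """Echo target and proxy on loopback; returns (echoed bytes, wrong-password rejected?)."""
    target, proxy = socket.socket(), socket.socket()
    with target, proxy:
        for lsock in (target, proxy):
            lsock.bind(("127.0.0.1", 0))
            lsock.listen()
        tport, paddr = target.getsockname()[1], proxy.getsockname()
        def proxy_loop():                                        # one rejected attempt, then the session
            for _ in range(2):
                handle_client(proxy.accept()[0], {user: passwd})
        def echo_target():                                       # plain echo server stands in for the target
            with target.accept()[0] as c:
                _pump(c, c)
        threading.Thread(target=proxy_loop, daemon=True).start()
        threading.Thread(target=echo_target, daemon=True).start()
        try:
            socks5_connect(paddr, user, "wrong", "127.0.0.1", tport)
            rejected = False
        except PermissionError:
            rejected = True
        with socks5_connect(paddr, user, passwd, "127.0.0.1", tport) as s:
            s.sendall(payload)
            echoed = _recv_exact(s, len(payload))
        return echoed, rejected

if __name__ == "__main__":
    print(demo_roundtrip())
```

Two details matter for defenders. The proxy refuses clients that cannot offer username/password authentication (it answers 0xFF and closes), so the exit is usable only by whoever holds the credentials; and BND.ADDR in the success reply is the exit's own source address, which on a handset is the victim's IP, the property that defeats IP-reputation checks. When the SOCKS5 port is then published through an SSH remote forward, the operator reaches it via the SSH server and nothing has to listen on the phone's external interface.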

Method hooking — declared but unused

The Pine hooking framework is still bundled in the host APK and is still initialised at process start, but the static code base of both stages contains no actual hook installations. The previous variant's runtime patches against the host's HTTP and Firebase paths are gone, and no equivalent has replaced them. Pine is loaded and idle, ready to be used by code the operator can deliver later through the same runtime-loaded DEX channel that delivers the rest of the module. This is consistent with a broader pattern in variant C of provisioning capabilities in the host that are reserved for hot-pushed code rather than baked in.

NFC permissions declared but unused

The manifest declares the full NFC permission set — basic NFC, preferred-payment-information, and transaction-event — and the bot reports NFC and host-card-emulation feature flags as part of its telemetry. We have not, however, found any reachable NFC code in either stage. NFC is declared and reported but not exercised, which fits the same reserved-capability pattern as the dormant Pine framework. Pre-filtering the device inventory by NFC capability lets the operator decide where a future NFC-targeted payload can succeed without committing to it on the device side.
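The check described above, re-created as an added example (not the authors' tooling): given a decoded AndroidManifest.xml and, per DEX stage, the set of class type descriptors the code references (as produced by dexdump, androguard or similar), it lists permissions that are declared but never backed by a reference to the corresponding framework API in any stage. The manifest and descriptor sets below are constructed samples, not extracts from the TrickMo files, and the permission-to-API mapping is an analyst heuristic, not an Android-defined table.

```python
"""Declared-but-unused permission triage for an Android APK whose code arrives in stages.
Added example, not the report's tooling. Inputs: a decoded AndroidManifest.xml and, per DEX
stage, the set of type descriptors the code references (dexdump/androguard-style output).
The samples below are constructed, not extracted from TrickMo files."""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Analyst heuristic (an assumption, not an Android-defined table): a declared permission
# counts as exercised only if some stage references a type under one of these prefixes.
PERMISSION_MARKERS = {
    "android.permission.NFC": ("Landroid/nfc/",),
    "android.permission.NFC_PREFERRED_PAYMENT_INFO": ("Landroid/nfc/cardemulation/",),
    "android.permission.NFC_TRANSACTION_EVENT": ("Landroid/nfc/cardemulation/",),
    "android.permission.CAMERA": ("Landroid/hardware/Camera", "Landroid/hardware/camera2/"),
    "android.permission.RECORD_AUDIO": ("Landroid/media/AudioRecord", "Landroid/media/MediaRecorder"),
}


def declared_permissions(manifest_xml):
    """Names of all <uses-permission> entries, sorted for stable output."""
    root = ET.fromstring(manifest_xml)
    return sorted(e.get(ANDROID_NS + "name") for e in root.iter("uses-permission"))


def declared_features(manifest_xml):
    """<uses-feature> name -> required flag (Android defaults android:required to true)."""
    root = ET.fromstring(manifest_xml)
    return {e.get(ANDROID_NS + "name"): e.get(ANDROID_NS + "required", "true") == "true"
            for e in root.iter("uses-feature")}


def classify_permissions(manifest_xml, *stage_descriptors):
    """Split declared permissions into dormant / exercised / unmapped.

    All stages' references are unioned first: a permission is only 'dormant' if neither the
    host APK nor any runtime-loaded module touches the corresponding API."""
    refs = set().union(*stage_descriptors)
    result = {"dormant": [], "exercised": [], "unmapped": []}
    for perm in declared_permissions(manifest_xml):
        markers = PERMISSION_MARKERS.get(perm)
        if markers is None:
            result["unmapped"].append(perm)
        elif any(ref.startswith(m) for ref in refs for m in markers):
            result["exercised"].append(perm)
        else:
            result["dormant"].append(perm)
    return result


# Constructed sample manifest: the NFC permission set plus the two NFC features the report
# describes, with CAMERA and FOREGROUND_SERVICE added to exercise the other two outcomes.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="example.host">
  <uses-permission android:name="android.permission.NFC"/>
  <uses-permission android:name="android.permission.NFC_PREFERRED_PAYMENT_INFO"/>
  <uses-permission android:name="android.permission.NFC_TRANSACTION_EVENT"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.FOREGROUND_SERVICE"/>
  <uses-feature android:name="android.hardware.nfc" android:required="false"/>
  <uses-feature android:name="android.hardware.nfc.hce" android:required="false"/>
</manifest>"""

# Constructed type-descriptor sets for a host stage and a runtime-loaded module stage.
HOST_REFS = {"Landroid/accessibilityservice/AccessibilityService;",
             "Landroid/hardware/camera2/CameraManager;", "Ljava/net/Proxy;"}
MODULE_REFS = {"Landroid/view/accessibility/AccessibilityNodeInfo;", "Ljava/net/Socket;"}

if __name__ == "__main__":
    print(classify_permissions(SAMPLE_MANIFEST, HOST_REFS, MODULE_REFS))
    print(declared_features(SAMPLE_MANIFEST))
```

The union across stages is the part that matters for a family like this one: a permission that looks dormant in the host APK alone may be exercised by the runtime-loaded module, so the verdict is only meaningful once every stage that reaches the device has been collected. A dormant-plus-declared-feature result (here android.hardware.nfc and android.hardware.nfc.hce marked not required) is the fingerprint of a capability reserved for later delivery rather than one in use.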

Conclusion

TrickMo C is not a new malware family, but a deliberate platform overhaul focused on stealth, resilience, and operator reach. The platform has been redesigned to be harder to analyse, harder to disrupt, and more operationally flexible than previous variants.

The most significant change is the migration of command-and-control traffic onto The Open Network (TON). Instead of relying on conventional DNS and public internet infrastructure, the malware communicates through .adnl endpoints routed via an embedded local TON proxy, reducing the effectiveness of traditional takedown and network-blocking efforts while making the traffic blend with legitimate TON activity.

This latest variant also expands the operational role of infected devices through SSH tunnelling and authenticated SOCKS5 proxying, effectively turning compromised phones into programmable network pivots and traffic-exit nodes whose connections originate from the victim’s own network environment.

At the same time, the malware provisions capabilities that are not yet actively used. The Pine hooking framework remains bundled and initialised despite no active hook installations being present, and the application declares extensive NFC-related permissions without implementing reachable NFC functionality. Together, these dormant components suggest the operators are preparing the platform for future runtime-delivered features without committing those capabilities directly into the current codebase.

Overall, TrickMo can be seen as a “reborn” threat: not entirely new, but refined and adapted to remain effective in a more secure and scrutinised mobile environment.

Appendix

Indicators of Compromise

SHA-256                                                           Package name               Application name      Role
01889a9ec2abecb73e5e8792be68a4e3bc7dcbe1c3f19ac06763682d63aa8c21  com.app16330.core20461     TikTokApp18+          TrickMo dropper
177ef86c57c31b29850227dbc8288b735bea977587f2f0a49cfc4089a644a2c4  com.app15318.core1173      TikTokApp18+          TrickMo dropper
e2e218ddf698b4c0099fd2a9619d6912a71f75beb51669a4e3ae4fc71f745d03  uncle.collop416.wifekin78  Google Play Services  TrickMo host application
749bbcbc3e5d2d524344d52b6471dfa7b8d3ecdeb0b11ab82c843d497a056c8f  nibong.lida531.butler836   Google Play Services  TrickMo host application
143c0e12d2aa1bdecde59f273139dd5605d00f61cda7f626224e07390119c026  dex.module                 -                     DEX module (old variant)
4cd8635062ff6b0885216a0b1658ebcb2938b670f7ac08ecb0b5fb85d8973ea0  dex.module                 -                     DEX module (new variant)

Bot commands

Commands shown in green are present only in the English fork; commands shown in red are present only in the Turkish fork.

Command                       Description
startVnc                      Start authenticated VNC channel (requires keyId + signature)
stopVnc                       Stop VNC channel
startLocalTunnel              Start SSH local-forward tunnel (device port → SSH server)
startTunnel                   Start SSH remote-forward tunnel (tcpip-forward)
stopTunnel                    Stop active SSH tunnel
startSocks5Proxy              Start on-device SOCKS5 proxy with user/password auth
stopSocks5Proxy               Stop on-device SOCKS5 proxy
startRecord                   Start gesture / screen-activity recording for target packages
curl                          Execute arbitrary HTTP request (full curl CLI parser)
dnsLookup                     Resolve hostname from the device
ping                          ICMP ping via /system/bin/ping
telnet                        TCP port-connect check (multi-port, with timeout)
traceroute                    Route trace via /system/bin/traceroute
uploadArchive                 Exfiltrate files filtered by extension/date as a multipart upload
getScreenshot                 Capture a single screenshot via virtual display
startScreenshotStreaming      Stream continuous screen frames over VNC
stopScreenshotStreaming       Stop screenshot streaming
setNotificationFilter         Set regex (MMKV key "202") for auto-cancelling notifications by package
setGestureConfig              Configure target packages, upload URL and timeout for gesture recording
setKeyLoggerConfig            Set keylogger mode (all / allowlist / blocklist) and target list
setVars                       Bulk-update arbitrary settings keys
setSwitch                     Toggle remote feature flags (e.g. clicker on/off)
setServers                    Update the rotation "Servers" list
openAppSettings               Navigate to the app-info settings screen
openNotificationSettings      Navigate to notification settings
openSetNewPasswordSettings    Navigate to the set-password intent
getInstalledApps              Enumerate installed packages (auto-emitted at module load)
getState                      Return structured device-state JSON (permissions, memory, filter config)
getUsageStats                 UsageStats + UsageEvents for the past month
configureScreenBrightness     Set screen brightness
setRingerMode                 Set ringer mode (silent / vibrate / normal)
runApp                        Launch app by package name
openUrl                       Launch URL via VIEW intent
setClipboardText              Set clipboard contents (operator-driven)
forceConnection               Force immediate event-queue flush
testModule / testModuleError  Health-check entry points

 
