What happened
ThreatFabric has identified a new variant of the TrickMo Android banking malware, tracked as TrickMo.C, that introduces TON blockchain-based command-and-control communications designed to resist traditional takedown methods. The variant has been observed since January 2026 and is targeting banking and cryptocurrency wallet users in France, Italy, and Austria, disguised as TikTok or streaming applications.
TrickMo has been in active development since its first appearance in September 2019, with 40 variants documented across 16 droppers and 22 distinct C2 infrastructures as of October 2024. The defining feature of the current variant is its use of The Open Network, a decentralized peer-to-peer network originally developed around the Telegram ecosystem, for operator communications. The malware runs an embedded local TON proxy on the infected device and communicates with the operator through .ADNL addresses, which use 256-bit identifiers rather than conventional domains. This approach hides the IP address and communication port of the C2 infrastructure within TON’s encrypted overlay network, making the real server endpoints impossible to identify through public DNS and difficult to block at the network edge.
ThreatFabric notes that traditional domain takedowns are ineffective against this approach because the operator’s endpoints do not rely on the public DNS hierarchy. Network-level traffic inspection sees only encrypted TON traffic, which is indistinguishable from any other legitimate TON-enabled application’s outbound communications.
Who is affected
Android users in France, Italy, and Austria are the confirmed targets of the current campaign, primarily those using banking applications and cryptocurrency wallets. The malware’s disguise as popular streaming or social media applications broadens the potential victim pool beyond dedicated financial app users.
Why CISOs should care
The adoption of TON for C2 communications is a meaningful step forward in evasion for mobile banking malware. Domain-based blocking, DNS sinkholes, and IP reputation feeds are among the most common defenses against known C2 infrastructure. TON’s overlay network renders all of these controls ineffective against TrickMo.C, because the C2 endpoints exist entirely outside the public DNS hierarchy. With organizations increasingly managing BYOD and corporate Android devices used for mobile banking and enterprise authentication, mobile malware that evades standard network controls deserves the same level of attention as desktop threats.
3 practical actions
Implement mobile threat defense solutions capable of behavioral detection on Android devices: Network-layer controls are ineffective against TON-based C2. Mobile threat defense tools that perform on-device behavioral analysis, flagging suspicious accessibility service abuse, overlay attacks, and unusual outbound traffic patterns, provide the most reliable detection surface for TrickMo.C and similar variants.
Restrict sideloaded application installation on managed and BYOD Android devices: TrickMo.C is delivered as a fake TikTok or streaming app outside official app stores. MDM policies that enforce Play Store-only installation and block sideloaded APKs directly interrupt this delivery method on devices with corporate access.
Monitor for anomalous TON network traffic from mobile endpoints on corporate networks: While TON traffic is encrypted and indistinguishable from legitimate TON usage in terms of content, organizations that have no legitimate use for TON on corporate or managed mobile devices can treat any outbound TON traffic as anomalous and investigate accordingly.
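The third action above assumes a way to tell TON traffic apart from everything else leaving the mobile VLAN, even though the payload is encrypted. The following Python script is an added example written for this brief, not code from ThreatFabric or from the TrickMo report. It rests on two assumptions that the article does not state: that the IPs and ports of public TON DHT nodes and liteservers can be taken from the TON global config (published at https://ton.org/global.config.json, where "ip" fields are signed 32-bit integers), and that flow records are available as a CSV export. The config fragment, the flow lines, and the 10.50.0.0/16 mobile VLAN are all constructed for the example.

```python
"""Flag outbound TON (ADNL) traffic from mobile endpoints.

Added example, not ThreatFabric's code. Assumptions (not from the article):
- TON node IPs/ports come from the public TON global config
  (https://ton.org/global.config.json); its "ip" fields are signed 32-bit ints.
- Flow records are a CSV export with the columns used below.
- The mobile/BYOD VLAN is 10.50.0.0/16 (constructed).
"""
import csv
import io
import ipaddress
import json
from dataclasses import dataclass

MOBILE_NET = ipaddress.ip_network("10.50.0.0/16")  # constructed: mobile/BYOD VLAN

# Constructed stand-in for global.config.json, mirroring the real file's layout
# (dht.static_nodes.nodes[].addr_list.addrs[].ip/port and liteservers[].ip/port).
SAMPLE_GLOBAL_CONFIG = json.dumps({
    "dht": {"static_nodes": {"nodes": [
        {"addr_list": {"addrs": [{"ip": -889163510, "port": 22096}]}},  # 203.0.113.10
    ]}},
    "liteservers": [{"ip": -969710585, "port": 13833}],                  # 198.51.100.7
})

# Constructed NetFlow-style CSV export; not captured from any real network.
SAMPLE_FLOWS = """\
ts,src_ip,dst_ip,proto,dst_port,bytes
2026-02-03T09:14:02Z,10.50.12.7,203.0.113.10,udp,22096,1420
2026-02-03T09:14:05Z,10.50.12.7,198.51.100.7,udp,13833,880
2026-02-03T09:15:11Z,10.50.12.7,142.250.74.46,tcp,443,5120
2026-02-03T09:16:40Z,10.20.3.9,203.0.113.10,udp,22096,1300
2026-02-03T09:17:02Z,10.50.40.2,198.51.100.7,tcp,443,2048
"""


def ton_int_to_ip(value: int) -> str:
    """Convert the signed 32-bit integer used in TON configs to dotted form."""
    return str(ipaddress.IPv4Address(value & 0xFFFFFFFF))


def load_ton_endpoints(config_json: str) -> set[tuple[str, int]]:
    """Collect (ip, port) pairs of DHT static nodes and liteservers from a config."""
    cfg = json.loads(config_json)
    endpoints = set()
    for node in cfg.get("dht", {}).get("static_nodes", {}).get("nodes", []):
        for addr in node.get("addr_list", {}).get("addrs", []):
            endpoints.add((ton_int_to_ip(addr["ip"]), int(addr["port"])))
    for ls in cfg.get("liteservers", []):
        endpoints.add((ton_int_to_ip(ls["ip"]), int(ls["port"])))
    return endpoints


@dataclass(frozen=True)
class Alert:
    ts: str
    src_ip: str
    dst_ip: str
    dst_port: int
    reason: str


def find_ton_flows(flow_csv: str, endpoints: set[tuple[str, int]]) -> list[Alert]:
    """Return one Alert per flow from the mobile VLAN that touches a known TON node.

    An exact (ip, port) hit is the high-confidence case (ADNL over UDP to a
    bootstrap node). A hit on the node IP alone is reported with a weaker reason
    so an analyst can still triage it rather than lose it.
    """
    known_ips = {ip for ip, _ in endpoints}
    alerts: list[Alert] = []
    for row in csv.DictReader(io.StringIO(flow_csv)):
        src = ipaddress.ip_address(row["src_ip"])
        if src not in MOBILE_NET:
            continue  # policy scope: only mobile endpoints are expected to be TON-free
        dst, port = row["dst_ip"], int(row["dst_port"])
        if (dst, port) in endpoints:
            reason = "known-ton-endpoint"
        elif dst in known_ips:
            reason = "known-ton-node-ip-other-port"
        else:
            continue
        alerts.append(Alert(row["ts"], row["src_ip"], dst, port, reason))
    return alerts


def hosts_to_investigate(alerts: list[Alert]) -> dict[str, int]:
    """Count alerts per source host so the noisiest devices are triaged first."""
    counts: dict[str, int] = {}
    for a in alerts:
        counts[a.src_ip] = counts.get(a.src_ip, 0) + 1
    return counts


if __name__ == "__main__":
    eps = load_ton_endpoints(SAMPLE_GLOBAL_CONFIG)
    for alert in find_ton_flows(SAMPLE_FLOWS, eps):
        print(alert)
    print(hosts_to_investigate(find_ton_flows(SAMPLE_FLOWS, eps)))
```

In production the config would be fetched and refreshed on a schedule rather than embedded, and the matching would run over the flow collector's export instead of the constructed sample; the flow from 10.20.3.9 is deliberately outside the mobile VLAN to show the policy scope from the article (TON is only treated as anomalous where there is no legitimate use for it). Because a device running its own local TON proxy must still reach public DHT nodes to bootstrap into the overlay, this bootstrap contact is the observable that survives the encrypted payload.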
Also in the news today:
- New GhostLock Tool Abuses Windows API to Block File Access
- Official Checkmarx Jenkins Plugin Compromised With Infostealer
- OpenAI Launches Daybreak Initiative to Automate Vulnerability Detection and Remediation
- Texas Sues Netflix Over Alleged Unauthorized Data Collection and Sharing
- UK Water Company Fined After Hackers Lurked Undetected for Nearly Two Years
- OpenLoop Health Data Breach Confirmed at 716,000 Individuals
- Instructure Pays Ransom to Resolve Canvas Data Breach Affecting 275 Million Users
