Full Report
Cybersecurity researchers have flagged a new version of the TrickMo Android banking trojan that uses The Open Network (TON) for command-and-control (C2). The new variant, which ThreatFabric observed between January and February 2026, actively targets banking and cryptocurrency wallet users in France, Italy, and Austria. "TrickMo relies on a runtime-loaded APK (dex.module),
Analysis Summary
# Tool/Technique: TrickMo (TON Variant)
## Overview
TrickMo is a sophisticated Android-based banking trojan designed to intercept financial credentials, two-factor authentication (2FA) codes, and cryptocurrency assets. This specific variant is notable for its adoption of **The Open Network (TON)** blockchain infrastructure for Command-and-Control (C2) communications, enhancing its resilience against traditional server takedowns.
## Technical Details
- **Type:** Malware Family (Banking Trojan)
- **Platform:** Android
- **Capabilities:** Overlay attacks, SMS interception, keylogging, screen recording, remote access, and C2 communication via decentralized networks (TON).
- **First Seen:** Early variants date back to 2019/2020; this TON-specific variant was observed in January/February 2026.
## MITRE ATT&CK Mapping
- **TA0037 - Command and Control**
  - T1102.003 - Web Service: One-Way Communication (TON Blockchain)
  - T1573 - Encrypted Channel
- **TA0038 - Credential Access**
  - T1417.001 - Input Injection (Overlay Attacks)
  - T1636.002 - Keylogging
- **TA0041 - Collection**
  - T1513 - Screen Capture
  - T1639 - SMS/MMS Interception
- **TA0034 - Execution**
  - T1407 - Dynamic Code Loading (Runtime-loaded APK)
## Functionality
### Core Capabilities
- **Overlay Attacks:** Projects fake login windows over legitimate banking and crypto-wallet applications to harvest user credentials.
- **SMS Interception:** Steals incoming SMS messages to bypass 2FA (One-Time Passwords).
- **Runtime Loading:** Utilizes a secondary payload (often named `dex.module`) loaded at runtime to execute its core malicious logic, helping to evade static analysis of the initial dropper.
### Advanced Features
- **TON-Based C2:** Uses the TON blockchain (often via Telegram-linked infrastructure) to receive commands, making it harder for law enforcement to block the C2 traffic.
- **Accessibility Services Exploitation:** Abuses Android Accessibility Services to automate clicks, bypass security prompts, and log keystrokes.
- **VNC/Remote Control:** Allows attackers to remotely navigate the device and perform transactions in real-time.
## Indicators of Compromise
- **File Names:** `dex.module`, `payload.apk`
- **Network Indicators:**
  - `toncenter[.]com` (API interaction for C2)
  - `ton[.]access` access points
  - Sub-domain patterns mimicking legitimate financial services.
- **Behavioral Indicators:**
  - Requesting Accessibility Services permissions immediately after installation.
  - Unusual background service activity associated with Telegram/TON network protocols.
  - Disabling Google Play Protect via automated accessibility scripts.
## Associated Threat Actors
- Unknown (Attributed to financially motivated cybercriminals focusing on European targets).
## Detection Methods
- **Signature-based detection:** Scanning for specific hashes of the runtime-loaded `dex.module`.
- **Behavioral detection:** Monitoring for apps that request Accessibility Services and frequently overlay on top of financial applications.
- **Network-based detection:** Identifying unusual traffic patterns to TON-related URLs or API endpoints from non-wallet applications.
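The following triage script is an added example, not part of the report or ThreatFabric's tooling: it applies the behavioral and network heuristics above to constructed per-app telemetry. The `key=value` line format, the package names and the wallet allowlist are assumptions; the TON hosts come from the Indicators of Compromise section.

```python
import re
from collections import defaultdict

# TON endpoints named in the report as C2 indicators (defanged "[.]" undone here).
TON_HOST_RE = re.compile(r"(^|\.)(toncenter\.com|ton\.access)$", re.IGNORECASE)

# Assumption: packages the organisation expects to talk to TON (hypothetical name).
WALLET_ALLOWLIST = {"org.example.tonwallet"}

# Permission pair behind the overlay + accessibility abuse described in the report.
RISKY_PERMS = {"android.permission.BIND_ACCESSIBILITY_SERVICE",
               "android.permission.SYSTEM_ALERT_WINDOW"}

TOKEN_RE = re.compile(r"(\w+)=(\S+)")

def parse_events(lines):
    """Aggregate key=value telemetry lines into {package: {"perm": set, "dst": set}}."""
    apps = defaultdict(lambda: {"perm": set(), "dst": set()})
    for line in lines:
        kv = dict(TOKEN_RE.findall(line))
        pkg = kv.get("pkg")
        if not pkg:
            continue  # skip lines that carry no package attribution
        if "perm" in kv:
            apps[pkg]["perm"].add(kv["perm"])
        if "dst" in kv:
            apps[pkg]["dst"].add(kv["dst"].lower())
    return apps

def assess(pkg, info):
    """Return the report's detection heuristics that fire for one package."""
    findings = []
    ton = sorted(h for h in info["dst"] if TON_HOST_RE.search(h))
    if ton and pkg not in WALLET_ALLOWLIST:
        findings.append("non-wallet app contacts TON endpoint: " + ", ".join(ton))
    if RISKY_PERMS <= info["perm"]:
        findings.append("holds accessibility + overlay permissions")
    return findings

def triage(lines):
    """Map each suspicious package to the list of heuristics it triggered."""
    result = {}
    for pkg, info in parse_events(lines).items():
        findings = assess(pkg, info)
        if findings:
            result[pkg] = findings
    return result

# Constructed sample telemetry; package names are hypothetical.
SAMPLE_LOG = [
    "2026-02-03T10:11:12Z pkg=com.example.sysupdate dst=api.toncenter.com",
    "2026-02-03T10:11:13Z pkg=com.example.sysupdate perm=android.permission.BIND_ACCESSIBILITY_SERVICE",
    "2026-02-03T10:11:14Z pkg=com.example.sysupdate perm=android.permission.SYSTEM_ALERT_WINDOW",
    "2026-02-03T10:12:00Z pkg=org.example.tonwallet dst=toncenter.com",
    "2026-02-03T10:12:30Z pkg=com.example.weather dst=weather.example.net",
]

if __name__ == "__main__":
    for pkg, findings in triage(SAMPLE_LOG).items():
        print(pkg, "->", "; ".join(findings))
```

Only the hypothetical `com.example.sysupdate` package is flagged: it reaches a TON host without being an allowlisted wallet and also holds both risky permissions, while the allowlisted wallet's TON traffic is treated as expected.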
## Mitigation Strategies
- **Prevention measures:** Disable "Install from Unknown Sources" and refrain from side-loading APKs from third-party sites or SMS links.
- **Hardening recommendations:** Use hardware-based security keys (U2F) where possible, as they are resistant to the SMS interception and overlay attacks used by TrickMo.
- **User Education:** Train users to identify suspicious requests for Accessibility Service permissions.
## Related Tools/Techniques
- **TeaBot (Anatsa):** Shares similar overlay and accessibility abuse techniques.
- **Ermac:** Another banking trojan targeting the same geographies and asset types.
- **GodFather:** Known for extensive overlay libraries for European banking apps.