{"id":891,"date":"2026-05-12T13:43:51","date_gmt":"2026-05-12T13:43:51","guid":{"rendered":"https:\/\/thedigitalfortress.us\/?p=891"},"modified":"2026-05-12T13:43:51","modified_gmt":"2026-05-12T13:43:51","slug":"new-trickmo-variant-uses-ton-c2-and-socks5-to-create-android-network-pivots","status":"publish","type":"post","link":"https:\/\/thedigitalfortress.us\/?p=891","title":{"rendered":"New TrickMo Variant Uses TON C2 and SOCKS5 to Create Android Network Pivots"},"content":{"rendered":"
\n

\ue804<\/i>Ravie Lakshmanan<\/span>\ue802<\/i>May 12, 2026<\/span><\/span>Malware \/ Mobile Security<\/span><\/p>\n<\/div>\n

\n
<\/a><\/div>\n

Cybersecurity researchers have flagged a new version of the TrickMo<\/strong> Android banking trojan that uses The Open Network (TON) for command-and-control (C2).<\/p>\n

The new variant, observed by ThreatFabric between January and February 2026, has been observed actively targeting banking and cryptocurrency wallet users in France, Italy, and Austria.<\/p>\n

\u00abTrickMo relies on a runtime-loaded APK\u00a0 (dex.module), used also by the previous variant, but updated with new features adding new network-oriented functionality, including reconnaissance, SSH tunnelling, and SOCKS5 proxying capabilities that allow infected devices to function as programmable network pivots and traffic-exit nodes,\u00bb the Dutch mobile security company said<\/a> in a report shared with The Hacker News.<\/p>\n

TrickMo is the name assigned to a device takeover (DTO) malware that’s been active in the wild since late 2019. It was first flagged by CERT-Bund and IBM X-Force, describing its ability to abuse Android’s accessibility services to hijack one-time passwords (OTPs).<\/p>\n

\n
\"Cybersecurity\"<\/a><\/div>\n<\/div>\n

It’s also equipped with a wide range of features to phish for credentials, log keystrokes, record screen, facilitate live screen streaming, intercept SMS messages, essentially granting the operator complete remote control of the device.<\/p>\n

The latest versions, labeled TrickMo C, are distributed via phasing websites and dropper apps, the latter of which serve as a conduit for a dynamically loaded APK (\u00abdex.module\u00bb) that’s retrieved at runtime from attacker-controlled infrastructure. A notable shift in the architecture entails the use of the TON decentralized blockchain for stealthy C2 communications.<\/p>\n

\u00abTrickMo carries an embedded native TON proxy that the host APK starts on a loopback port at process start,\u00bb ThreatFabric said. \u00abThe bot’s HTTP client is wired through that proxy, so every outbound command-and-control request is addressed to an .adnl hostname and resolved through the TON overlay.\u00bb<\/p>\n

Dropper apps containing the malware masquerade as adult versions of TikTok, whereas the actual malware impersonates Google Play Services –<\/p>\n