Android users across parts of Europe face a sharper mobile-fraud threat after a redesigned TrickMo variant began targeting banking, fintech, cryptocurrency wallet and authenticator applications with stronger stealth, persistence and network-control features.
The malware, tracked as TrickMo C, does not appear to be a wholly new family. It is an overhaul of a known Android banking trojan that has been under active development for years, with its operators now shifting emphasis from visible new victim-facing functions to deeper architectural changes that make the platform harder to disrupt and easier to operate at scale.
The latest activity has been linked to campaigns aimed at users in France, Italy and Austria, with malicious apps disguised as TikTok-related or streaming services. Once installed, the malware attempts to push victims into granting Accessibility Service permissions, a powerful Android feature designed to help users with disabilities but frequently abused by banking trojans to automate taps, read screen content and control infected devices.
TrickMo’s core objective remains device takeover. After gaining the required permissions, attackers can view and interact with the handset in real time, display full-screen fake login pages over legitimate financial apps, capture typed credentials, record screens, stream live activity and intercept SMS messages or notifications. That combination is particularly dangerous for banking and wallet users because it can help criminals bypass one-time passwords and transaction checks that rely on the same compromised phone.
The most significant shift is in command-and-control communication. Instead of depending mainly on ordinary internet domains and public DNS, the new variant routes its primary traffic through The Open Network, using .adnl endpoints and an embedded local TON proxy inside the infected device. This gives operators a more resilient communication channel because conventional domain takedowns and network blocks are less effective when the malicious infrastructure is hidden inside a decentralised overlay.
TON itself is a legitimate decentralised network with lawful uses, and its appearance in the malware’s design reflects abuse by criminal operators rather than any indication of responsibility by the network’s developers or users. The technical choice, however, shows how mobile malware groups are borrowing tools from decentralised infrastructure to reduce their exposure to defenders and law enforcement.
The redesigned TrickMo also adds network-reconnaissance and tunnelling functions that move it beyond a conventional banking trojan. Commands observed in the new build include HTTP probing, DNS lookup, ping, telnet and traceroute, allowing operators to map what an infected device can reach from its current network. If the handset is connected to a corporate Wi-Fi or a home router, the attacker can use it as a vantage point inside that environment.
More concerning is the addition of SSH tunnelling and authenticated SOCKS5 proxy support. These features can turn the victim’s phone into a traffic-exit node, meaning criminal activity may appear to originate from the victim’s own IP address and network. That weakens fraud-detection systems that rely on location, device reputation or network history to decide whether a transaction is legitimate.
The malware’s modular design also points to a more flexible operating model. The host application acts as a launcher and persistence layer, while offensive functions are delivered through a runtime-loaded module. This lets operators update capabilities without replacing the original app, and it gives them room to tailor payloads by region or campaign. Dormant elements, including an inactive hooking framework and declared NFC-related permissions, suggest the platform may be prepared for future features even if those functions are not currently active.
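As an added illustration (not code from the article or from any researcher it cites), a short static triage in Python that flags the manifest declarations behind the capabilities described above: Accessibility Service binding, SMS access, overlay windows and the dormant NFC permission. The sample manifest, package name and service name are constructed, and the script assumes the manifest has already been decoded to plain XML.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME = f"{{{ANDROID_NS}}}name"
PERM = f"{{{ANDROID_NS}}}permission"

# Capabilities the article attributes to TrickMo, mapped to the manifest
# declarations that enable them on Android.
INDICATORS = {
    "android.permission.RECEIVE_SMS": "SMS interception (OTP theft)",
    "android.permission.READ_SMS": "SMS interception (OTP theft)",
    "android.permission.SYSTEM_ALERT_WINDOW": "overlay / fake login pages",
    "android.permission.NFC": "declared NFC capability (dormant in TrickMo C)",
}
ACCESSIBILITY = "android.permission.BIND_ACCESSIBILITY_SERVICE"
SMS_PERMS = {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS"}


def triage_manifest(xml_text: str) -> dict:
    """Return suspicious declarations and whether the takeover pattern is present.
    Assumes a manifest already decoded to plain XML (e.g. by apktool), not binary AXML.
    """
    root = ET.fromstring(xml_text)
    perms = {e.get(NAME) for e in root.iter("uses-permission")}
    # An accessibility service is recognised by the android:permission its
    # <service> is declared with, not by a uses-permission entry.
    bound = {s.get(PERM) for s in root.iter("service")}
    findings = {p: why for p, why in INDICATORS.items() if p in perms}
    if ACCESSIBILITY in bound:
        findings[ACCESSIBILITY] = "Accessibility Service (screen reading, tap automation)"
    # Takeover pattern from the article: accessibility plus overlays or SMS access.
    takeover = ACCESSIBILITY in bound and bool(
        "android.permission.SYSTEM_ALERT_WINDOW" in perms or perms & SMS_PERMS)
    return {"package": root.get("package", "<unknown>"),
            "findings": findings, "takeover_pattern": takeover}


# Constructed sample manifest in the shape of a streaming-app lure (not a real sample).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.streamplayer">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.NFC"/>
  <application android:label="StreamPlayer">
    <service android:name=".A11y"
        android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
  </application>
</manifest>"""
```

Running `triage_manifest(SAMPLE_MANIFEST)` on the constructed lure reports the accessibility binding, SMS, overlay and NFC declarations and marks the takeover pattern as present; a manifest that only requests INTERNET produces no findings.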
TrickMo’s evolution fits a wider pattern in Android financial malware. Criminal groups are relying less on one-off credential theft and more on live device control, social engineering and abuse of legitimate platform services. Banking apps, cryptocurrency wallets and authenticator tools have strengthened their security, but attackers are responding by compromising the environment around those apps rather than breaking the apps directly.
Users are most exposed when they install apps outside trusted stores, follow links from social-media adverts or grant Accessibility permissions to software that has no clear need for them. Fake entertainment, streaming, job and social-media apps remain common lures because they can appear harmless while delivering a malicious second stage after installation.