New TrickMo Trojan Uses TON Network for Android Attacks
Emily Davis
A new TrickMo Android banking trojan variant uses TON for C2 and SOCKS5 proxies to create network pivots. ThreatFabric spotted it targeting European users. Learn how to protect your Android device from this evolving threat.
Cybersecurity researchers have flagged a dangerous new version of the TrickMo Android banking trojan. This variant uses The Open Network (TON) for its command-and-control (C2) operations. It's a smart move by attackers, and it makes the malware harder to shut down.
Think of TON as a decentralized backbone. Instead of relying on a single server that a hosting provider or registrar can take offline, the trojan pulls its instructions from this public blockchain-based network, which no single party can seize or sinkhole. Takedowns built around blocking a domain or seizing a C2 server therefore lose much of their effect, and defenders have to fall back on spotting the malware on the device and on the network instead.
### What Makes This TrickMo Variant Different?
ThreatFabric spotted this new variant between January and February 2026. It's actively targeting banking and cryptocurrency wallet users in France, Italy, and Austria. But here's the thing: this isn't just a European problem. The techniques used here could easily be adapted for attacks in the United States.
- **TON-based C2:** The trojan uses The Open Network for command-and-control, making it resilient against takedowns.
- **SOCKS5 proxy support:** The trojan runs a SOCKS5 proxy on the infected phone, so attackers can route their own traffic through it. Those connections then appear to originate from the victim's IP address, which hides the attacker's location and blends in with the victim's ordinary traffic.
- **Runtime-loaded payload:** TrickMo relies on a runtime-loaded APK (dex.module) to execute its malicious code, making it harder for antivirus software to catch.
Together, these features create what researchers call "network pivots": the infected phone becomes a stepping stone. Anything the phone can reach, the attacker can reach through it, from the victim's bank, which then sees a login from the victim's own IP address rather than an unfamiliar one, to other devices on the same home or office network. That is a problem for businesses and home users alike.

### How Does the Infection Work?
The trojan typically arrives through phishing messages or fake app downloads. Once installed, it requests extensive permissions. If granted, it can steal login credentials, intercept two-factor authentication codes, and even record your screen.
"TrickMo relies on a runtime-loaded APK (dex.module)," the researchers note. In other words, the malicious code isn't in the app the victim installs; that app is only a loader. The real payload, a separate DEX file, is fetched and loaded later, once the user has already granted permissions. A scanner that examines the installer at install time therefore sees only the loader, which is why this variant is so much harder for security tools to catch upfront.
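A loader still has to ship the plumbing that loads its payload, and that plumbing leaves traces a triage script can look for. The following is an added example, not ThreatFabric's tooling and not code from TrickMo: it opens an APK as the zip it is, looks in the DEX entries for the Android class descriptors used to load code at runtime (plus the `dex.module` name the researchers quote), and flags any entry that is a DEX file hiding under another name. The APK it scans by default is constructed in memory with fake DEX bodies; pass a real file path to scan that instead. Hits are a lead for closer inspection, not a verdict, since plugin frameworks and hot-fix SDKs use the same APIs.

```python
"""Triage an APK for signs of runtime code loading.

Added example, not ThreatFabric's tooling and nothing from TrickMo. The APK
built below is constructed in memory and its DEX bodies are fake; on a real
file run `python triage_apk.py app.apk`.
"""
import io
import sys
import zipfile

# Strings that land in the DEX string table when an app loads code at runtime.
# "dex.module" is the payload name the researchers quote for this variant.
LOADER_INDICATORS = [
    b"Ldalvik/system/DexClassLoader;",
    b"Ldalvik/system/InMemoryDexClassLoader;",
    b"Ldalvik/system/DexFile;",
    b"dex.module",
]
DEX_MAGIC = b"dex\n"  # every DEX file starts with "dex\n" followed by a version


def scan_apk(apk_bytes: bytes) -> dict:
    """Return loader indicators found in .dex entries, plus entries that are
    DEX files stored under other names (a bundled second stage)."""
    found = {"loader_indicators": [], "hidden_dex_entries": []}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for info in zf.infolist():
            blob = zf.read(info)
            if info.filename.endswith(".dex"):
                for ind in LOADER_INDICATORS:
                    if ind in blob:
                        found["loader_indicators"].append((info.filename, ind.decode()))
            elif blob.startswith(DEX_MAGIC):
                found["hidden_dex_entries"].append(info.filename)
    return found


def build_sample_apk(malicious: bool = True) -> bytes:
    """Constructed stand-in for an APK: a zip with a stub manifest and a fake
    classes.dex that carries only the strings the scanner keys on."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("AndroidManifest.xml", b"\x03\x00\x08\x00")  # truncated AXML header
        dex = DEX_MAGIC + b"035\x00Landroid/app/Activity;\x00"
        if malicious:
            dex += b"Ldalvik/system/DexClassLoader;\x00dex.module\x00"
            # a second DEX tucked away as an "asset"
            zf.writestr("assets/config.bin", DEX_MAGIC + b"035\x00" + b"\x00" * 32)
        zf.writestr("classes.dex", dex)
    return buf.getvalue()


if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_apk()
    print(scan_apk(data))
```

For a payload that is only downloaded after installation, as this variant's is, the loader strings are the part that is visible up front; the hidden-DEX check additionally catches the common case of a second stage shipped inside the installer.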

### Why Should You Care About This?
Even though current attacks are focused on Europe, the techniques are universal. If you use an Android phone for banking or cryptocurrency transactions, you're a potential target. The use of TON and SOCKS5 makes this variant particularly stealthy.
Here's what you can do to protect yourself:
- **Only install apps from the Google Play Store.** Sideloading an app from a link in a message or an unofficial download site is how these trojans usually spread.
- **Check app permissions carefully.** If a calculator app asks for access to your SMS messages, that's a huge red flag.
- **Keep your phone updated.** Security patches often fix vulnerabilities that malware exploits.
- **Use a reliable security app.** A reputable mobile security app can flag known loaders and suspicious permission combinations, but no scanner reliably catches code that is fetched only after installation, so treat it as one layer rather than a substitute for the other three.
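The permission check above can be done from a laptop for every installed app rather than one settings screen at a time. Here is an added example, not from the page or any vendor, that reads the output of `adb shell dumpsys package <pkg>` and reports which permissions a banking trojan needs and an ordinary utility has no business holding. The sample text is constructed to mimic dumpsys output; the exact layout varies between Android versions, so the parser keys only on the permission names and the `granted=` flag, and the package name in the sample is a placeholder.

```python
"""Flag risky permissions from `adb shell dumpsys package <pkg>` output.

Added example, not from the page or any vendor tool. Real use:
    adb shell dumpsys package com.example.app | python audit_perms.py
The sample below is constructed to mimic dumpsys output.
"""
import re
import sys

# Permissions a banking trojan needs and a calculator does not.
RISKY = {
    "android.permission.READ_SMS": "read one-time codes sent by SMS",
    "android.permission.RECEIVE_SMS": "intercept SMS as it arrives",
    "android.permission.SEND_SMS": "send SMS (premium numbers, self-spreading)",
    "android.permission.SYSTEM_ALERT_WINDOW": "draw fake login screens over other apps",
    "android.permission.REQUEST_INSTALL_PACKAGES": "install further packages",
    "android.permission.RECORD_AUDIO": "record the microphone",
    "android.permission.READ_CONTACTS": "harvest contacts for phishing",
    "android.permission.READ_PHONE_STATE": "read device identifiers",
}

# Matches both "requested permissions" lines and "...: granted=true" lines.
PERM_LINE = re.compile(r"^\s*(android\.permission\.[A-Z_0-9]+)(?::\s*granted=(true|false))?")


def audit(dumpsys_text: str) -> dict:
    """Return {permission: status} for risky permissions; status is 'granted',
    'denied', or 'requested' (declared in the manifest, no grant line seen)."""
    status = {}
    for line in dumpsys_text.splitlines():
        m = PERM_LINE.match(line)
        if not m or m.group(1) not in RISKY:
            continue
        perm, granted = m.group(1), m.group(2)
        if granted == "true":
            status[perm] = "granted"
        elif granted == "false":
            status[perm] = "denied"
        else:
            status.setdefault(perm, "requested")
    return status


def report(dumpsys_text: str) -> list:
    """One line per risky permission, granted ones first."""
    status = audit(dumpsys_text)
    order = {"granted": 0, "requested": 1, "denied": 2}
    return [f"{s.upper():9} {p}: {RISKY[p]}"
            for p, s in sorted(status.items(), key=lambda kv: (order[kv[1]], kv[0]))]


# Constructed sample: a "calculator" that has talked its way into SMS access.
SAMPLE = """\
Packages:
  Package [com.example.calculator] (3f2a1b):
    userId=10187
    versionName=1.0
    requested permissions:
      android.permission.INTERNET
      android.permission.READ_SMS
      android.permission.RECEIVE_SMS
      android.permission.SYSTEM_ALERT_WINDOW
    install permissions:
      android.permission.INTERNET: granted=true
      android.permission.SYSTEM_ALERT_WINDOW: granted=true
    User 0: installed=true hidden=false
      runtime permissions:
        android.permission.READ_SMS: granted=true, flags=[ USER_SET]
        android.permission.RECEIVE_SMS: granted=false, flags=[ USER_SET]
"""

if __name__ == "__main__":
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE
    for line in report(text):
        print(line)
```

Run it over every third-party package (`adb shell pm list packages -3` lists them) and anything that reports `GRANTED` for SMS or overlay permissions without an obvious reason deserves the same scrutiny as the calculator in the text.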
### The Bigger Picture for Antidetect Browser Users
If you're using antidetect browsers for privacy or business, this news matters to you too. These trojans don't just steal passwords. They can also hijack browser sessions and steal cookies. That means even if you're behind a proxy or using a fingerprint-masked browser, your session could be compromised if your device is infected.
Antidetect browsers offer great protection against online tracking, but they can't protect you from malware on your device. That's why device-level security is still crucial.
### Final Thoughts
The TrickMo variant using TON and SOCKS5 is a reminder that cyber threats keep evolving. Attackers are adopting decentralized technologies to make their malware more resilient. Staying safe means staying informed and following basic security hygiene.
Keep your apps updated, watch what you install, and never grant unnecessary permissions. A little caution goes a long way.