TrickMo Android Malware Now Hides Commands on TON Blockchain


A new TrickMo Android banking malware variant uses The Open Network (TON) blockchain to hide its command-and-control communications, making it harder to detect and block.

A dangerous new variant of the TrickMo Android banking malware is targeting users across Europe, and it uses a surprising trick to stay hidden: The Open Network (TON) blockchain. Instead of relying on traditional command-and-control servers that security teams can shut down, this malware hides its instructions inside blockchain transactions, which makes it much harder to detect and block.

This isn't a small update. The new version of TrickMo adds fresh commands that give attackers more control over infected devices, and by moving its communications to TON, the malware borrows a page from legitimate crypto projects to stay under the radar.

### How TrickMo Uses Blockchain for Stealth

Most malware communicates with a central server to receive commands or exfiltrate stolen data. That server is a single point of failure: once researchers identify it, they can have it taken offline or block its address. TrickMo's new approach is different.

- It uses the TON blockchain to store encrypted commands.
- The malware reads these commands directly from the blockchain.
- There is no central server to seize, so a conventional takedown has nothing to target.

Think of it like hiding a secret message in a public library. Anyone can see the library, but only someone with the right key can find and read your note. That's what TrickMo is doing with TON. "Nearly impossible" should be read relative to a classic server takedown: an implant still has to reach the chain through some node or public API endpoint, which can be blocked at the network level, and the wallet or transactions it reads from are public and can be monitored.

### New Commands Give Attackers More Power

This variant doesn't just hide better. It also comes with new capabilities that make it more dangerous for anyone using an Android device.

One of the most concerning additions is the ability to intercept two-factor authentication codes. If you use SMS-based 2FA for your bank account or email, TrickMo can grab those codes before you even see them, which lets attackers bypass one of the most common security measures.

The malware can also:

- Steal login credentials from banking apps.
- Capture on-screen content to see what you're typing.
- Display fake login screens that look identical to real banking apps.

All of this happens silently in the background. You might not notice anything wrong until you check your bank balance.

> "By moving its command-and-control to the TON blockchain, TrickMo has made itself significantly harder to disrupt through traditional takedown methods."

### Why This Matters for Android Users

If you're in the United States, you might think this European campaign doesn't affect you. But malware like TrickMo often spreads globally, and security researchers have already found similar techniques being tested in other regions.

The key takeaway is simple: Android banking malware is getting smarter. Using a blockchain as a command channel is a trend we'll likely see more of in the coming years.

To protect yourself, stick to official app stores, avoid sideloading apps from unknown sources, and consider a hardware security key instead of SMS-based 2FA. If your bank offers app-based authentication, use that instead of text messages, but keep in mind that an authenticator app running on the same infected phone can still be exposed by the screen-capture capability described above; a hardware key or a second device is the stronger choice.

### What Security Teams Are Doing

Tracking malware that hides on a blockchain is a new kind of challenge. Traditional methods like IP blocking or domain takedowns don't apply to the chain itself. Instead, researchers are monitoring TON transactions for suspicious patterns and working with blockchain analytics firms to identify command messages.

It's a cat-and-mouse game, and the mice just got a lot harder to catch. But by understanding how TrickMo operates, security teams can build better defenses.

Stay vigilant. Keep your apps updated. And remember that even the most sophisticated malware can be stopped if you follow basic security practices.
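The two mechanisms this article describes, an implant pulling encrypted commands out of transaction memos (the "How TrickMo Uses Blockchain for Stealth" section) and defenders scanning those same transactions for command-like memos (the "What Security Teams Are Doing" section), can both be shown against one constructed ledger. The example below is added here for illustration; it is not TrickMo's code, not anything published about TrickMo, and not TON's API. The ledger, the wallet address `DROP_WALLET`, the marker bytes `MAGIC`, the command names, the key and the toy encrypt-then-MAC cipher are all assumptions made up for the demo; a real implant would fetch real transactions from a node or public API and would use a proper cipher.

```python
"""Blockchain dead-drop C2, both sides, plus a defender-side memo scan.

Constructed example. A "transaction" is just a dict with a free-form comment
field standing in for a blockchain memo; nothing here talks to a real chain.
"""
import base64
import hashlib
import hmac
import json
import math
import os
import re

MAGIC = b"\x7f\x01"                 # hypothetical marker the implant looks for
DROP_WALLET = "EQ_example_drop"     # hypothetical address, not a real wallet
KEY = hashlib.sha256(b"constructed demo key").digest()  # shared implant key

_B64 = re.compile(r"[A-Za-z0-9+/]+={0,2}")


def _keystream(key, nonce, n):
    """Toy keystream: SHA-256(key || nonce || counter), demo only, not a real cipher."""
    out = b""
    counter = 0
    while len(out) < n:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:n]


def seal_command(key, command, nonce=None):
    """Operator side: encrypt-then-MAC a JSON command and base64 it for a memo."""
    nonce = os.urandom(12) if nonce is None else nonce
    pt = json.dumps(command, separators=(",", ":")).encode()
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()[:16]
    return base64.b64encode(MAGIC + nonce + ct + tag).decode()


def open_command(key, memo):
    """Implant side: decode a memo; None if it is not ours, forged or damaged."""
    try:
        blob = base64.b64decode(memo, validate=True)
    except ValueError:              # binascii.Error is a ValueError subclass
        return None
    if not blob.startswith(MAGIC) or len(blob) < len(MAGIC) + 12 + 16:
        return None
    nonce, ct, tag = blob[2:14], blob[14:-16], blob[-16:]
    expect = hmac.new(key, nonce + ct, hashlib.sha256).digest()[:16]
    if not hmac.compare_digest(tag, expect):
        return None                 # wrong key or tampered payload
    pt = bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))
    try:
        return json.loads(pt)
    except ValueError:
        return None


def poll_ledger(key, ledger, wallet, since_seq):
    """Implant polling loop: read every tx to the drop wallet newer than
    since_seq and return (decoded commands, newest seq seen)."""
    cmds, last = [], since_seq
    for tx in ledger:
        if tx["to"] != wallet or tx["seq"] <= since_seq:
            continue
        last = max(last, tx["seq"])
        cmd = open_command(key, tx.get("comment", ""))
        if cmd is not None:
            cmds.append(cmd)
    return cmds, last


def shannon_entropy(s):
    """Bits per character of the empirical symbol distribution of s."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def flag_suspicious(ledger, min_len=40, min_entropy=4.5):
    """Defender side: seqs of transactions whose memo is a long, valid-base64,
    high-entropy blob, i.e. looks like an opaque encoded payload rather than text."""
    flagged = []
    for tx in ledger:
        memo = tx.get("comment", "")
        if len(memo) < min_len or len(memo) % 4 != 0:
            continue
        if _B64.fullmatch(memo) and shannon_entropy(memo) >= min_entropy:
            flagged.append(tx["seq"])
    return flagged


def build_sample_ledger():
    """Constructed ledger: ordinary payments mixed with two sealed command drops.
    Command names are hypothetical, chosen to mirror the capabilities above."""
    return [
        {"seq": 1, "to": DROP_WALLET, "amount": 0.5, "comment": "thanks for lunch"},
        {"seq": 2, "to": DROP_WALLET, "amount": 0.001,
         "comment": seal_command(KEY, {"cmd": "sms_intercept", "on": True},
                                 nonce=bytes(range(1, 13)))},
        {"seq": 3, "to": "EQ_other_wallet", "amount": 12.0, "comment": "invoice 4471"},
        {"seq": 4, "to": DROP_WALLET, "amount": 0.001,
         "comment": seal_command(KEY, {"cmd": "overlay", "target": "com.example.bank"},
                                 nonce=bytes(range(100, 112)))},
        {"seq": 5, "to": DROP_WALLET, "amount": 900.0,
         "comment": "Rent for November, flat 12B, includes utilities and parking"},
    ]


if __name__ == "__main__":
    ledger = build_sample_ledger()
    cmds, last = poll_ledger(KEY, ledger, DROP_WALLET, since_seq=0)
    print("implant decoded:", cmds, "up to seq", last)
    print("defender flagged seqs:", flag_suspicious(ledger))
```

The implant side shows why a server takedown does not help: the only things it needs are a public wallet to watch and the key, and a memo it cannot authenticate is simply ignored, so garbage or a researcher's forged transaction does nothing. The defender side is deliberately crude, a length, charset and entropy filter, and will miss commands padded to look like text and flag legitimate encoded memos; in practice it is a triage step that feeds wallet-level monitoring, not a verdict.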