TrickMo Variant Exploits TON C2 and SOCKS5 to Forge Android Banking Pivots

TrickMo Variant Harnesses TON C2 for Android Banking Attacks

The latest TrickMo Android banking trojan, identified by ThreatFabric between ↓ 2 months, now routes commands through The Open Network (TON) and employs SOCKS5 proxies to create resilient network pivots on compromised devices.

Target Landscape Expands Across Europe

Researchers observed active campaigns against users of banking apps and cryptocurrency wallets in ↑ 3 nations – France, Italy and Austria – where victims report unauthorized transactions.

“The integration of TON C2 markedly raises the operational stealth of TrickMo, complicating detection for conventional security tools,” said a senior analyst at Reuters.

Technical analysis reveals that the malware loads a runtime‑generated APK module (dex.module) before establishing the proxy tunnel, allowing threat actors to relay traffic and exfiltrate credentials.

Security teams are advised to monitor anomalous TOR‑like traffic and enforce multi‑factor authentication on financial platforms, as highlighted in a recent Bloomberg briefing.

Intel provided by Kaelen Frost (Lead Cybersecurity Analyst).