New TrickMo Android Banking Malware Variant Targets Europe
A new variant of the TrickMo Android banking malware has integrated The Open Network (TON) blockchain to facilitate covert command-and-control communications, according to research released May 11, 2026. The variant, tracked as Trickmo.C by ThreatFabric, targets users in France, Italy, and Austria, specifically aiming to compromise banking and cryptocurrency wallets.
The malware is distributed through campaigns where it is disguised as streaming applications or TikTok. Once installed, it employs a redesigned network layer to hide its communication with operators, moving traffic away from the conventional internet.
The primary technical innovation in this variant is the use of .ADNL addresses for communication. These addresses are routed through a local TON proxy that is embedded directly on the infected device. TON is a decentralized peer-to-peer network originally developed for the Telegram ecosystem, which enables devices to communicate via an encrypted overlay network rather than using publicly exposed internet servers.
By utilizing a 256-bit identifier instead of a standard domain, the malware masks the communication port and the IP address of the server. This architectural choice makes the operator’s infrastructure significantly more difficult for security researchers to identify, block, or dismantle.
ThreatFabric noted that this shift renders standard mitigation strategies obsolete.
"Traditional domain takedowns are largely ineffective because the operator’s endpoints do not rely on the public DNS hierarchy and instead exist as TON .adnl identities resolved inside the overlay network itself," ThreatFabric wrote.
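Because a `.adnl` destination never touches public DNS, the defensive signal moves from the resolver to the device itself: which app is opening connections to `.adnl` identities, and whether those connections are funneled through a loopback proxy. The script below is an added example written for this article, not code from ThreatFabric or from the malware; the per-app connection log format it parses is a constructed assumption, as is the 64-hex-character form used to represent a raw 256-bit identifier (real ADNL textual encodings may differ, so the `.adnl` suffix is treated as the primary indicator and the identifier shape only as corroboration).

```python
"""Flag overlay-network (.adnl) destinations in per-app connection logs.

Added example for this article; not ThreatFabric's or TrickMo's code.
Assumptions (constructed for illustration):
  - log line shape: "<ts> pkg=<package> dst=<host>:<port> via=<proxy|direct>"
  - a raw 256-bit identifier is rendered as 64 lowercase hex characters;
    real ADNL text encodings may differ, so the ".adnl" suffix is the
    primary indicator and the hex check is only corroborating.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

ADNL_SUFFIX = ".adnl"
HEX256 = re.compile(r"^[0-9a-f]{64}$")
LINE = re.compile(
    r"pkg=(?P<pkg>\S+)\s+dst=(?P<host>[^:\s]+):(?P<port>\d+)\s+via=(?P<via>\S+)"
)

# Constructed sample log; the 64-hex label is a deliberately obvious placeholder.
SAMPLE_LOGS = [
    "2026-05-11T10:00:01Z pkg=com.example.bank dst=api.example-bank.test:443 via=direct",
    "2026-05-11T10:00:05Z pkg=com.example.streamer "
    "dst=0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef.adnl:443 "
    "via=127.0.0.1:8080",
    "2026-05-11T10:00:09Z pkg=com.example.streamer dst=cdn.example.test:443 via=direct",
    "this line is malformed and must be skipped",
]


@dataclass(frozen=True)
class Finding:
    pkg: str
    host: str
    port: int
    via: str
    reasons: tuple


def parse_line(line):
    """Return (pkg, host, port, via) or None when the line does not match."""
    m = LINE.search(line)
    if not m:
        return None
    return m.group("pkg"), m.group("host").lower(), int(m.group("port")), m.group("via")


def classify(pkg, host, port, via):
    """Return the list of indicator tags for one connection (empty if benign)."""
    reasons = []
    if host.endswith(ADNL_SUFFIX):
        reasons.append("adnl-destination")
        label = host[: -len(ADNL_SUFFIX)]
        if HEX256.match(label):
            reasons.append("raw-256bit-identifier")
    # A loopback proxy is consistent with an on-device TON proxy relaying traffic.
    if via.startswith(("127.", "localhost", "[::1]")):
        reasons.append("loopback-proxy")
    return reasons


def scan_logs(lines):
    """Emit a Finding for every connection whose destination is a .adnl identity."""
    findings = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        reasons = classify(*parsed)
        if "adnl-destination" in reasons:
            pkg, host, port, via = parsed
            findings.append(Finding(pkg, host, port, via, tuple(reasons)))
    return findings


def hosts_by_package(findings):
    """Group distinct .adnl hosts per package, useful for triaging which app to pull."""
    grouped = defaultdict(set)
    for f in findings:
        grouped[f.pkg].add(f.host)
    return {pkg: sorted(hosts) for pkg, hosts in grouped.items()}


if __name__ == "__main__":
    for f in scan_logs(SAMPLE_LOGS):
        print(f"{f.pkg} -> {f.host}:{f.port} via {f.via} [{', '.join(f.reasons)}]")
    print(hosts_by_package(scan_logs(SAMPLE_LOGS)))
```

Run against a real per-app connection export, the `loopback-proxy` tag on its own is weak evidence (legitimate apps occasionally use local proxies), but an `adnl-destination` hit combined with it points at exactly the on-device relay the article describes and identifies the package to pull for analysis, which a domain blocklist cannot do.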
ThreatFabric characterizes Trickmo.C not as a rewrite of the malware’s capabilities, but as a substantial platform redesign. While the on-device feature set remains largely unchanged from previous versions, the underlying platform has been re-engineered to increase stealth, resilience, and the reach of the operator.
In addition to the network layer changes, several other core components of the malware have been overhauled, including:
- The loader stage
- The configuration store
- The application identity
- The scope of operator commands
Telemetry and infrastructure observations indicate that this new variant is progressively replacing previous versions of TrickMo across active campaigns.
The TrickMo banking trojan has been in active development since it was first identified in September 2019. It has a history of constant updates to evade detection and expand its targeting capabilities.
In October 2024, Zimperium conducted an analysis of the malware, identifying 40 different variants delivered through 16 droppers. That analysis revealed the malware was communicating with 22 distinct command-and-control infrastructures to target sensitive user data on a global scale.
The evolution toward blockchain-based communication reflects a broader trend in Android banking malware, where operators prioritize architectural redesigns to improve operational flexibility and resilience against improving platform protections and detection measures.
