Executive Summary
In early 2026, a new variant of the TrickMo Android banking trojan emerged that uses The Open Network (TON) for command-and-control (C2). ThreatFabric observed the variant between January and February 2026 targeting banking and cryptocurrency wallet users in France, Italy, and Austria. Because TON is a public decentralized network rather than attacker-registered infrastructure, the C2 channel cannot be disrupted by domain takedown, which complicates mitigation. (infosecurity-magazine.com)
The move to TON for C2 fits a broader trend among threat actors toward decentralized platforms for stealth and resilience. Security teams need detection and response strategies that do not depend on taking down or blocking an attacker-owned domain. (securityaffairs.com)
Why This Matters Now
Routing malware C2 over a decentralized network like TON removes the takedown lever that traditional mitigation relies on, so control shifts to what defenders still own: egress policy, segmentation, and anomaly detection. Security teams should adapt promptly to protect sensitive financial data. (bleepingcomputer.com)
Attack Path Analysis
The TrickMo variant, disguised as TikTok or streaming apps, was distributed via phishing websites and dropper applications, giving it an initial foothold on the device. Once installed, it abused Android's accessibility service (a permission the user grants, not an exploited vulnerability) to read screen content and inject input, which gave it extensive control over the device. It then established its C2 channel through The Open Network (TON), allowing covert communication with its operators. With that control, TrickMo performed network reconnaissance and ran a SOCKS5 proxy on the handset, turning the infected phone into a pivot through which operators could reach hosts on any network the device was connected to. It exfiltrated banking credentials and personal information to attacker-controlled infrastructure. The impact includes unauthorized financial transactions, data theft, and potential further exploitation of networks reachable through the pivot.
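The SOCKS5 pivot described above is visible on the wire as an ordinary RFC 1928 handshake in which a host on the mobile segment plays the server role and an external client asks it to CONNECT somewhere. The detector below is an added example written for this page, not code from ThreatFabric, Aviatrix or the cited reports: it parses the SOCKS5 greeting, request and reply and flags sessions where a phone answers as a proxy. The session records, IP addresses and the mobile subnet 10.20.30.0/24 are constructed sample data.

```python
"""Flag Android devices acting as SOCKS5 servers (network pivots).

Added example for this page, not code from the cited reports. All
session records below are constructed sample data, not real captures.
"""
import ipaddress
import socket
import struct

SOCKS_VERSION = 0x05
CMD_NAMES = {0x01: "CONNECT", 0x02: "BIND", 0x03: "UDP_ASSOCIATE"}


def parse_socks5_request(c2s):
    """Parse client->server bytes per RFC 1928: a method greeting followed
    by a request. Returns {"cmd", "host", "port"} or None if not SOCKS5."""
    if len(c2s) < 2 or c2s[0] != SOCKS_VERSION:
        return None
    pos = 2 + c2s[1]                     # skip NMETHODS and the method list
    if pos + 4 > len(c2s) or c2s[pos] != SOCKS_VERSION:
        return None
    cmd, rsv, atyp = c2s[pos + 1], c2s[pos + 2], c2s[pos + 3]
    if rsv != 0x00 or cmd not in CMD_NAMES:
        return None
    pos += 4
    if atyp == 0x01:                     # IPv4 address
        if pos + 6 > len(c2s):
            return None
        host = socket.inet_ntoa(c2s[pos:pos + 4])
        pos += 4
    elif atyp == 0x03:                   # length-prefixed domain name
        if pos + 1 > len(c2s):
            return None
        ln = c2s[pos]
        pos += 1
        if pos + ln + 2 > len(c2s):
            return None
        host = c2s[pos:pos + ln].decode("ascii", "replace")
        pos += ln
    elif atyp == 0x04:                   # IPv6 address
        if pos + 18 > len(c2s):
            return None
        host = socket.inet_ntop(socket.AF_INET6, c2s[pos:pos + 16])
        pos += 16
    else:
        return None
    port = struct.unpack("!H", c2s[pos:pos + 2])[0]
    return {"cmd": CMD_NAMES[cmd], "host": host, "port": port}


def server_accepted(s2c):
    """True if server->client bytes hold a method selection (not 0xFF) and
    a reply with REP = 0x00 (succeeded)."""
    return (len(s2c) >= 6 and s2c[0] == SOCKS_VERSION and s2c[1] != 0xFF
            and s2c[2] == SOCKS_VERSION and s2c[3] == 0x00)


def find_pivots(sessions, mobile_cidr):
    """Return sessions in which a host inside mobile_cidr served SOCKS5."""
    net = ipaddress.ip_network(mobile_cidr)
    hits = []
    for s in sessions:
        if ipaddress.ip_address(s["server_ip"]) not in net:
            continue                     # phones acting as clients are normal
        req = parse_socks5_request(s["c2s"])
        if req and server_accepted(s["s2c"]):
            hits.append({"pivot": s["server_ip"], "proxy_port": s["server_port"],
                         "operator": s["client_ip"], **req})
    return hits


def _domain(name):
    return bytes([len(name)]) + name.encode()


OK_REPLY = b"\x05\x00" + b"\x05\x00\x00\x01" + bytes(4) + bytes(2)

# Constructed sample sessions (client_ip -> server_ip:server_port).
SAMPLE_SESSIONS = [
    {   # operator reaches an internal host through the infected phone
        "client_ip": "203.0.113.7", "server_ip": "10.20.30.41", "server_port": 1080,
        "c2s": b"\x05\x01\x00" + b"\x05\x01\x00\x03" + _domain("intranet-bank.example") + struct.pack("!H", 443),
        "s2c": OK_REPLY,
    },
    {   # same pivot, CONNECT to an IPv4 address on the SMB port
        "client_ip": "203.0.113.7", "server_ip": "10.20.30.41", "server_port": 1080,
        "c2s": b"\x05\x01\x00" + b"\x05\x01\x00\x01" + socket.inet_aton("10.0.5.9") + struct.pack("!H", 445),
        "s2c": OK_REPLY,
    },
    {   # ordinary TLS from the phone: not a pivot
        "client_ip": "10.20.30.41", "server_ip": "198.51.100.5", "server_port": 443,
        "c2s": b"\x16\x03\x01\x00\xc8", "s2c": b"\x16\x03\x03",
    },
    {   # SOCKS5 greeting answered with 0xFF (no acceptable method): unusable
        "client_ip": "203.0.113.9", "server_ip": "10.20.30.42", "server_port": 1080,
        "c2s": b"\x05\x01\x00" + b"\x05\x01\x00\x03" + _domain("x.example") + struct.pack("!H", 80),
        "s2c": b"\x05\xff",
    },
]


def demo():
    return find_pivots(SAMPLE_SESSIONS, "10.20.30.0/24")


if __name__ == "__main__":
    for h in demo():
        print(f"{h['operator']} -> {h['pivot']}:{h['proxy_port']} {h['cmd']} {h['host']}:{h['port']}")
```

The check deliberately keys on the server role rather than on the SOCKS5 bytes alone: phones legitimately act as SOCKS5 clients behind corporate proxies, but a handset accepting CONNECT requests and answering with REP = 0x00 is the pivot behaviour the reports describe. In production the session pairs would come from a flow collector or IDS that reassembles the first bytes of each TCP stream.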
Kill Chain Progression
Initial Compromise
Description
TrickMo was distributed via phishing websites and dropper applications, masquerading as legitimate TikTok or streaming apps, leading to the initial compromise of Android devices.
MITRE ATT&CK® Techniques
Obfuscated Files or Information
Download New Code at Runtime
Application Discovery
Application Layer Protocol: Web Protocols
Alternate Network Mediums
Screen Capture
Input Injection
Event Triggered Execution: Broadcast Receivers
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS – Ensure that all system components and software are protected from known vulnerabilities by installing applicable security patches
Control ID: Requirement 6.2 (v3.2.1); Requirement 6.3.3 (v4.0)
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: 500.03
DORA – ICT Risk Management Framework
Control ID: Article 6
CISA ZTMM 2.0 – Device Security
Control ID: Devices pillar
NIS2 Directive – Cybersecurity Risk Management Measures
Control ID: Article 21
Sector Implications
Industry-specific impact of this threat, including operational, regulatory, and cloud security risks.
Banking/Mortgage
TrickMo targets banking customers directly and hides its C2 inside TON, where there is no attacker domain to take down. Banks that admit managed or BYOD Android devices to their networks need default-deny egress on those segments and zero trust segmentation to contain credential theft and unauthorized transactions.
Financial Services
The variant loads additional APK code at runtime, which defeats vetting of the package as installed. Financial institutions serving customers in France, Italy, and Austria need mobile threat detection and transaction anomaly detection to protect those customers.
Telecommunications
TrickMo's SOCKS5 proxy turns an infected handset into a pivot into whatever network it joins. Telecom and enterprise networks that carry mobile devices need east-west visibility and monitoring of encrypted traffic patterns to catch inbound proxy handshakes to handsets and unexpected connection fan-out from mobile segments.
Computer Software/Engineering
The variant's runtime APK loading shows the limits of install-time application vetting. Android development and security teams need detection of code loaded after installation, runtime integrity checks, and secure development practices.
Sources
- New TrickMo Variant Uses TON C2 and SOCKS5 to Create Android Network Pivots (The Hacker News): https://thehackernews.com/2026/05/new-trickmo-variant-uses-ton-c2-and.html
- TrickMo Variant Routes Android Trojan Traffic Through TON (Infosecurity Magazine): https://www.infosecurity-magazine.com/news/trickmo-c-ton-network-android/
- TrickMo Android banker adopts TON blockchain for covert comms (BleepingComputer): https://www.bleepingcomputer.com/news/security/trickmo-android-banker-adopts-ton-blockchain-for-covert-comms/
- TrickMo Android Trojan Exploits Accessibility Services for On Device Banking Fraud (YouTube): https://www.youtube.com/watch?v=w9Cpf1XV6QM
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Aviatrix Zero Trust CNSF is pertinent to this incident as it could likely limit the malware's ability to move laterally and exfiltrate data by enforcing strict segmentation and controlled egress policies.
Control: Cloud Native Security Fabric (CNSF)
Mitigation: Aviatrix CNSF would likely not prevent the initial device compromise through phishing, as it primarily focuses on network-level controls rather than endpoint protection.
Control: Zero Trust Segmentation
Mitigation: Aviatrix Zero Trust Segmentation operates at the network layer and cannot stop abuse on the device itself, but it can restrict which segments an infected phone's SOCKS5 proxy is able to reach, limiting the value of the pivot.
Control: East-West Traffic Security
Mitigation: Aviatrix East-West Traffic Security would likely limit the malware's ability to move laterally by enforcing strict segmentation and monitoring internal traffic patterns.
Control: Multicloud Visibility & Control
Mitigation: Aviatrix Multicloud Visibility & Control would likely surface unauthorized command-and-control communications by monitoring and controlling outbound traffic. Because the TON channel offers no attacker-registered domain to block, the useful signal is outbound traffic to destinations outside the expected allowlist rather than a domain reputation match.
Control: Egress Security & Policy Enforcement
Mitigation: Aviatrix Egress Security & Policy Enforcement would likely limit data exfiltration by controlling and monitoring outbound traffic to unauthorized destinations.
Aviatrix Zero Trust CNSF would likely reduce the scope of unauthorized financial transactions and data theft by limiting the malware's ability to communicate with external servers and move laterally within the network.
Impact at a Glance
Affected Business Functions
- Online Banking Services
- Mobile Payment Processing
- Cryptocurrency Wallet Management
Estimated downtime: N/A
Estimated loss: N/A
Potential exposure of banking credentials, one-time passwords (OTPs), and personal identification numbers (PINs) of users in France, Italy, and Austria.
Recommended Actions
Key Takeaways & Next Steps
- Implement Zero Trust Segmentation to restrict application-to-application communication, limiting malware's ability to move laterally within networks.
- Enhance East-West Traffic Security to monitor and control internal network traffic, detecting and preventing unauthorized lateral movement.
- Deploy Egress Security & Policy Enforcement to control outbound traffic, preventing malware from establishing external command-and-control channels.
- Utilize Multicloud Visibility & Control to gain comprehensive insights into network traffic across cloud environments, identifying and mitigating anomalous activities.
- Strengthen Threat Detection & Anomaly Response capabilities to detect and respond to malicious activities promptly, minimizing potential damage.
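Egress policy enforcement and anomaly detection, the two controls above that actually bite on a C2 channel with no domain to block, can be exercised on flow records. The evaluator below is an added example for this page, not Aviatrix product code: it applies a default-deny allowlist per destination and port to a mobile/BYOD segment, and separately flags any source whose distinct denied destinations reach a threshold, which is how a SOCKS5 pivot relaying operator traffic shows up in flow metadata. The allowlist entries, flow lines and threshold are constructed sample data.

```python
"""Default-deny egress evaluation for a mobile/BYOD segment.

Added example for this page, not Aviatrix product code. The allowlist and
flow log lines are constructed sample data.
"""
from collections import defaultdict

# Constructed: (destination host, port) pairs the mobile segment may reach.
ALLOWLIST = {
    ("api.example-bank.com", 443),
    ("updates.example-bank.com", 443),
    ("mdm.example.com", 443),
}

# Distinct denied destinations from one source before it is called proxy-like fan-out.
FANOUT_THRESHOLD = 5

# Constructed flow records: src_ip,dst_host,dst_ip,dst_port,bytes_out ("-" = no name resolved)
FLOW_LOG = """\
10.20.30.41,api.example-bank.com,198.51.100.10,443,2048
10.20.30.41,-,203.0.113.55,8443,900
10.20.30.41,-,203.0.113.56,443,700
10.20.30.41,-,203.0.113.57,443,650
10.20.30.41,-,203.0.113.58,8080,300
10.20.30.41,-,192.0.2.77,443,4100
10.20.30.42,mdm.example.com,198.51.100.20,443,512
10.20.30.42,updates.example-bank.com,198.51.100.11,443,8192
10.20.30.42,-,192.0.2.90,443,128
"""


def parse_flows(text):
    """Parse the comma-separated flow records above into dicts."""
    flows = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        src, host, dst, port, nbytes = line.split(",")
        flows.append({"src_ip": src, "dst_host": host, "dst_ip": dst,
                      "dst_port": int(port), "bytes_out": int(nbytes)})
    return flows


def evaluate(flows, allowlist=ALLOWLIST, threshold=FANOUT_THRESHOLD):
    """Return (verdicts, suspects).

    Every flow whose (host, port) is not on the allowlist is denied; that is
    what stops a C2 channel that has no blockable domain. suspects maps each
    source whose distinct denied destinations reach the threshold to the count,
    the fan-out signature of a device relaying someone else's connections."""
    verdicts = []
    denied_dsts = defaultdict(set)
    for f in flows:
        allowed = (f["dst_host"], f["dst_port"]) in allowlist
        verdicts.append({**f, "action": "allow" if allowed else "deny"})
        if not allowed:
            denied_dsts[f["src_ip"]].add((f["dst_ip"], f["dst_port"]))
    suspects = {src: len(d) for src, d in denied_dsts.items() if len(d) >= threshold}
    return verdicts, suspects


def demo():
    return evaluate(parse_flows(FLOW_LOG))


if __name__ == "__main__":
    verdicts, suspects = demo()
    for v in verdicts:
        print(v["action"], v["src_ip"], "->", v["dst_host"], v["dst_ip"], v["dst_port"])
    print("fan-out suspects:", suspects)
```

Matching on resolved hostname plus port means a connection with no resolved name is denied by default, which is the intended failure mode; in a real deployment the allowlist would be derived from the MDM or application inventory for the segment and reviewed when new destinations appear in the deny log.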