What Is TrickMo and Why It Matters for Android Banking Security
TrickMo is an Android banking trojan designed for full device takeover, focusing on stealing credentials and bypassing protections around financial accounts. Active since around 2019, it abuses Android’s accessibility services to hijack one-time passwords and intercept SMS messages, allowing attackers to defeat common forms of two-factor authentication. Beyond credential theft, TrickMo malware can log keystrokes, record and stream the screen in real time, and enable complete remote control of an infected phone. This makes it one of the most dangerous mobile security threats for users who rely on their smartphones for online banking, e‑commerce, or cryptocurrency wallets. The latest TrickMo C variant shifts from being just an Android banking trojan to a more powerful device takeover platform, expanding its toolset for spying, lateral movement, and covert networking. For everyday users, this means a single compromised Android device can expose banking data, personal communications, and even corporate networks accessed from that phone.
How TrickMo Uses TON Blockchain for Stealthy Command and Control
The newest TrickMo variant introduces an unusual technique: it leverages The Open Network (TON) blockchain infrastructure for its command-and-control traffic. Instead of talking to a traditional server using standard DNS and public internet routes, the malware embeds a native TON proxy that starts automatically on the device’s loopback interface. TrickMo then routes its HTTP-based command-and-control requests through this local proxy to special .adnl hostnames that are resolved via the TON overlay network. This design allows its blockchain command control channel to blend into normal TON-related traffic, making it harder for conventional security tools and network filters to detect or block. It also complicates takedown efforts, because the infrastructure is partially decentralized and does not depend on a single, easily blacklisted server. In practice, this gives attackers a resilient and stealthy way to push new modules, commands, and updates to infected Android phones without drawing attention.
SOCKS5 Proxies and Network Pivoting: Turning Phones into Attack Platforms
Beyond its blockchain integration, TrickMo now includes a network-operative subsystem that significantly extends its usefulness to attackers. The malware loads a secondary APK at runtime and exposes tools such as curl, ping, telnet, traceroute, and DNS lookups, effectively acting as a remote shell for network reconnaissance. The most concerning enhancement is TrickMo’s SOCKS5 proxy capability, which converts an infected Android device into a traffic exit node. By tunnelling malicious connections through a victim’s phone, attackers can make their banking or cryptocurrency fraud attempts appear as if they originate from the victim’s home or corporate network. TrickMo also supports SSH tunnelling, further enabling network pivoting into internal environments the phone can reach. This combination undermines IP-based fraud detection, complicates incident response, and means a compromised device is not just a victim but also a launchpad for broader attacks against online banking and other sensitive services.
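A defender-side check for the SOCKS5 exit-node behaviour described above, added here as an example (it is not code from the original report or from TrickMo): it parses RFC 1928 client greetings and CONNECT/BIND requests from inbound TCP payloads and reports which destinations an outside host is driving through the phone. The flow records and IP addresses are constructed sample data.

```python
"""Spot a phone acting as a SOCKS5 exit node from inbound TCP payloads."""
import ipaddress
import struct

SOCKS_VER = 0x05
CMDS = {1: "CONNECT", 2: "BIND", 3: "UDP_ASSOCIATE"}


def is_socks5_greeting(data: bytes) -> bool:
    # Client greeting: VER | NMETHODS | METHODS (RFC 1928, section 3).
    return len(data) >= 3 and data[0] == SOCKS_VER and len(data) == 2 + data[1]


def parse_socks5_request(data: bytes):
    # Client request: VER | CMD | RSV=0 | ATYP | DST.ADDR | DST.PORT (section 4).
    if len(data) < 7 or data[0] != SOCKS_VER or data[2] != 0:
        return None
    cmd, atyp = data[1], data[3]
    if atyp == 1 and len(data) == 10:             # IPv4 address
        host = str(ipaddress.IPv4Address(data[4:8]))
        port = struct.unpack("!H", data[8:10])[0]
    elif atyp == 3 and len(data) == 7 + data[4]:  # length-prefixed domain name
        n = data[4]
        host = data[5:5 + n].decode("ascii", "replace")
        port = struct.unpack("!H", data[5 + n:7 + n])[0]
    elif atyp == 4 and len(data) == 22:           # IPv6 address
        host = str(ipaddress.IPv6Address(data[4:20]))
        port = struct.unpack("!H", data[20:22])[0]
    else:
        return None
    return CMDS.get(cmd, f"CMD_{cmd}"), host, port


def find_socks5_pivots(flows, phone_ip):
    """flows: (src_ip, dst_ip, [client payloads in order]); returns pivot records."""
    hits = []
    for src, dst, payloads in flows:
        # Only inbound flows to the phone that open with a SOCKS5 greeting matter.
        if dst != phone_ip or len(payloads) < 2 or not is_socks5_greeting(payloads[0]):
            continue
        req = parse_socks5_request(payloads[1])
        if req:
            hits.append((src, *req))
    return hits


# Constructed sample: an outside host drives the phone to CONNECT to an internal
# SSH port and to a public web host; an ordinary HTTP request is ignored.
SAMPLE_FLOWS = [
    ("203.0.113.9", "192.0.2.20", [b"\x05\x01\x00", b"\x05\x01\x00\x01\x0a\x00\x00\x05\x00\x16"]),
    ("203.0.113.9", "192.0.2.20", [b"\x05\x02\x00\x02", b"\x05\x01\x00\x03\x0bexample.com\x01\xbb"]),
    ("198.51.100.4", "192.0.2.20", [b"GET / HTTP/1.1\r\n\r\n"]),
]

if __name__ == "__main__":
    for hit in find_socks5_pivots(SAMPLE_FLOWS, "192.0.2.20"):
        print("SOCKS5 pivot via phone:", hit)
```

A phone that accepts SOCKS5 greetings from the outside and relays CONNECT requests into RFC 1918 space is the pivoting pattern the text describes; the same parser works on payloads pulled from a capture or a proxy-aware IDS.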
How TrickMo Infects Devices and Bypasses Traditional Detection
The TrickMo C variant is typically delivered through deceptive dropper apps rather than direct downloads of the main malware. These droppers masquerade as adult-themed versions of popular apps and are often promoted through social media advertisements. Once installed, the dropper retrieves and loads a hidden dex.module APK at runtime from attacker-controlled infrastructure. This modular approach allows the malware to fetch updated capabilities on demand while keeping the initial app relatively clean, helping it slip past basic checks. The core TrickMo component then disguises itself as legitimate system software, such as Google Play Services, and requests extensive permissions, including accessibility access, to gain deep control. While some offensive features like NFC-related functions and Pine hooking appear dormant, their presence suggests ongoing development. Because much of its communication traverses the TON-based proxy and SOCKS5 channels, normal network filters and IP or domain-based blocking alone are insufficient to reliably spot TrickMo’s activity.
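Because the loopback TON proxy and the SOCKS5 channel keep much of the activity off the wire, two on-device observations from the sections above are worth triaging: which packages hold accessibility access, and which ports are bound only on loopback. The following is an added example (not code from the report or from TrickMo) that parses the output of `adb shell settings get secure enabled_accessibility_services` and `adb shell netstat -tln`; the allowlist, package names and netstat lines are constructed and the result is a review list, not a verdict.

```python
"""Triage two adb outputs for a TrickMo-style foothold: accessibility grants and loopback listeners."""
import re

# Constructed allowlist: packages that legitimately hold accessibility access on this fleet.
KNOWN_ACCESSIBILITY_PKGS = {"com.google.android.marvin.talkback"}


def parse_enabled_accessibility(setting: str) -> list[tuple[str, str]]:
    # The setting reads 'pkg/cls:pkg/cls' (colon-separated) or 'null' when nothing is enabled.
    if not setting or setting.strip() == "null":
        return []
    services = []
    for entry in setting.strip().split(":"):
        pkg, _, cls = entry.partition("/")
        services.append((pkg, cls))
    return services


def unexpected_accessibility(setting: str) -> list[str]:
    # Any package outside the baseline is reported for a human to check.
    return [pkg for pkg, _ in parse_enabled_accessibility(setting)
            if pkg not in KNOWN_ACCESSIBILITY_PKGS]


# toybox netstat columns: Proto Recv-Q Send-Q Local-Address Foreign-Address State
LISTEN_RE = re.compile(r"^tcp6?\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+\s+LISTEN", re.M)


def loopback_listeners(netstat_out: str) -> list[int]:
    # Ports bound only on loopback; a local proxy (TON, SOCKS5) shows up here.
    ports = {int(port) for addr, port in LISTEN_RE.findall(netstat_out)
             if addr in ("127.0.0.1", "::1", "::ffff:127.0.0.1")}
    return sorted(ports)


# Constructed sample output; 'com.example.fakeplay' stands in for a package posing as system software.
SAMPLE_ACCESSIBILITY = "com.google.android.marvin.talkback/.TalkBackService:com.example.fakeplay/.SysService"
SAMPLE_NETSTAT = """\
tcp        0      0 127.0.0.1:1080          0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:5555            0.0.0.0:*               LISTEN
tcp6       0      0 :::8080                 :::*                    LISTEN
"""

if __name__ == "__main__":
    print("review accessibility grants for:", unexpected_accessibility(SAMPLE_ACCESSIBILITY))
    print("loopback-only listeners:", loopback_listeners(SAMPLE_NETSTAT))
```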
Protecting Your Android Banking Data Against TrickMo and Similar Threats
Defending against an advanced Android banking trojan like TrickMo requires both technical safeguards and cautious behavior. Users should avoid installing apps from untrusted links, especially those promoted through ads or promising modified or adult versions of popular platforms. Stick to reputable app stores and scrutinize permissions, rejecting any app that unnecessarily requests accessibility access or broad device control. Enabling multi-factor authentication on banking, e‑commerce, and cryptocurrency accounts remains essential, and app-based or hardware-based authenticators are preferable to SMS codes that malware can intercept. Regularly review bank and card statements as well as mobile banking activity for unfamiliar transactions or login alerts. Consider enabling security features such as Play Protect and using a respected mobile security suite with behavior-based detection. Finally, if your device shows unusual prompts, accessibility notifications, or unexplained network activity, treat it as a possible compromise and consult your bank and a trusted security professional before continuing to use mobile banking on that phone.
