A new variant of the TrickMo Android banking trojan has moved its primary command-and-control (C2) transport onto The Open Network (TON) Blockchain, routing communications through the decentralized overlay’s .adnl identities to make traditional domain takedowns largely ineffective.
The variant, identified by ThreatFabric and labeled TrickMo C, was tracked between January and February 2026 in active campaigns against banking and wallet users in France, Italy and Austria, according to new analysis from the firm’s Mobile Threat Intelligence Team.
Telemetry indicated the variant was progressively replacing its predecessor across operator campaigns, with TikTok-themed lures circulated via Facebook ads.
TrickMo is a device-takeover trojan that abuses Android’s accessibility service to give operators a real-time interactive view of the compromised handset.
Its capabilities include credential phishing via WebView overlays, keylogging, screen streaming, full bidirectional remote control and silent suppression of one-time-password (OTP) notifications.
A Decentralized C2 Built on TON
The single largest change in the variant is the network layer. ThreatFabric said the host APK starts an embedded native TON proxy on a loopback port at process launch and wires the bot’s HTTP client through it, so every C2 request is addressed to an .adnl hostname and resolved within the TON overlay rather than through public DNS.
The handful of clearnet lookups the bot still performs are routed through a public DNS-over-HTTPS endpoint, so even those queries never reach the device’s local resolver.
The researchers said the design makes traditional domain takedowns largely ineffective, since operator endpoints exist as TON identities resolved inside the decentralized network. At the network edge, traffic appears indistinguishable from any other TON-enabled application’s output.
The Open Network is a legitimate decentralized platform originally built for Telegram, and ThreatFabric stressed that its use by TrickMo’s operators reflects abuse by a third party rather than any involvement by the TON project.
Devices Recast as Programmable Network Pivots
The variant also introduces a network-operative subsystem that turns infected handsets into programmable pivots.
Five operator commands run curl, dnslookup, ping, telnet and traceroute primitives from the device’s vantage point, giving the operator a shell-equivalent for reconnaissance inside any corporate or home network the handset is attached to.
A second set of commands provides socket-level tunneling through an embedded SSH client and an on-device SOCKS5 proxy with username and password authentication.
Chained together, ThreatFabric said the result is an authenticated programmable network exit on the victim’s device whose outbound traffic appears to originate from the victim’s IP, defeating IP-based fraud detection.
The variant also declares full NFC permissions and bundles the Pine hooking framework, although neither is exercised in the current code. ThreatFabric assessed both as reserved capabilities, provisioned in the host for runtime delivery later.
