
TrickMo’s New Trick: Android Banking Malware Turns to TON for Stealth

Published: 11 May 2026 11:41
Category: Malware & Botnets
Author: SIGNALMONK

A fresh TrickMo variant targeting users across Europe adds new commands and uses The Open Network for covert command-and-control, raising the cost of disruption for defenders.

Introduction

Mobile banking malware rarely stands still for long, but TrickMo’s latest variation shows a sharper kind of adaptation. The family is now linked to campaigns aimed at users across Europe, and the newly observed build adds commands while using TON-based communications to keep contact with its operators. That combination matters because it shows an attacker toolkit designed not just to infect phones, but to keep those infections useful after detection pressure rises.

Fast Facts

  • TrickMo is an Android banking malware family.
  • A new variant has been linked to campaigns targeting users across Europe.
  • The variant introduces new commands, suggesting active development.
  • It uses The Open Network, or TON, for covert command-and-control communications.
  • At this stage, the complete operator identity and impact scope remain unconfirmed.

Body

The technical significance is not just that TrickMo changed, but how it changed. New commands usually mean a malware family is being extended for fresh tasks: receiving instructions, adjusting behavior, or supporting additional operator workflows. In practical terms, that can make a trojan more flexible and harder to map with older detection logic.

Using TON for covert command-and-control is the more unusual move. Public blockchain and network layers give criminals an infrastructure option that is harder to treat like an ordinary hosting problem. Instead of depending only on a small set of obvious servers, the malware's communications may be tied to a broader platform that defenders cannot block as easily without also blocking legitimate traffic. That does not make the malware invisible, but it can complicate takedown, filtering, and rapid attribution.

For defenders, the lesson is to think beyond the app itself. A banking trojan is often only the visible tip of the operation; the real risk lies in what it can do once it has a foothold on the device. Even without confirmed details about every capability in this wave, the combination of a mobile banker, new commands, and covert communications points to an operator effort focused on persistence and control.

Public information has not fully established the technical root cause, the complete scope of affected users, or whether downstream systems were compromised.

That caution matters. Android banking malware often relies on user trust, permission abuse, and rapid infrastructure changes. When an operator starts using less conventional channels like TON, defenders need stronger device hygiene, tighter app-install controls, and behavior-based monitoring rather than relying only on blocklists.

Conclusion

TrickMo’s latest evolution is a reminder that modern mobile malware is becoming an infrastructure problem as much as an endpoint problem. The real takeaway is simple: when attackers can change both their payload and their communications layer, defenders have to watch the whole chain, not just the phone screen.

WIKICROOK

  • Android banking malware: Malicious software built to steal financial credentials or control banking sessions on Android devices.
  • Command-and-control (C2): The channel malware uses to receive instructions from operators and send back data.
  • Variant: A modified version of malware that adds, removes, or changes capabilities.
  • TON: The Open Network, a blockchain and networking platform used here as the basis for covert malware communications.
  • Detection logic: Security rules, analytics, or behavioral checks used to spot suspicious activity.