securityaffairs.com 5/12/2026, 7:30:32 AM · via preferred

TrickMo Android Trojan Moves C2 to Telegram’s TON Network

Primary source: threatfabric.com

ThreatFabric researchers have identified a new TrickMo Android banking Trojan variant that reengineers its underpinnings for stealth, resilience and operator reach, migrating its command-and-control traffic off the conventional internet and onto The Open Network (TON).

According to ThreatFabric, the latest version keeps the on-device feature set largely the same, but the network layer has been transformed to use TON, with the bot’s C2 traffic now routed through a decentralised peer-to-peer overlay originally built for Telegram. The variant was found in campaigns targeting banking and cryptocurrency wallet users in France, Italy and Austria between January and February 2026, and appears to be gradually supplanting older TrickMo variants.

Beyond its modular launcher/persistence architecture, TrickMo now includes a network operations subsystem with capabilities such as DNS lookups, ping, traceroute, and HTTP requests executed from the device, effectively turning infected phones into reconnaissance tools inside the networks they join. It also adds SSH tunneling and authenticated SOCKS5 proxying, so that operator traffic can exit via the victim's own network and fraudulent activity becomes harder to distinguish from the victim's legitimate traffic. Researchers also noted inactive components linked to NFC permissions and the Pine hooking framework, signalling a platform built for future updates.
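The SSH-tunnel and SOCKS5-proxy capabilities described above leave a protocol fingerprint a network defender can look for: an SSH identification string (RFC 4253, `SSH-2.0-...`) or a SOCKS5 client greeting (RFC 1928: version byte 0x05, a method count, then that many method identifiers, where 0x02 is username/password authentication) originating from a device that should never act as a tunnel endpoint. The following is an added example, not code from ThreatFabric or from the article, that applies that heuristic to constructed flow records. The mobile-device subnet, the destination addresses and ports, and the `Flow` record shape are all assumptions made for the illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List, Tuple

SOCKS5_VERSION = 0x05


def classify_first_bytes(payload: bytes) -> str:
    """Classify the first bytes one peer sent on a TCP connection.

    Recognises the two tunnel types named in the report:
    - an SSH session, whose first bytes are the identification string
      'SSH-2.0-...' (RFC 4253);
    - a SOCKS5 client greeting (RFC 1928): version 0x05, NMETHODS, then
      exactly NMETHODS method bytes. Anything shorter or longer is not a
      well-formed greeting and is reported as 'other'.
    """
    if payload.startswith(b"SSH-"):
        return "ssh-banner"
    if len(payload) >= 2 and payload[0] == SOCKS5_VERSION:
        nmethods = payload[1]
        if nmethods > 0 and len(payload) == 2 + nmethods:
            return "socks5-greeting"
    return "other"


@dataclass
class Flow:
    """Hypothetical flow record: source, destination, port, and the first
    bytes the source sent (as a sensor with payload capture would record)."""
    src: str
    dst: str
    dport: int
    client_bytes: bytes


def flag_mobile_tunnels(flows: Iterable[Flow],
                        mobile_nets: Iterable[str]) -> List[Tuple[str, str, int, str]]:
    """Return (src, dst, dport, kind) for every flow in which a device from a
    mobile-device subnet opens an SSH session or sends a SOCKS5 greeting.
    Phones on a guest or BYOD VLAN normally do neither, so either is worth
    an alert regardless of destination port."""
    nets = [ipaddress.ip_network(n) for n in mobile_nets]
    alerts = []
    for f in flows:
        src = ipaddress.ip_address(f.src)
        if not any(src in n for n in nets):
            continue
        kind = classify_first_bytes(f.client_bytes)
        if kind != "other":
            alerts.append((f.src, f.dst, f.dport, kind))
    return alerts


# Constructed sample flows (assumed BYOD subnet 10.50.0.0/16; addresses from
# documentation ranges; ports chosen for the illustration only).
SAMPLE_FLOWS = [
    # phone opens an SSH session to a non-standard port: flagged
    Flow("10.50.1.23", "203.0.113.9", 2222, b"SSH-2.0-OpenSSH_9.6\r\n"),
    # phone sends a SOCKS5 greeting offering no-auth (0x00) and
    # username/password (0x02) methods: flagged
    Flow("10.50.1.23", "203.0.113.9", 1080, b"\x05\x02\x00\x02"),
    # ordinary TLS ClientHello from a phone: not flagged
    Flow("10.50.1.40", "198.51.100.7", 443, b"\x16\x03\x01\x02\x00\x01\x00"),
    # SSH from a server subnet, outside the mobile range: not flagged
    Flow("10.10.0.5", "10.10.0.6", 22, b"SSH-2.0-OpenSSH_9.6\r\n"),
]


def run_sample() -> List[Tuple[str, str, int, str]]:
    return flag_mobile_tunnels(SAMPLE_FLOWS, ["10.50.0.0/16"])


if __name__ == "__main__":
    for alert in run_sample():
        print("ALERT mobile device tunnel:", alert)
```

The classifier deliberately keys on protocol bytes rather than port numbers, because the report stresses that the tunnel is meant to blend in with the victim's own traffic. In a real deployment the check should be applied to the first bytes in both directions of a connection: a phone serving as a SOCKS5 proxy over a reverse connection will receive the greeting rather than send it.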


Article by CyberSIXT
