
Android Banking Trojan TrickMo Shifts C2 to TON Blockchain, Targeting European Banking Users

ThreatFabric reports that the Android banking trojan TrickMo now routes its command‑and‑control traffic through the TON blockchain, making detection harder and putting European banking and crypto‑wallet customers at risk. Organizations should reassess mobile app security and monitor blockchain‑related network traffic.

LiveThreat™ Intelligence · 📅 May 12, 2026 · 📰 securityaffairs.com
Severity: High · Type: ThreatIntel · Confidence: High · Affected: 2 sector(s) · Actions: 3 recommended · Source: securityaffairs.com

What Happened — ThreatFabric identified a new TrickMo variant that routes its command‑and‑control (C2) traffic through The Open Network (TON) blockchain instead of conventional C2 domains. The banking‑credential‑stealing modules are unchanged; what is new is the transport, a decentralized peer‑to‑peer overlay that hides the operators' infrastructure from domain‑ and IP‑based blocking.

Why It Matters for TPRM

  • Malware that rides on public blockchain infrastructure sidesteps detections keyed to known C2 domains and IP addresses, raising the risk of credential theft through third‑party mobile apps.
  • Financial‑service providers and fintech partners that allow Android app integrations may expose customers to the trojan without noticing, because its C2 traffic blends in with legitimate blockchain activity.
  • The modular design lets operators push new capabilities to already‑infected devices without redeploying the dropper, so new features can appear in the wild with no prior warning.

Who Is Affected — Financial services (banking, crypto‑wallet providers), mobile‑app developers, and any organization that relies on Android‑based customer‑facing applications in Europe (France, Italy, Austria).

Recommended Actions

  • Review all third‑party Android applications used by your organization for secure coding and anti‑tampering controls.
  • Use MDM and mobile threat‑defense tooling to flag sideloaded apps on managed devices and to alert on outbound connections to TON nodes or gateways that have no business justification.
  • Threat‑model C2 channels that ride on decentralized networks (blockchains, peer‑to‑peer overlays) and update detection logic to cover them, including beaconing patterns that do not depend on a fixed domain or IP address.

Technical Notes — TrickMo’s launcher persists on the device and downloads additional modules on demand. The new C2 layer replaces conventional domains with TON’s peer‑to‑peer routing, so the traffic resembles legitimate blockchain activity. No new CVEs are disclosed; the operational impact is that a decentralized network has no registrar or hosting provider to serve a takedown notice to, which complicates sinkholing and takedown efforts.
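One way to turn the recommended actions and the technical notes above into detection logic, as an added example that is not part of the brief or of ThreatFabric's report. It hunts a DNS query log and a connection log for three signals that survive the loss of a fixed C2 domain: queries for the `.ton` top‑level domain (which is not in the ICANN root, so a conventional resolver returns NXDOMAIN for it), connections to an operator‑maintained watchlist of TON gateway hosts, and regular beaconing between one device and one destination. The Zeek‑style tab‑separated log layout, the log lines, and the watchlist hostnames are all constructed placeholders for this example; an operator would replace the watchlist with real TON gateway and liteserver hosts.

```python
"""Hunt for TON-routed C2 signals in DNS and connection logs.

Added example, not code from the original brief or from ThreatFabric.
Assumptions: Zeek-style tab-separated logs with the columns shown below,
and a hypothetical watchlist of TON gateway / liteserver hostnames.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Hypothetical watchlist (assumption): hostnames an operator would replace
# with the TON gateways and liteservers seen in their own environment.
TON_GATEWAY_WATCHLIST = {
    "gateway.example-ton-proxy.invalid",
    "liteserver.example-ton.invalid",
}

# Constructed DNS log lines: ts, src, query, rcode_name
DNS_LOG = """\
1715500001.0\t10.20.30.5\tm.bank-example.com\tNOERROR
1715500002.0\t10.20.30.5\tupdate-service.ton\tNXDOMAIN
1715500003.0\t10.20.30.9\tcdn.example.net\tNOERROR
1715500062.0\t10.20.30.5\tupdate-service.ton\tNXDOMAIN
1715500122.0\t10.20.30.5\tupdate-service.ton\tNXDOMAIN
"""

# Constructed connection log lines: ts, src, dst_host (TLS SNI), dst_port
CONN_LOG = """\
1715500002.5\t10.20.30.5\tgateway.example-ton-proxy.invalid\t443
1715500062.5\t10.20.30.5\tgateway.example-ton-proxy.invalid\t443
1715500122.5\t10.20.30.5\tgateway.example-ton-proxy.invalid\t443
1715500182.5\t10.20.30.5\tgateway.example-ton-proxy.invalid\t443
1715500010.0\t10.20.30.9\twww.example.org\t443
"""


def parse_tsv(text):
    """Split tab-separated log text into rows, skipping blank lines."""
    return [line.split("\t") for line in text.splitlines() if line.strip()]


def find_ton_dns_queries(dns_log):
    """Flag queries for the .ton TLD.

    .ton is not delegated in the ICANN root, so a normal resolver answers
    NXDOMAIN. A handset asking for a .ton name is therefore a signal on its
    own: the app either has a TON resolver path or is probing for one.
    """
    hits = []
    for ts, src, query, rcode in parse_tsv(dns_log):
        if query.lower().rstrip(".").endswith(".ton"):
            hits.append({"ts": float(ts), "src": src, "query": query, "rcode": rcode})
    return hits


def find_watchlist_connections(conn_log, watchlist=TON_GATEWAY_WATCHLIST):
    """Flag connections whose SNI host is on the TON gateway watchlist."""
    hits = []
    for ts, src, host, port in parse_tsv(conn_log):
        if host.lower() in watchlist:
            hits.append({"ts": float(ts), "src": src, "host": host, "port": int(port)})
    return hits


def find_beaconing(conn_log, min_conns=4, max_cv=0.2):
    """Flag (src, dst) pairs that check in at regular intervals.

    This does not depend on the destination being known: the coefficient of
    variation of the inter-connection gaps is compared against max_cv, so a
    fixed-period check-in stands out even when the host is new.
    """
    times = defaultdict(list)
    for ts, src, host, _port in parse_tsv(conn_log):
        times[(src, host.lower())].append(float(ts))
    beacons = []
    for (src, host), ts_list in times.items():
        if len(ts_list) < min_conns:
            continue
        ts_list.sort()
        gaps = [b - a for a, b in zip(ts_list, ts_list[1:])]
        mu = mean(gaps)
        if mu > 0 and pstdev(gaps) / mu <= max_cv:
            beacons.append({"src": src, "host": host,
                            "interval_s": round(mu, 1), "count": len(ts_list)})
    return beacons


def hunt(dns_log=DNS_LOG, conn_log=CONN_LOG):
    """Run all three hunts over the supplied logs and return the findings."""
    return {
        "ton_dns": find_ton_dns_queries(dns_log),
        "watchlist": find_watchlist_connections(conn_log),
        "beacons": find_beaconing(conn_log),
    }


if __name__ == "__main__":
    for kind, items in hunt().items():
        for item in items:
            print(kind, item)
```

On the constructed logs, device 10.20.30.5 trips all three hunts: three `.ton` queries, four watchlist connections, and a 60‑second beacon to the gateway host. The `.ton` query and beaconing checks are the ones worth keeping once the watchlist goes stale, since they do not rely on knowing the operator's current infrastructure.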

📰 Original Source
https://securityaffairs.com/192003/malware/android-banking-trojan-trickmo-evolves-using-ton-network-for-c2.html

This LiveThreat Intelligence Brief is an independent analysis. Read the original reporting at the link above.
