
TrickMo Android Banking Trojan Uses TON C2 and SOCKS5 Proxies to Target European Financial Users

A newly observed TrickMo Android banking trojan employs The Open Network (TON) for command‑and‑control and creates SOCKS5 proxies to pivot traffic, actively targeting banking and cryptocurrency wallet users in France, Italy, and Austria. The technique complicates detection and expands the threat surface for third‑party mobile ecosystems.

LiveThreat™ Intelligence · May 12, 2026 · thehackernews.com

Severity: High · Type: ThreatIntel · Confidence: High · Affected: 1 sector(s) · Recommended actions: 3 · Source: thehackernews.com

TrickMo Android Banking Trojan Variant Uses TON C2 and SOCKS5 to Pivot Networks, Targeting Users in France, Italy, and Austria

What Happened — Researchers identified a new TrickMo Android banking trojan that leverages The Open Network (TON) for command‑and‑control and establishes SOCKS5 proxies to pivot traffic through infected devices. The variant was active in early 2026 and specifically targeted banking and cryptocurrency wallet users in France, Italy, and Austria.

Why It Matters for TPRM

  • Mobile‑based credential theft can compromise downstream financial services and crypto platforms.
  • The use of TON C2 makes detection harder for traditional network monitoring tools.
  • SOCKS5 pivots enable attackers to route additional malicious traffic, expanding the attack surface of any third‑party mobile‑app ecosystem.

Who Is Affected — Financial services, cryptocurrency exchanges, and any SaaS providers that integrate with mobile banking or wallet apps in the affected European regions.

Recommended Actions

  • Review any third‑party mobile app vendors for secure development practices and anti‑malware controls.
  • Enforce mobile device management (MDM) policies that block unknown C2 protocols (e.g., TON).
  • Conduct threat‑modeling for SOCKS5 proxy abuse and monitor network traffic for anomalous outbound connections.

Technical Notes — The trojan loads a runtime‑generated APK module (dex.module) to evade static analysis, communicates with C2 over TON’s decentralized network, and sets up a SOCKS5 proxy to relay traffic from compromised devices. No public CVE is associated; the threat is driven by malware techniques rather than a software vulnerability. Source: The Hacker News
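The recommended action to monitor for SOCKS5 proxy abuse can be started with a simple stream classifier. The following is an added example, not code from the original report or from any TrickMo analysis: it checks whether the first two messages of a TCP stream form a SOCKS5 method negotiation (RFC 1928, version byte 0x05) and labels the chosen method. The flow dictionary layout, function names, and sample flows are constructed assumptions; a handset negotiating SOCKS5 with an external host, in either role, is unusual for a device that only runs banking apps.

```python
from typing import Optional

# SOCKS5 (RFC 1928) constants
SOCKS_VERSION = 0x05
METHOD_NO_AUTH = 0x00
METHOD_NO_ACCEPTABLE = 0xFF


def is_socks5_greeting(payload: bytes) -> bool:
    """First message from the initiator: VER=0x05, NMETHODS, then exactly NMETHODS method bytes."""
    if len(payload) < 2 or payload[0] != SOCKS_VERSION:
        return False
    nmethods = payload[1]
    return nmethods >= 1 and len(payload) == 2 + nmethods


def is_socks5_method_reply(payload: bytes) -> bool:
    """First message from the responder: exactly two bytes, VER=0x05 and the selected method."""
    return len(payload) == 2 and payload[0] == SOCKS_VERSION


def classify_flow(flow: dict) -> Optional[str]:
    """Return a label when the stream opens with a SOCKS5 negotiation, else None.

    `flow` is an assumed layout: {"initiator_first": bytes, "responder_first": bytes}.
    """
    if not (is_socks5_greeting(flow["initiator_first"])
            and is_socks5_method_reply(flow["responder_first"])):
        return None
    method = flow["responder_first"][1]
    if method == METHOD_NO_ACCEPTABLE:
        return "socks5-refused"          # negotiation happened but no method agreed
    if method == METHOD_NO_AUTH:
        return "socks5-noauth"           # open relay: no authentication at all
    return f"socks5-method-{method:#04x}"  # e.g. 0x02 = username/password


# Constructed sample flows (not captured traffic)
SAMPLE_FLOWS = [
    {"initiator_first": b"\x05\x01\x00", "responder_first": b"\x05\x00"},           # SOCKS5, no auth
    {"initiator_first": b"\x16\x03\x01\x00\xa5\x01", "responder_first": b"\x16\x03\x03"},  # TLS, benign
    {"initiator_first": b"\x05\x02\x00\x02", "responder_first": b"\x05\x02"},       # SOCKS5, user/pass
    {"initiator_first": b"\x05\x01\x00", "responder_first": b"\x05\xff"},           # SOCKS5 refused
]


def scan_flows(flows: list) -> list:
    """Return (index, label) pairs for every flow that negotiated SOCKS5."""
    return [(i, label) for i, f in enumerate(flows) if (label := classify_flow(f))]


if __name__ == "__main__":
    for idx, label in scan_flows(SAMPLE_FLOWS):
        print(f"flow {idx}: {label}")
```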

Original Source
https://thehackernews.com/2026/05/new-trickmo-variant-uses-ton-c2-and.html

This LiveThreat Intelligence Brief is an independent analysis. Read the original reporting at the link above.
