
TrickMo Android Banking Malware Uses TON Blockchain for Stealthy C2, Targeting European Banking Users

A new TrickMo.C variant leverages the TON blockchain for encrypted, decentralized command‑and‑control, evading traditional domain‑based defenses. The malware is delivered via fake TikTok/streaming apps and adds advanced network utilities, threatening banking credentials across France, Italy, and Austria.

LiveThreat™ Intelligence · 📅 May 11, 2026 · 📰 bleepingcomputer.com
Severity: 🟠 High · Type: ThreatIntel · Confidence: High · Affected: 3 sector(s) · Actions: 4 recommended · Source: bleepingcomputer.com

What Happened — A new variant of the TrickMo Android banking trojan (tracked as TrickMo.C) was observed using The Open Network (TON) blockchain for its command‑and‑control (C2) traffic. The malware is distributed in fake TikTok/streaming apps and adds a suite of network‑utility commands (curl, ping, SSH tunneling, SOCKS5 proxy, etc.) to facilitate credential theft and remote access.

Why It Matters for TPRM

  • The TON overlay makes traditional domain‑based takedowns ineffective, increasing persistence risk for any third‑party mobile app supply chain.
  • Enhanced C2 capabilities enable broader data exfiltration and lateral movement, raising the threat profile of vendors that develop or host Android applications.
  • The use of decentralized identifiers (.adnl) hampers network‑edge detection, requiring updated monitoring controls.

Who Is Affected — Financial services (banks, payment processors) and cryptocurrency wallet providers in France, Italy, and Austria; any organization that relies on Android‑based mobile banking or payment apps supplied by third‑party developers.

Recommended Actions

  • Review all third‑party Android app providers for exposure to TrickMo variants.
  • Enforce strict mobile app vetting, code‑signing verification, and runtime integrity checks.
  • Deploy network detection that can identify TON traffic patterns or anomalous encrypted flows.
  • Update endpoint protection policies to flag known TrickMo signatures and sandbox suspicious APKs.

Technical Notes — The malware embeds a local TON proxy, routing C2 over .adnl addresses that bypass DNS. New commands include curl, dnsLookup, ping, telnet, traceroute, SSH tunneling, remote/local port forwarding, and authenticated SOCKS5 proxy support. Payload delivery relies on phishing overlays within popular‑looking apps. Source: BleepingComputer
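The recommended action to "deploy network detection that can identify TON traffic patterns or anomalous encrypted flows" and the technical note that the .adnl transport bypasses DNS together suggest one concrete, vendor-neutral check: correlate resolver logs with flow logs and flag outbound connections from a mobile device to external addresses that no DNS answer on that device preceded, then escalate devices that talk to several such peers (the many-peer pattern of an overlay network). The script below is an added example written for this brief; it is not from the article or from BleepingComputer's reporting. The log line formats, device names, addresses and timestamps are constructed, and the one-hour correlation window and three-peer threshold are assumptions to tune for your environment. It does not carry a TON-specific wire signature, because the brief gives none.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample resolver log (not from the article): time, device, query, answered IP.
DNS_LOG = [
    "2026-05-11T09:00:01Z dev=android-17 q=api.bank.example A 203.0.113.10",
    "2026-05-11T09:00:01Z dev=android-17 q=cdn.streaming.example A 203.0.113.20",
    "2026-05-11T06:00:00Z dev=android-23 q=update.example A 203.0.113.30",
    "2026-05-11T09:05:00Z dev=android-23 q=api.bank.example A 203.0.113.10",
]

# Constructed sample flow log (not from the article): time, device, dst ip:port, proto, bytes.
FLOW_LOG = [
    "2026-05-11T09:00:02Z dev=android-17 dst=203.0.113.10:443 proto=tcp bytes=5120",
    "2026-05-11T09:00:03Z dev=android-17 dst=203.0.113.20:443 proto=tcp bytes=88000",
    "2026-05-11T09:00:10Z dev=android-17 dst=10.0.0.5:53 proto=udp bytes=120",
    "2026-05-11T09:00:30Z dev=android-17 dst=198.51.100.7:45321 proto=udp bytes=2048",
    "2026-05-11T09:00:31Z dev=android-17 dst=198.51.100.8:45321 proto=udp bytes=2100",
    "2026-05-11T09:00:32Z dev=android-17 dst=198.51.100.9:45321 proto=udp bytes=1990",
    "2026-05-11T09:05:01Z dev=android-23 dst=203.0.113.10:443 proto=tcp bytes=4900",
    "2026-05-11T09:10:00Z dev=android-23 dst=203.0.113.30:443 proto=tcp bytes=3000",
]

# Assumed log schemas; replace these patterns with parsers for your own resolver and flow exports.
DNS_RE = re.compile(r"^(?P<ts>\S+) dev=(?P<dev>\S+) q=(?P<name>\S+) A (?P<ip>\S+)$")
FLOW_RE = re.compile(
    r"^(?P<ts>\S+) dev=(?P<dev>\S+) dst=(?P<ip>[^:\s]+):(?P<port>\d+) "
    r"proto=(?P<proto>\S+) bytes=(?P<bytes>\d+)$"
)

# Destinations in these ranges are local infrastructure (resolver, gateway) and are skipped.
LOCAL_NETS = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]


def parse_ts(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def is_local(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in LOCAL_NETS)


def index_dns_answers(dns_lines):
    """Map (device, answered IP) -> sorted list of times the resolver returned that IP."""
    answers = defaultdict(list)
    for line in dns_lines:
        m = DNS_RE.match(line)
        if m:
            answers[(m["dev"], m["ip"])].append(parse_ts(m["ts"]))
    for times in answers.values():
        times.sort()
    return answers


def find_dnsless_flows(dns_lines, flow_lines, window=timedelta(hours=1)):
    """Return flows to external IPs that no DNS answer on the same device preceded within `window`."""
    answers = index_dns_answers(dns_lines)
    flagged = []
    for line in flow_lines:
        m = FLOW_RE.match(line)
        if not m or is_local(m["ip"]):
            continue
        t = parse_ts(m["ts"])
        # A resolution counts only if it happened before the flow and no longer ago than `window`;
        # a stale answer (hours old) is treated as no resolution.
        resolved = any(t - window <= a <= t for a in answers.get((m["dev"], m["ip"]), []))
        if not resolved:
            flagged.append({"ts": m["ts"], "dev": m["dev"],
                            "dst": f"{m['ip']}:{m['port']}", "proto": m["proto"]})
    return flagged


def score_devices(flagged, peer_threshold=3):
    """Count distinct DNS-less peers per device; many peers is the overlay-network pattern to escalate."""
    peers = defaultdict(set)
    for f in flagged:
        peers[f["dev"]].add(f["dst"].rsplit(":", 1)[0])
    return {dev: {"dnsless_peers": len(ips), "escalate": len(ips) >= peer_threshold}
            for dev, ips in peers.items()}


if __name__ == "__main__":
    hits = find_dnsless_flows(DNS_LOG, FLOW_LOG)
    for h in hits:
        print(f"{h['ts']} {h['dev']} -> {h['dst']} ({h['proto']}) no prior DNS answer")
    for dev, s in score_devices(hits).items():
        print(f"{dev}: {s['dnsless_peers']} DNS-less peers, escalate={s['escalate']}")
```

On the constructed input, android-17's three UDP flows to 198.51.100.7-9 and android-23's flow to an address last resolved three hours earlier are flagged, and only android-17 crosses the peer threshold. Expect false positives from apps with hard-coded endpoints, from devices using DNS-over-HTTPS/TLS that your resolver log never sees, and from answers cached longer than the window; tune the window to your resolvers' caching behaviour and treat the output as a triage list for the APK vetting and sandboxing steps above, not as a verdict.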

📰 Original Source
https://www.bleepingcomputer.com/news/security/trickmo-android-banker-adopts-ton-blockchain-for-covert-comms/

This LiveThreat Intelligence Brief is an independent analysis. Read the original reporting at the link above.
