Modern Android banking malware is undergoing a transformation, focusing on architectural enhancements aimed at increasing stealth, resilience, and operational flexibility. As security measures evolve, malware operators are responding by refining their communication layers, modularizing functionalities, and bolstering persistence and remote-control capabilities.
In early 2026, the Mobile Threat Intelligence Team identified a new variant of the TrickMo Android banking trojan, which is currently in active distribution. This variant represents a significant evolution of its predecessor, maintaining a similar on-device feature set while undergoing a comprehensive re-engineering for improved stealth and operator reach. A notable change is the relocation of the bot’s command-and-control traffic from the conventional internet to The Open Network (TON). Alongside this, various components, including the loader stage, configuration store, application identity, and operator command scope, have been systematically overhauled. This variant is characterized less by new on-device fraud capabilities than by a substantial redesign of its underlying platform, with the network-pivoting subsystem described below as the one genuinely new feature area.
Key Insights
- A new TrickMo variant has been identified, actively targeting banking and wallet users in France, Italy, and Austria.
- Telemetry data indicates that this variant is progressively replacing its predecessor in ongoing operator campaigns.
- The primary command-and-control channel has transitioned to The Open Network (TON), utilizing .adnl endpoints routed through an embedded local TON proxy.
- TrickMo employs a runtime-loaded APK (dex.module), similar to the previous version but enhanced with new network-oriented functionalities such as reconnaissance, SSH tunneling, and SOCKS5 proxying, enabling infected devices to act as programmable network pivots and traffic exit nodes.
An Ongoing Threat
TrickMo is classified as Device Take Over (DTO) malware, specifically targeting banking, fintech, wallet, and authenticator applications on Android devices. Once users grant accessibility-service permission—often coerced by the bot’s on-device automation—operators gain real-time interactive control over the device.
The malware’s capabilities include:
- Credential phishing via fullscreen WebView overlays that mimic legitimate banking apps.
- Keylogging to capture typed text and field metadata associated with the active application.
- Screen recording and live streaming of the device’s display.
- Full bidirectional remote control through a channel that replicates operator-issued gestures and inputs via the accessibility service.
- Real-time SMS and notification interception, including silent suppression of one-time-password push messages.
- On-device network pivoting, transforming the infected device into a programmable network exit node.
Throughout the reporting period, multiple parallel campaigns targeting banking and wallet customers were observed in France, Italy, and Austria, as indicated by the campaign tags present in each bot’s telemetry.
| Tag | Description | Region |
|---|---|---|
| LS | App named “Live Streaming” | Undetermined |
| TicItalyFB | TikTok campaign over Facebook | Italy |
| TicFranceFB | TikTok campaign over Facebook | France |
| Tic_AT | TikTok Campaign | Austria |
| TikTok | TikTok Campaign | Undetermined |
A TON of New Features
A C2 Communication Overhaul
The most significant architectural change in TrickMo is its migration away from conventional internet communication. The primary command-and-control transport now operates over The Open Network (TON), a decentralized peer-to-peer overlay network originally developed by Telegram. TON has its own addressing and routing layer, ADNL (Abstract Datagram Network Layer), in which a host is addressed by an opaque base32 string derived from its public key rather than by a DNS name or an IP address.
It is important to note that The Open Network (TON) is a legitimate decentralized networking and blockchain platform with various lawful applications. Its use by TrickMo does not imply any malicious intent or involvement from the TON project or its developers.
TrickMo ships an embedded native TON proxy, which the host APK starts on a loopback port at startup. The bot’s HTTP client sends every outbound command-and-control request through that proxy, so the requests are addressed to .adnl hostnames that are resolved inside the TON overlay rather than through public DNS. This places the operator’s endpoints beyond the reach of conventional domain takedowns, since no registrar or DNS hierarchy is involved. It does not make the traffic invisible: the local proxy still has to reach TON nodes over the regular internet (ADNL runs over UDP) to route those requests, so the observable network indicator shifts from C2 domain lookups to a loopback proxy listener and UDP sessions with TON nodes, and the bundled native proxy binary itself becomes a useful host-side indicator.
A Modular Architecture – Improved Over Time
While TrickMo has been documented previously, earlier reports did not adequately describe its modular architecture beyond occasional mentions of a loadModule command. Our analysis revealed an externally downloaded DEX module utilized by the malware, with samples traced back to December 2024. This module is delivered selectively, based on geographic filtering, so devices outside the operators’ target regions never receive the offensive payload and present only the comparatively inert host APK to analysis.
The host APK primarily functions as a launcher and persistence layer, while offensive capabilities are delivered through the dynamically loaded APK named “dex.module“, fetched from operator infrastructure at runtime. This module encompasses the malware’s core accessibility-driven remote control functionality via a socket.io-based channel, facilitating low-latency sessions.
The previous version also used the Pine hooking framework, which has been observed in other malware families as well, to intercept the host’s networking calls and its interactions with Google’s Firebase Cloud Messaging.
The Differences in the New Variant
Network Reconnaissance and Tunneling — Entirely New
The most significant functional enhancement in this variant is the introduction of a network-operative subsystem. Five operator commands execute network primitives from the device’s perspective, returning results upstream:
| Command | Description |
|---|---|
| curl | Full curl-CLI HTTP probe (any method, headers, body) |
| dnsLookup | Platform-resolver DNS lookup for any hostname |
| ping | ICMP echo via the platform’s /system/bin/ping |
| telnet | TCP-connect probe with timeout, multi-port supported |
| traceroute | Route trace via the platform’s /system/bin/traceroute |
Together, these commands give the operator the equivalent of a remote shell for network reconnaissance, including visibility into any corporate or home network the device is connected to. The dnsLookup command deliberately uses the platform resolver, so the operator sees exactly what the device’s own network (including any internal or split-horizon DNS) returns for a given name.
The subsystem also provides socket-level tunneling through an embedded SSH client, with the device acting as the SSH client against an operator-controlled server. An SSH local-forward tunnel opens a port on the device that forwards, via the SSH server, to a host reachable from that server. An SSH remote-forward tunnel does the reverse: the operator’s SSH server listens on a port whose connections are carried back through the device into whatever network it sits on, giving the operator a foothold on the victim’s corporate or home LAN. Finally, an on-device SOCKS5 proxy with username-and-password authentication turns the infected device into a programmable exit node: traffic the operator sends through it leaves from the victim’s own IP address, which defeats fraud controls that key on IP reputation, geolocation, or a mismatch between the account holder’s usual network and the session’s source address.
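As an added illustration of the last of these primitives, the following Python models the server side of a SOCKS5 handshake with username/password authentication (RFC 1928 and RFC 1929) as a pure state machine, together with the client messages, so the complete byte-level exchange can be stepped through offline. It is example code written for this page, not code recovered from TrickMo’s dex.module; the credential store, usernames and destinations are constructed, and no sockets are opened. The point is that an authenticated on-device SOCKS5 proxy is only a handful of fixed-format messages: the same bytes shown here are what a sensor would see on the loopback or LAN side of the infected device, and the domain-form CONNECT shows that the exit node, not the operator, performs the DNS lookup for the destination.

```python
"""Server side of a SOCKS5 handshake with username/password auth (RFC 1928 +
RFC 1929), as a pure state machine. Added example for this page; not TrickMo
code. Credentials and destinations below are constructed. No sockets are used."""

import ipaddress
import struct

VER = 0x05                       # SOCKS protocol version
METHOD_NOAUTH = 0x00
METHOD_USERPASS = 0x02           # RFC 1929 username/password
METHOD_UNACCEPTABLE = 0xFF
AUTH_VER = 0x01                  # RFC 1929 sub-negotiation version
CMD_CONNECT = 0x01
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04
REP_SUCCESS, REP_CMD_NOT_SUPPORTED, REP_ATYP_NOT_SUPPORTED = 0x00, 0x07, 0x08


class Socks5Server:
    """Each handle_* method consumes one client message and returns the bytes
    the server would send back; state tracks whether auth has succeeded."""

    def __init__(self, users):
        self.users = users          # constructed credential store {user: password}
        self.authenticated = False
        self.target = None          # (host, port) once a CONNECT is accepted

    def handle_greeting(self, data):
        # VER | NMETHODS | METHODS[NMETHODS]
        if len(data) < 2 or data[0] != VER or len(data) != 2 + data[1]:
            raise ValueError("malformed greeting")
        # Only accept username/password: a client offering just NO AUTH is refused,
        # so the proxy is usable only by whoever holds the configured credentials.
        if METHOD_USERPASS in data[2:]:
            return bytes([VER, METHOD_USERPASS])
        return bytes([VER, METHOD_UNACCEPTABLE])

    def handle_auth(self, data):
        # VER | ULEN | UNAME[ULEN] | PLEN | PASSWD[PLEN]
        if len(data) < 3 or data[0] != AUTH_VER:
            raise ValueError("malformed auth request")
        ulen = data[1]
        if len(data) < 3 + ulen:
            raise ValueError("malformed auth request")
        uname = data[2:2 + ulen]
        plen = data[2 + ulen]
        passwd = data[3 + ulen:3 + ulen + plen]
        if len(data) != 3 + ulen + plen:
            raise ValueError("malformed auth request")
        expected = self.users.get(uname.decode("utf-8", "replace"))
        self.authenticated = expected is not None and expected == passwd.decode("utf-8", "replace")
        return bytes([AUTH_VER, 0x00 if self.authenticated else 0x01])

    def handle_request(self, data):
        # VER | CMD | RSV=0 | ATYP | DST.ADDR | DST.PORT (2 bytes, network order)
        if not self.authenticated:
            raise ValueError("request before successful authentication")
        if len(data) < 5 or data[0] != VER or data[2] != 0x00:
            raise ValueError("malformed request")
        cmd, atyp = data[1], data[3]
        if atyp == ATYP_IPV4:
            end, host = 8, str(ipaddress.IPv4Address(bytes(data[4:8])))
        elif atyp == ATYP_DOMAIN:
            end, host = 5 + data[4], data[5:5 + data[4]].decode("ascii")
        elif atyp == ATYP_IPV6:
            end, host = 20, str(ipaddress.IPv6Address(bytes(data[4:20])))
        else:
            return self._reply(REP_ATYP_NOT_SUPPORTED)
        if len(data) != end + 2:
            raise ValueError("malformed request")
        if cmd != CMD_CONNECT:
            return self._reply(REP_CMD_NOT_SUPPORTED)
        self.target = (host, struct.unpack("!H", data[end:end + 2])[0])
        return self._reply(REP_SUCCESS)

    @staticmethod
    def _reply(rep):
        # VER | REP | RSV | ATYP | BND.ADDR | BND.PORT; 0.0.0.0:0 stands in for the bound socket
        return bytes([VER, rep, 0x00, ATYP_IPV4, 0, 0, 0, 0, 0, 0])


# Client-side message builders, so both halves of the exchange are visible.
def build_greeting(methods=(METHOD_USERPASS,)):
    return bytes([VER, len(methods), *methods])


def build_auth(user, password):
    u, p = user.encode("utf-8"), password.encode("utf-8")
    return bytes([AUTH_VER, len(u)]) + u + bytes([len(p)]) + p


def build_connect(host, port):
    """Domain-form CONNECT: the exit node, not the client, resolves the name."""
    h = host.encode("ascii")
    return bytes([VER, CMD_CONNECT, 0x00, ATYP_DOMAIN, len(h)]) + h + struct.pack("!H", port)


def run_exchange(server, user, password, host, port):
    """Drive the full client/server exchange; returns the message log and the target."""
    log = []
    steps = ((lambda: build_greeting(), server.handle_greeting),
             (lambda: build_auth(user, password), server.handle_auth),
             (lambda: build_connect(host, port), server.handle_request))
    for build, handle in steps:
        msg = build()
        log.append(("client", msg))
        reply = handle(msg)
        log.append(("server", reply))
        if reply[1] not in (METHOD_USERPASS, 0x00):   # method refused or auth/connect failed
            break
    return log, server.target


if __name__ == "__main__":
    srv = Socks5Server({"op": "s3cret"})            # constructed operator credentials
    for side, msg in run_exchange(srv, "op", "s3cret", "bank.example", 443)[0]:
        print(f"{side:6s} {msg.hex()}")
    print("target:", srv.target)
```

Because the proxy insists on method 0x02, a client that only offers 0x00 is refused with 0xFF, which is what keeps a malware-planted proxy from being trivially usable by anyone else who finds the port. For a detection engineer, the greeting `05 01 02` followed by `05 02` and then a `01 ..` sub-negotiation is a compact signature for an authenticated SOCKS5 session on a host that has no business running one.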
Method Hooking — Declared but Unused
The Pine hooking framework remains included in the host APK and is initialized at startup, yet there are no active hook installations present in the static code base. The runtime patches against the host’s HTTP and Firebase paths from the previous variant have been removed, with no replacements implemented. This suggests a pattern of reserving capabilities in the host for potential future use.
NFC Permissions Declared but Unused
The manifest includes comprehensive NFC permissions—basic NFC, preferred-payment-information, and transaction-event—but no reachable NFC code has been found in either stage. This aligns with the broader pattern of provisioning capabilities that are not actively utilized, allowing operators to filter device inventories based on NFC capability without committing to functionality on the device side.
Appendix
Indicators of Compromise
| SHA-256 | Package Name | Application Name | Role |
|---|---|---|---|
| 01889a9ec2abecb73e5e8792be68a4e3bc7dcbe1c3f19ac06763682d63aa8c21 | com.app16330.core20461 | TikTokApp18+ | Trickmo Dropper |
| 177ef86c57c31b29850227dbc8288b735bea977587f2f0a49cfc4089a644a2c4 | com.app15318.core1173 | TikTokApp18+ | Trickmo Dropper |
| e2e218ddf698b4c0099fd2a9619d6912a71f75beb51669a4e3ae4fc71f745d03 | uncle.collop416.wifekin78 | Google Play Services | Trickmo Host Application |
| 749bbcbc3e5d2d524344d52b6471dfa7b8d3ecdeb0b11ab82c843d497a056c8f | nibong.lida531.butler836 | Google Play Services | Trickmo Host Application |
| 143c0e12d2aa1bdecde59f273139dd5605d00f61cda7f626224e07390119c026 | dex.module | – | Dex Module (old variant) |
| 4cd8635062ff6b0885216a0b1658ebcb2938b670f7ac08ecb0b5fb85d8973ea0 | dex.module | – | Dex Module (new variant) |
Bot Commands
In the original report, commands exclusive to the English fork and commands exclusive to the Turkish fork are distinguished by colour; that marking is not preserved in the plain-text table below.
| Commands | Description |
|---|---|
| startVnc | Start authenticated VNC channel (requires keyId + signature) |
| stopVnc | Stop VNC channel |
| startLocalTunnel | Start SSH local-forward tunnel (device port → SSH server) |
| startTunnel | Start SSH remote-forward tunnel (tcpip-forward) |
| stopTunnel | Stop active SSH tunnel |
| startSocks5Proxy | Start on-device SOCKS5 proxy with user/password auth |
| stopSocks5Proxy | Stop on-device SOCKS5 proxy |
| startRecord | Start gesture/screen-activity recording for target packages |
| curl | Execute arbitrary HTTP request (full curl CLI parser) |
| dnsLookup | Resolve hostname from device |
| ping | ICMP ping via /system/bin/ping |
| telnet | TCP port-connect check (multi-port, with timeout) |
| traceroute | Route trace via /system/bin/traceroute |
| uploadArchive | Exfiltrate files filtered by extension/date as multipart |
| getScreenshot | Capture single screenshot via virtual display |
| startScreenshotStreaming | Stream continuous screen frames over VNC |
| stopScreenshotStreaming | Stop screenshot streaming |
| setNotificationFilter | Set regex (MMKV “202”) for auto-cancelling notifications by package |
| setGestureConfig | Configure target packages + upload URL + timeout for gesture recording |
| setKeyLoggerConfig | Set keylogger mode (all/allowlist/blocklist) and target list |
| setVars | Bulk-update arbitrary settings keys |
| setSwitch | Toggle remote feature flags (e.g., clicker on/off) |
| setServers | Update the rotation “Servers” list |
| openAppSettings | Navigate to app info settings |
| openNotificationSettings | Navigate to notification settings |
| openSetNewPasswordSettings | Navigate to set-password intent |
| getInstalledApps | Enumerate installed packages (auto-emitted at module load) |
| getState | Return structured device state JSON (permissions, memory, filter config) |
| getUsageStats | UsageStats + UsageEvents for the past month |
| configureScreenBrightness | Set screen brightness |
| setRingerMode | Set ringer mode (silent/vibrate/normal) |
| runApp | Launch app by package name |
| openUrl | Launch URL via VIEW intent |
| setClipboardText | Set clipboard contents (operator-driven) |
| forceConnection | Force immediate event-queue flush |
| testModule / testModuleError | Health-check entry points |