Researchers at ThreatFabric have identified a new variant of the TrickMo banking trojan that targets Android users across Europe. The variant, known as TrickMo.C, has been under observation since January 2026 and is particularly insidious in its operations.
How TrickMo.C Operates
Disguised as popular applications such as TikTok and various streaming services, TrickMo.C employs a range of tactics to compromise user security. Once installed, it creates a phishing overlay that enables it to harvest login credentials and other sensitive information. The trojan is capable of logging keystrokes, recording the screen, and even livestreaming content directly to its operators. Additionally, it can intercept SMS messages, suppress one-time password (OTP) notifications, modify the clipboard, filter notifications, and capture screenshots.
This sophisticated approach gives attackers unauthorized access to victims’ bank accounts and cryptocurrency wallets, letting them make payments and wire transfers while users remain unaware of the breach. The primary targets of this malicious software are located in France, Italy, and Austria.
Unique Communication Methods
What distinguishes TrickMo.C from its predecessors is its use of the TON network, a decentralized peer-to-peer system originally developed for the Telegram ecosystem. This method of communication allows the trojan to operate without relying on publicly exposed servers; instead, it uses an encrypted overlay network to interact with its operators. The attackers employ ADNL addresses routed through a local TON proxy embedded within the infected device, which enhances their anonymity and complicates detection efforts.