TrickMo, the notorious Android banking malware, has made a notable comeback with a revamped architecture that significantly enhances its stealth and operational capabilities. This latest variant is now targeting a wider array of applications, including banking, fintech, wallet, and authenticator apps, while focusing on backend improvements rather than introducing new user-facing features.
The malware retains its core device takeover (DTO) abilities but has been upgraded to improve its stealth, persistence, and flexibility in operations. Once installed, TrickMo employs aggressive tactics to persuade users to grant accessibility permissions, thereby allowing attackers full remote control over infected devices. This includes real-time screen viewing and interaction, which poses a substantial risk to users’ sensitive information.
One of the most significant advancements in this iteration is its command-and-control (C2) communication. TrickMo has transitioned from traditional internet infrastructure to The Open Network (TON), a decentralized peer-to-peer network. This shift not only enhances its operational security but also complicates traditional takedown strategies, as malicious traffic can now seamlessly blend with legitimate TON usage.
TrickMo Android Malware
Security researchers from Threat Fabric have tracked this new variant, which has been actively deployed in campaigns across France, Italy, and Austria since early 2026. The malware’s ability to display fake login overlays when users access legitimate banking apps allows it to capture credentials while quietly recording user activity in the background.
Instead of relying on standard domains or IP addresses, TrickMo communicates through .adnl endpoints resolved within the TON network. When access to the regular internet is limited, it employs DNS-over-HTTPS (DoH) to ensure that DNS queries remain encrypted and concealed from local monitoring systems.
The modular design of TrickMo continues to play a crucial role in its functionality. The primary application serves as a loader and persistence mechanism, while its core malicious capabilities are delivered through a dynamically loaded APK module known as “dex.module.” This module enables real-time remote control via a low-latency communication channel and can be selectively deployed based on geographic targeting.
Evidence suggests that this modular approach has been in use since late 2024, but it has now been expanded with new capabilities. An embedded local TON proxy routes all traffic, making detection or blocking of communications through conventional DNS-based controls exceedingly difficult.
Among the enhancements is the introduction of network reconnaissance and tunneling features. Infected devices can execute commands such as HTTP probing, DNS lookups, ping, and traceroute, giving attackers unprecedented visibility into the victim’s local network environment. More alarmingly, TrickMo can establish SSH tunnels and run an authenticated SOCKS5 proxy on the compromised device, allowing malicious traffic to appear as if it originates from the user’s own network. This capability is particularly concerning as it can effectively bypass fraud detection systems employed by banks and e-commerce platforms.
The bot’s HTTP client is routed through this proxy, ensuring that every outbound C2 request is directed to an .adnl hostname resolved through the TON overlay.
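The two network traits described above (C2 hostnames under the TON `.adnl` suffix and DoH used to hide DNS resolution) are the ones a defender can look for in egress or device telemetry. The following is an added detection example written for this article, not code from the report or from ThreatFabric; the log format, the IP addresses and the `exampleadnlhost7.adnl` name are constructed, and the resolver list is only a starting point.

```python
from collections import defaultdict

# Well-known public DoH resolver hostnames (not an exhaustive list; extend it
# with the resolvers your environment permits or wants to flag).
KNOWN_DOH_RESOLVERS = {"dns.google", "cloudflare-dns.com", "dns.quad9.net"}

# Constructed sample egress log, one connection per line:
# timestamp source_ip destination_host destination_port http_path
SAMPLE_LOG = """\
2026-03-01T10:00:01Z 10.0.0.12 www.example-bank.test 443 /login
2026-03-01T10:00:03Z 10.0.0.12 dns.google 443 /dns-query
2026-03-01T10:00:04Z 10.0.0.12 exampleadnlhost7.adnl 443 /api/register
2026-03-01T10:00:09Z 10.0.0.15 cloudflare-dns.com 443 /dns-query
2026-03-01T10:00:11Z 10.0.0.15 updates.example.test 80 /check
"""


def parse_line(line):
    """Split one log line into its fields; return None for malformed lines."""
    parts = line.split()
    if len(parts) != 5:
        return None
    ts, src, host, port, path = parts
    return {"ts": ts, "src": src, "host": host.lower(), "port": int(port), "path": path}


def classify(entry):
    """Return the indicator tags that apply to a single connection record."""
    reasons = []
    # TON ADNL endpoints are addressed as names under the .adnl suffix.
    if entry["host"].endswith(".adnl"):
        reasons.append("ton-adnl-hostname")
    # DoH: either a known resolver hostname or the RFC 8484 /dns-query path.
    if entry["host"] in KNOWN_DOH_RESOLVERS or entry["path"].startswith("/dns-query"):
        reasons.append("doh-resolver")
    return reasons


def detect(log_text):
    """Run the classifier over a log and return (ts, src, host, reason) findings."""
    findings = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        for reason in classify(entry):
            findings.append((entry["ts"], entry["src"], entry["host"], reason))
    return findings


def sources_with_both(findings):
    """Sources showing both DoH and .adnl activity: the combination the report describes."""
    seen = defaultdict(set)
    for _, src, _, reason in findings:
        seen[src].add(reason)
    wanted = {"ton-adnl-hostname", "doh-resolver"}
    return sorted(src for src, reasons in seen.items() if wanted <= reasons)


if __name__ == "__main__":
    hits = detect(SAMPLE_LOG)
    for ts, src, host, reason in hits:
        print(f"{ts} {src} -> {host}: {reason}")
    print("sources with both indicators:", sources_with_both(SAMPLE_LOG and hits))
```

DoH alone is common on healthy devices, so the `doh-resolver` tag is low-confidence on its own; the stronger signal is a device that combines it with `.adnl` resolution. Because the report says the bot routes traffic through an embedded local TON proxy, the `.adnl` name may only be visible in on-device telemetry (app network logs, MDM or EDR agents) rather than on the network perimeter.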
Researchers have also identified dormant features within the malware, such as the Pine hooking framework, which remains inactive, and the declaration of NFC-related permissions without any implemented functionality. These pre-configured components suggest that attackers are poised to deploy additional capabilities dynamically in future campaigns without the need to modify the core application.
This latest iteration of TrickMo signifies a strategic evolution rather than a complete overhaul. By leveraging decentralized infrastructure, modular payload delivery, and advanced tunneling capabilities, the malware becomes increasingly difficult to detect, disrupt, and analyze. This evolution underscores a broader trend in mobile threats, where attackers prioritize architectural resilience and stealth to maintain long-term access and extend their operational reach within increasingly secure environments.
Indicators of Compromise
| SHA-256 | Package name | Application name | Role |
|---|---|---|---|
| 01889a9ec2abecb73e5e8792be68a4e3bc7dcbe1c3f19ac06763682d63aa8c21 | com.app16330.core20461 | TikTokApp18+ | Trickmo Dropper |
| 177ef86c57c31b29850227dbc8288b735bea977587f2f0a49cfc4089a644a2c4 | com.app15318.core1173 | TikTokApp18+ | Trickmo Dropper |
| e2e218ddf698b4c0099fd2a9619d6912a71f75beb51669a4e3ae4fc71f745d03 | uncle.collop416.wifekin78 | Google Play Services | Trickmo Host application |
| 749bbcbc3e5d2d524344d52b6471dfa7b8d3ecdeb0b11ab82c843d497a056c8f | nibong.lida531.butler836 | Google Play Services | Trickmo Host application |
| 143c0e12d2aa1bdecde59f273139dd5605d00f61cda7f626224e07390119c026 | dex.module | – | Dex Module (old variant) |
| 4cd8635062ff6b0885216a0b1658ebcb2938b670f7ac08ecb0b5fb85d8973ea0 | dex.module | – | Dex Module (new variant) |
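To put the table above to use, a responder typically compares the hashes and package names against an installed-app inventory pulled from a device (for example with `adb shell pm list packages` and `adb pull` followed by `sha256sum`). The following is an added example for this article, not code from the report or from ThreatFabric: the IoC table is copied from above, while the inventory entries, their labels and all hashes other than the first are constructed. It also flags apps that present the "Google Play Services" label under a package name other than the genuine `com.google.android.gms`, since the two host-application samples in the table do exactly that.

```python
import hashlib
import re

# The IoC table from the report, embedded verbatim (hashes, package names,
# application names and roles are the report's; the separator row is ours).
IOC_TABLE = """\
| SHA-256 | Package name | Application name | Role |
|---|---|---|---|
| 01889a9ec2abecb73e5e8792be68a4e3bc7dcbe1c3f19ac06763682d63aa8c21 | com.app16330.core20461 | TikTokApp18+ | Trickmo Dropper |
| 177ef86c57c31b29850227dbc8288b735bea977587f2f0a49cfc4089a644a2c4 | com.app15318.core1173 | TikTokApp18+ | Trickmo Dropper |
| e2e218ddf698b4c0099fd2a9619d6912a71f75beb51669a4e3ae4fc71f745d03 | uncle.collop416.wifekin78 | Google Play Services | Trickmo Host application |
| 749bbcbc3e5d2d524344d52b6471dfa7b8d3ecdeb0b11ab82c843d497a056c8f | nibong.lida531.butler836 | Google Play Services | Trickmo Host application |
| 143c0e12d2aa1bdecde59f273139dd5605d00f61cda7f626224e07390119c026 | dex.module | – | Dex Module (old variant) |
| 4cd8635062ff6b0885216a0b1658ebcb2938b670f7ac08ecb0b5fb85d8973ea0 | dex.module | – | Dex Module (new variant) |
"""

# The genuine Google Play Services package; anything else using that label is impersonating it.
GENUINE_PLAY_SERVICES = "com.google.android.gms"
SHA256_RE = re.compile(r"^[0-9a-f]{64}$")


def parse_ioc_table(text):
    """Parse the markdown IoC table into dicts, skipping header, separator and malformed rows."""
    iocs = []
    for line in text.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) != 4 or not SHA256_RE.match(cells[0].lower()):
            continue
        sha, package, app_name, role = cells
        iocs.append({"sha256": sha.lower(), "package": package, "app_name": app_name, "role": role})
    return iocs


def sha256_hex(data: bytes) -> str:
    """SHA-256 of an APK's bytes, as produced by sha256sum on a pulled APK."""
    return hashlib.sha256(data).hexdigest()


def match_inventory(inventory, iocs):
    """Compare installed apps against the IoCs; returns (package, reason, role) tuples.

    Each inventory entry is {"package": ..., "label": ..., "sha256": ...}.
    A hash match is the strongest evidence; a package-name match with a different
    hash suggests a repacked build; a label mismatch is a weaker heuristic.
    """
    by_hash = {i["sha256"]: i for i in iocs}
    by_package = {}
    for i in iocs:
        by_package.setdefault(i["package"], i)
    findings = []
    for app in inventory:
        sha = app["sha256"].lower()
        if sha in by_hash:
            findings.append((app["package"], "sha256 match", by_hash[sha]["role"]))
        elif app["package"] in by_package:
            findings.append((app["package"], "package name match (hash differs: possible repack)",
                             by_package[app["package"]]["role"]))
        elif app["label"] == "Google Play Services" and app["package"] != GENUINE_PLAY_SERVICES:
            findings.append((app["package"], "label impersonates Google Play Services", None))
    return findings


# Constructed inventory (only the first hash is taken from the report's table).
SAMPLE_INVENTORY = [
    {"package": "uncle.collop416.wifekin78", "label": "Google Play Services",
     "sha256": "e2e218ddf698b4c0099fd2a9619d6912a71f75beb51669a4e3ae4fc71f745d03"},
    {"package": "com.app16330.core20461", "label": "TikTokApp18+",
     "sha256": sha256_hex(b"constructed: repacked dropper bytes")},
    {"package": "example.fake.services", "label": "Google Play Services",
     "sha256": sha256_hex(b"constructed: unknown apk")},
    {"package": GENUINE_PLAY_SERVICES, "label": "Google Play Services",
     "sha256": sha256_hex(b"constructed: genuine gms apk")},
    {"package": "org.example.notes", "label": "Notes",
     "sha256": sha256_hex(b"constructed: benign app")},
]

if __name__ == "__main__":
    for pkg, reason, role in match_inventory(SAMPLE_INVENTORY, parse_ioc_table(IOC_TABLE)):
        print(f"{pkg}: {reason}" + (f" [{role}]" if role else ""))
```

The `dex.module` rows have no package installed on the device in the usual sense, since the module is loaded dynamically by the host application; hashing files in the host app's private storage rather than the installed APK list is what would surface those two hashes.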
Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.