# TrickMo Android Banking Trojan Evolves With TON-Based C2

*Tuesday, May 12, 2026 at 2:05 PM UTC — Hamer Intelligence Services Desk*

**Published**: 2026-05-12T14:05:21.516Z
**Category**: cyber | **Region**: Europe
**Importance**: 6/10
**Sources**: OSINT
**Permalink**: https://hamerintel.com/data/articles/3649.md
**Source**: https://hamerintel.com/summaries

---

**Deck**: Security researchers reported on 12 May that a new variant of the TrickMo Android banking trojan has emerged, using The Open Network (TON) for command-and-control while adding SSH tunneling and SOCKS5 proxy features. The campaign targeted banking and cryptocurrency users in France, Italy, and Austria between January and February 2026.

## Key Takeaways
- A new TrickMo Android banking trojan variant was disclosed on 12 May 2026, using TON-based infrastructure for stealthy command-and-control.
- The malware adds SSH tunneling and SOCKS5 proxy capabilities, turning infected devices into network pivots and traffic exit nodes.
- Targets included banking and cryptocurrency wallet users in France, Italy, and Austria during early 2026.
- The evolution highlights growing convergence between financial cybercrime, mobile malware, and decentralized communication platforms.

On 12 May 2026, cybersecurity analysts revealed a significant evolution in the TrickMo Android banking trojan family. The newly observed variant, active between January and February 2026, has adopted The Open Network (TON) blockchain ecosystem as a core element of its command-and-control (C2) infrastructure. By leveraging TON for C2 communication, the operators seek to increase resilience against takedowns and to exploit the relative opacity of decentralized platforms.

TrickMo has historically been associated with credential theft, two-factor authentication interception, and session hijacking targeting banking customers. The latest variant retains these core functionalities while introducing advanced networking features. Specifically, it incorporates SSH tunneling and SOCKS5 proxy modules, allowing attackers to route arbitrary traffic through infected devices. This turns compromised smartphones into network pivots and exit nodes, which can be used for further intrusions, data exfiltration, or to obfuscate the origin of malicious activity.
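A handset that serves SOCKS5 is a strong signal of the exit-node behavior described above, because a phone should never accept inbound proxy connections. The following is an added detection example (not TrickMo's code or the researchers' tooling) that parses the RFC 1928 greeting and request from the client-to-server bytes of reassembled TCP sessions and flags any session in which a known handset is the proxy server; the handset address set, the flow records and all IPs are constructed assumptions.

```python
# Added detection example, not TrickMo's code: flag handsets that answer as
# SOCKS5 servers, i.e. the traffic exit nodes the brief describes. Input is the
# reassembled client-to-server byte stream of each TCP session; the handset
# address set is assumed to come from the MDM or VPN inventory.
import ipaddress

SOCKS_VERSION = 5
CMD_NAMES = {1: "CONNECT", 2: "BIND", 3: "UDP_ASSOCIATE"}
ATYP_IPV4, ATYP_DOMAIN = 1, 3

def greeting_length(data):
    """RFC 1928 greeting VER|NMETHODS|METHODS: return its length, or None."""
    if len(data) < 2 or data[0] != SOCKS_VERSION or data[1] == 0:
        return None
    return 2 + data[1] if len(data) >= 2 + data[1] else None

def parse_request(data):
    """RFC 1928 request VER|CMD|RSV|ATYP|DST.ADDR|DST.PORT -> (cmd, host, port)."""
    if len(data) < 4 or data[0] != SOCKS_VERSION or data[2] or data[1] not in CMD_NAMES:
        return None
    atyp = data[3]
    if atyp == ATYP_IPV4 and len(data) >= 10:
        host, end = str(ipaddress.IPv4Address(data[4:8])), 8
    elif atyp == ATYP_DOMAIN and len(data) >= 7 + data[4]:
        host, end = data[5:5 + data[4]].decode("ascii", "replace"), 5 + data[4]
    else:  # truncated, or an address type (e.g. IPv6, ATYP 4) not handled here
        return None
    return CMD_NAMES[data[1]], host, int.from_bytes(data[end:end + 2], "big")

def find_socks5_exit_nodes(flows, handsets):
    """(handset, client, request) for each session in which a handset serves SOCKS5."""
    hits = []
    for flow in flows:
        if flow["dst"] not in handsets:   # only devices that should never proxy
            continue
        glen = greeting_length(flow["c2s"])
        req = parse_request(flow["c2s"][glen:]) if glen else None
        if req:
            hits.append((flow["dst"], flow["src"], req))
    return hits

# Constructed sessions: handset relaying CONNECT to a bank site; handset relaying
# CONNECT to an SSH port; ordinary TLS to a handset (0x16 record header); and a
# handset that is merely a SOCKS5 *client* of an external server (not flagged).
HANDSETS = {"10.20.0.15", "10.20.0.16", "10.20.0.17"}
SAMPLE_FLOWS = [
    {"src": "203.0.113.7", "dst": "10.20.0.15", "c2s": b"\x05\x01\x00\x05\x01\x00\x03\x0cbank.example\x01\xbb"},
    {"src": "203.0.113.7", "dst": "10.20.0.16", "c2s": b"\x05\x02\x00\x02\x05\x01\x00\x01\xc6\x33\x64\x09\x00\x16"},
    {"src": "203.0.113.8", "dst": "10.20.0.17", "c2s": b"\x16\x03\x01\x00\xf8\x01"},
    {"src": "10.20.0.17", "dst": "198.51.100.9", "c2s": b"\x05\x01\x00"},
]
```

Direction is the discriminating feature: the same bytes sent by a handset to an external server are legitimate client use of a corporate proxy, so only sessions where the handset is the destination are reported.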

The campaign has so far focused on users in France, Italy, and Austria, targeting both traditional banking applications and cryptocurrency wallets. Attack vectors likely include phishing messages, malicious sideloaded applications, and possibly trojanized apps distributed through unofficial marketplaces. Once installed, the malware requests extensive permissions to access SMS, notifications, accessibility services, and network settings, enabling it to intercept one-time passwords, manipulate on-screen content, and maintain persistent connectivity with its C2 infrastructure.

Key actors include the cybercriminal group or groups maintaining and operating the TrickMo codebase, whose identities remain unknown but who appear to possess sophisticated development capabilities and an understanding of both mobile platforms and network security tools. On the defensive side, European financial institutions, telecom providers, and national cybersecurity agencies are now confronted with a threat that not only steals credentials but also weaponizes customer devices as infrastructure.

The use of TON for C2 is particularly noteworthy. Decentralized, blockchain-based networks pose challenges for traditional disruption strategies, which rely on sinkholing domains, pressuring hosting providers, or seizing centralized servers. Embedding C2 messages or configuration updates in a distributed ledger or using TON-based messaging channels complicates attribution and dismantling. It also reflects a broader trend of cybercriminals moving toward Web3 technologies for resilience and monetization.

## Outlook & Way Forward

In the short term, financial institutions and mobile security vendors in affected countries will likely accelerate the deployment of detection signatures, behavioral analytics, and customer education campaigns focused on TrickMo and similar trojans. Banks may increase the use of hardware-based authentication, in-app transaction signing, and anomaly detection systems that can flag unusual device behavior even when credentials and OTPs appear valid.

From a broader cyber defense perspective, the TrickMo evolution will spur greater attention to the abuse of decentralized networks for malicious purposes. Law enforcement and regulators may push for closer cooperation with TON ecosystem developers and service providers, seeking mechanisms for threat intelligence sharing, abuse reporting, and, where possible, technical countermeasures. However, the tension between privacy, decentralization, and security will complicate any such initiatives.

Strategically, organizations with exposure to European banking and crypto markets should treat mobile devices not only as endpoints needing protection but as potential threat infrastructure in themselves. Security architectures will need to account for compromised customer devices being used as proxies for attacks on corporate networks or other users. Watch for further iterations of TrickMo and similar malware families incorporating additional Web3 components, stronger encryption, and cross-platform capabilities. Continuous monitoring of emerging mobile threats and adaptive fraud detection will be essential to keep pace with this rapidly evolving ecosystem.
