The TrickMo malware represents an increasingly sophisticated threat in the world of cyberattacks, primarily targeting Android devices in Europe. Camouflaged behind the decentralized infrastructure of the TON blockchain, this banking Trojan has evolved since its initial discovery in 2019. This in-depth analysis explores the characteristics of TrickMo, its modes of operation, and the measures to take to protect against this insidious threat.
TrickMo: a constantly evolving malware
TrickMo is not a newcomer on the malware scene. Beginning its malicious journey in September 2019, it quickly caught the attention of cybersecurity experts due to its evolving capabilities. In October 2024, the company Zimperium identified more than 40 variants of this malware, showcasing the ongoing efforts of its authors to refine their methods. Currently, the TrickMo.C variant, observed since January 2025, stands out for its innovative use of a blockchain-based communication method, which makes detecting and neutralizing its attacks much more difficult.
Specific targets in Europe
The TrickMo.C variant has been designed to specifically target users located in France, Italy, and Austria. Often posing as popular applications such as TikTok or streaming services, it aims to deceive victims into downloading the malicious software. Once installed, TrickMo.C targets banking credentials as well as cryptocurrency wallets, revealing a planned and strategic approach by the cybercriminals behind it.
A clever use of the TON blockchain
What makes TrickMo.C particularly formidable is its integration with the TON (The Open Network) network, a decentralized system originally designed for Telegram. Through this network, TrickMo.C can establish discreet communications with its operators without exposing its activities on the traditional Internet. By using ADNL addresses, identifiers unique to TON, the malware connects to its command servers through a local proxy, making its communications nearly invisible to standard detection tools that watch for conventional command-and-control traffic.
An arsenal of worrying features
TrickMo's architecture is modular: a main APK handles installation, and a secondary module provides the offensive functionality. Among the notable capabilities of this malware are:
- Overlay of fake banking pages for credential theft.
- Keystroke logging and screenshot capturing.
- Live screen broadcasting to the operator.
- SMS interception and deletion of OTP notifications.
- Clipboard modification and notification filtering.
The advanced network commands that TrickMo.C has added (curl, ping, telnet, and SSH tunneling) expand the attack possibilities, giving cybercriminals increased control over infected devices.
Dormant features to watch for
Experts have also discovered that TrickMo.C contains dormant features, such as the integration of the Pine framework, which could potentially be used to intercept network operations. Although these options are not yet activated, their presence indicates that the authors of TrickMo may be planning updates to intensify the impact of their malware. Furthermore, the malware references NFC-related permissions, suggesting further possibilities for future evolution.
Protection measures against TrickMo
In the face of a threat as sophisticated as TrickMo, it is crucial for Android users to adopt effective security practices. Expert recommendations include:
- Download applications only from the official Google Play Store.
- Favor recognized publishers and read reviews before installing an application.
- Limit the number of applications installed on your device.
- Keep Google Play Protect enabled at all times.
- Be vigilant against applications mimicking popular services like TikTok.
A worrying turning point in the malware landscape
The introduction of the TON network into TrickMo's arsenal highlights the worrying evolution of mobile malware. By exploiting decentralized technologies, cybercriminals make their infrastructures not only more resilient but also more difficult to dismantle. This poses an unprecedented challenge for security teams and authorities, while the threat to European users continues to grow.