
TrickMo Banking Trojan Employs TON Blockchain for Stealthy Communication

Last updated: 2026-05-12 16:30:19 · Finance & Crypto

Introduction: A New Chapter for TrickMo

The Android banking landscape continues to evolve as threat actors seek new ways to hide their tracks. The latest variant of the notorious TrickMo banking trojan has been spotted in active campaigns across Europe. This version not only introduces a fresh set of commands but also leverages The Open Network (TON) blockchain for its command-and-control (C2) communications. By doing so, the malware achieves a level of stealth that challenges traditional detection methods.

TrickMo Banking Trojan Employs TON Blockchain for Stealthy Communication
Source: www.bleepingcomputer.com

How TON Blockchain Powers Covert C2

The Open Network, originally developed by Telegram, is a decentralized blockchain platform known for its high throughput and low transaction costs. In this new variant, TrickMo uses TON to relay C2 messages in a way that mimics legitimate network traffic. Instead of relying on fixed IP addresses or domains that can be blocked, the malware encodes its commands within blockchain transactions. This approach makes it extremely difficult for security tools to distinguish malicious traffic from normal blockchain activity.

Why Attackers Choose Blockchain

Traditional C2 servers are vulnerable to takedowns, IP blacklisting, and sinkholing. By shifting to a decentralized network, the operators ensure that the channel stays reachable even if an individual node is removed. TON’s smart contract capabilities allow for automated message passing without a central server, giving the malware a resilient and anonymous backbone.

Expanded Arsenal: New Commands in the Latest Variant

Alongside the blockchain innovation, the malware introduces several novel commands designed to enhance its data theft and remote control capabilities. Among these are:

  • Screen capture – Allows attackers to take real‑time screenshots of the victim’s device.
  • One‑time password (OTP) interception – Harvests SMS messages containing authentication codes.
  • Voice recording – Surreptitiously records audio through the device microphone.
  • Keylogging – Logs every keystroke, including those entered in banking apps.

These additions enable the malware to bypass two‑factor authentication (2FA) and gather sensitive information with higher precision.

Stealth Enhancements

To avoid detection, the new variant also modifies its installation routine. It can hide its icon from the app drawer and request accessibility service permissions under the guise of a system update. Once granted, it can overlay fake login screens on top of legitimate banking apps.

Targeting European Users

Active campaigns have been observed primarily in Germany, Italy, France, and the Netherlands. Attackers distribute the malware through fake SMS messages that impersonate banks or delivery services. The messages contain a link to a phishing page that prompts the user to install a malicious APK. The use of local language and familiar branding increases the likelihood of infection.


Scale of the Threat

While exact infection numbers are not publicly available, security researchers have noted a spike in detections throughout the first quarter of 2025. The combination of social engineering and advanced C2 techniques makes this variant a serious concern for mobile security teams.

Defending Against TrickMo and Similar Threats

Organizations and individuals can take several steps to reduce risk:

  1. Install apps only from official stores – Avoid sideloading APKs from untrusted sources.
  2. Review app permissions – Be wary of apps that request Accessibility Service access without clear justification.
  3. Use mobile security solutions – Modern anti‑malware tools can detect suspicious behavior and block known variants.
  4. Enable two‑factor authentication on all accounts – Even if OTPs are intercepted, an additional layer can prevent account takeover.
  5. Keep devices updated – Patches often close vulnerabilities exploited by malware.
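Step 2 above can be turned into a repeatable device check. The script below is an added example, not code from the article or from any vendor tool: it cross-references a device's enabled accessibility services with its non-system package list so that an unknown service owned by a third-party app (the pattern described in the Stealth Enhancements section) stands out. Both inputs are constructed copies of what `adb shell settings get secure enabled_accessibility_services` and `adb shell pm list packages -3` print, the package names are placeholders, and the allowlist is assumed.

```python
"""Triage enabled Android accessibility services against an allowlist."""

# Constructed copy of `adb shell settings get secure enabled_accessibility_services`
# output: "package/service" entries joined by ':'. Android prints "null" when
# no service is enabled. Package names here are placeholders.
ENABLED_SERVICES = (
    "com.example.screenreader/.ReaderService:"
    "com.example.sysupdate/.UpdateAccessibilityService"
)

# Constructed copy of `adb shell pm list packages -3` output (non-system apps).
THIRD_PARTY_PACKAGES = """\
package:com.example.bankapp
package:com.example.sysupdate
"""

# Assumed allowlist of services the organisation knowingly permits.
ALLOWLIST = {"com.example.screenreader/.ReaderService"}

def parse_services(setting):
    """Split the colon-joined setting value into 'package/service' strings."""
    if setting.strip() in ("", "null"):
        return []  # nothing enabled on this device
    return [s for s in setting.strip().split(":") if s]

def parse_packages(pm_output):
    """Collect package names from 'package:<name>' lines."""
    return {line.split(":", 1)[1].strip()
            for line in pm_output.splitlines() if line.startswith("package:")}

def flag_services(setting, pm_output, allowlist=ALLOWLIST):
    """Return (service, is_third_party) for each enabled service not on the allowlist."""
    third_party = parse_packages(pm_output)
    findings = []
    for svc in parse_services(setting):
        if svc in allowlist:
            continue
        pkg = svc.split("/", 1)[0]
        findings.append((svc, pkg in third_party))
    return findings
```

A finding with `is_third_party` set is the one to review first; a service that also hides its launcher icon cannot be spotted from these two outputs alone and needs the app's manifest inspected.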

The Future of Mobile Malware

The adoption of blockchain technology by TrickMo signals a broader trend: malware authors are increasingly turning to decentralized networks to evade surveillance. As detection methods improve, so will the sophistication of these attacks. Security teams must stay ahead by monitoring emerging blockchain‑based C2 patterns and investing in behavioral analysis tools.
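Because the article notes that blockchain C2 traffic blends in with legitimate chain activity, a host watchlist on its own is noisy; what a behavioral tool looks for is the cadence. The following is an added example, not code from the article or from any vendor product: it groups proxy log entries by device and destination, keeps only hosts on an analyst-maintained watchlist of blockchain RPC gateways, and flags series whose inter-request gaps are unusually regular. The log lines and the hostnames in the watchlist are constructed placeholders, not real indicators.

```python
"""Flag beacon-like request cadence from managed devices to blockchain RPC hosts."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Placeholder watchlist of blockchain RPC gateways an analyst would maintain;
# the hostnames are constructed for this example, not real indicators.
RPC_WATCHLIST = {"rpc.example-ton-gateway.test", "api.example-chain.test"}

# Constructed proxy log lines: "<ISO timestamp> <device id> <host>"
SAMPLE_LOG = """\
2025-03-01T09:00:00 phone-17 rpc.example-ton-gateway.test
2025-03-01T09:05:01 phone-17 rpc.example-ton-gateway.test
2025-03-01T09:09:59 phone-17 rpc.example-ton-gateway.test
2025-03-01T09:15:00 phone-17 rpc.example-ton-gateway.test
2025-03-01T09:20:02 phone-17 rpc.example-ton-gateway.test
2025-03-01T09:01:10 phone-42 rpc.example-ton-gateway.test
2025-03-01T11:47:33 phone-42 rpc.example-ton-gateway.test
2025-03-01T09:02:00 phone-42 cdn.example-bank.test
2025-03-01T09:03:00 phone-42 cdn.example-bank.test
"""

def parse_log(text):
    """Group request times by (device, host), keeping watchlisted hosts only."""
    series = defaultdict(list)
    for line in text.splitlines():
        ts, device, host = line.split()
        if host in RPC_WATCHLIST:
            series[(device, host)].append(datetime.fromisoformat(ts))
    return series

def beacon_score(timestamps):
    """Coefficient of variation of inter-request gaps; near 0 means a fixed cadence."""
    ts = sorted(timestamps)
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    if len(gaps) < 3:
        return None  # too few samples to judge cadence
    return pstdev(gaps) / mean(gaps)

def find_beacons(text, max_cv=0.2, min_requests=4):
    """Return (device, host, cv) for series regular enough to warrant review."""
    hits = []
    for (device, host), ts in parse_log(text).items():
        if len(ts) < min_requests:
            continue
        cv = beacon_score(ts)
        if cv is not None and cv <= max_cv:
            hits.append((device, host, round(cv, 3)))
    return sorted(hits)
```

In the constructed log, phone-17 polls the gateway every five minutes and is flagged, while phone-42's two irregular requests are not; the thresholds are starting points to tune against a baseline of wallet apps the organisation actually permits.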

For now, users in Europe – and beyond – should exercise caution when receiving unsolicited messages and avoid installing applications outside official channels. The fight against TrickMo is far from over, but awareness remains the first line of defense.