Mobile banking security has entered a more dangerous phase as Android banking trojans shift from traditional infrastructure to decentralized networks. A new variant of the TrickMo Android banking malware is currently targeting users across Europe, utilizing the TON blockchain to hide its command-and-control (C2) communications. By bypassing the standard internet domain system, this malware makes detection and takedown efforts significantly more difficult for security teams.
The Evolution of TrickMo: From Traditional to Decentralized
First identified in late 2019, TrickMo has remained a persistent threat through constant architectural updates. While earlier versions relied on standard server-client communications, the latest iteration—identified by researchers as Trickmo.C—introduces a sophisticated shift in how it communicates with its operators.
The primary innovation in this variant is the integration of The Open Network (TON), a decentralized peer-to-peer network. Rather than connecting to a public IP address or a domain name that can be flagged and blocked by security providers, TrickMo now uses an encrypted overlay network. This allows the malware to communicate via an embedded local TON proxy running directly on the infected device.
Understanding .ADNL Addresses
Traditional malware uses the Domain Name System (DNS) to find its home server. Security professionals can block these domains or seize the servers to kill the malware’s “brain.” TrickMo bypasses this entirely by using .ADNL addresses.
A .ADNL address is a 256-bit identifier that exists within the TON overlay network. Because these identities are resolved inside the network itself rather than through the public DNS hierarchy, there is no central directory for authorities to shut down. This effectively renders traditional domain takedowns obsolete, granting the operators a high level of resilience and stealth.
How the Attack Works: Delivery and Targeting
The current campaign focuses on users in France, Italy, and Austria, specifically targeting those who use banking apps, fintech services, and cryptocurrency wallets.
The Deception Vector
Attackers deploy the malware by disguising it as popular, high-demand applications. Common disguises include:
- TikTok: Mimicking the popular social media app to trick users into granting permissions.
- Streaming Apps: Offering “free” or “premium” access to streaming content to entice downloads.
Once installed, the malware requests extensive device permissions, allowing it to intercept sensitive data, monitor authentication apps, and gain control over banking and wallet credentials.
Why This Shift Matters for Cybersecurity
The move toward blockchain-based C2 infrastructure represents a broader trend in malware development: the prioritization of operational flexibility over new features. The goal isn’t necessarily to steal data in a new way, but to ensure the malware can continue operating even when security vendors identify the threat.
By leveraging a decentralized network, the operators ensure that their infrastructure remains hidden from the public internet. This forces security researchers to analyze the malware’s internal proxy and network traffic rather than simply blocking a list of malicious URLs.
- New Infrastructure: TrickMo now uses the TON blockchain for stealthy command-and-control communications.
- DNS Bypass: The use of .ADNL addresses makes traditional domain-based blocking ineffective.
- Target Region: Current campaigns are heavily focused on users in France, Italy, and Austria.
- Delivery Method: Malware is disguised as TikTok or streaming applications.
- Goal: Theft of banking credentials, fintech data, and cryptocurrency wallet access.
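As an added illustration of the shift the article describes, from blocking URL lists to looking at the device's own traffic, the script below (not code from the article or from any TrickMo analysis) correlates each app's DNS answers with its outbound connections, so an app that reaches many remote peers it never resolved through DNS, while also talking to a listener on loopback, stands out. The log format, UIDs, ports and addresses are constructed assumptions.

```python
# Added example: a toy heuristic for overlay-style C2 that bypasses DNS.
# Lines are constructed samples in an assumed format:
#   dns  <uid> <hostname> <answered_ip>
#   conn <uid> <proto> <dest_ip> <dest_port>
from collections import defaultdict

SAMPLE_LOG = """\
dns 10120 api.bank.example 203.0.113.10
conn 10120 tcp 203.0.113.10 443
dns 10121 cdn.streaming.example 198.51.100.5
conn 10121 tcp 198.51.100.5 443
conn 10144 udp 192.0.2.17 30303
conn 10144 udp 192.0.2.44 30303
conn 10144 udp 192.0.2.91 13333
conn 10144 udp 198.51.100.77 30303
conn 10144 udp 203.0.113.200 30303
conn 10144 tcp 127.0.0.1 8080
"""

def parse_log(text):
    """Return (uid -> IPs resolved via DNS, uid -> list of (proto, ip, port))."""
    dns = defaultdict(set)
    conns = defaultdict(list)
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        if parts[0] == "dns":
            dns[parts[1]].add(parts[3])
        elif parts[0] == "conn":
            conns[parts[1]].append((parts[2], parts[3], int(parts[4])))
    return dns, conns

def score_uids(text, min_peers=3, unresolved_ratio=0.8):
    """Flag uids whose remote peers were (almost) never obtained through DNS.
    A loopback connection alongside them is consistent with an app talking
    to an embedded local proxy, as the article describes for TrickMo."""
    dns, conns = parse_log(text)
    findings = {}
    for uid, clist in conns.items():
        remote = {ip for _, ip, _ in clist if not ip.startswith("127.")}
        unresolved = {ip for ip in remote if ip not in dns.get(uid, set())}
        talks_to_loopback = any(ip.startswith("127.") for _, ip, _ in clist)
        if len(remote) >= min_peers and len(unresolved) / len(remote) >= unresolved_ratio:
            findings[uid] = {"peers": len(remote), "unresolved": len(unresolved),
                             "loopback": talks_to_loopback}
    return findings
```

Apps that legitimately use peer-to-peer transports will also score high, so the output is a triage list for a reviewer, not a verdict.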
How to Protect Your Android Device
As banking trojans become more resilient, relying on a single layer of security isn’t enough. To defend against variants like TrickMo, users should follow these essential practices:
- Avoid Sideloading: Never install APK files from third-party websites or unofficial sources. Only use the Google Play Store.
- Audit App Permissions: Be skeptical of apps that request “Accessibility Services” or “Notification Access” if those features aren’t core to the app’s function.
- Enable Multi-Factor Authentication (MFA): Use hardware keys or app-based authenticators rather than SMS-based MFA, which can be intercepted by sophisticated banking trojans.
- Keep Software Updated: Regularly update your Android OS and security patches to close vulnerabilities that malware may exploit.
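To turn the permission-audit advice above into a repeatable check, the added script below (not from the article) compares the device's enabled accessibility services and notification listeners against an allowlist of packages the owner expects to hold those powers. The raw values are constructed samples in the colon-separated "package/service" form that `adb shell settings get secure enabled_accessibility_services` and `adb shell settings get secure enabled_notification_listeners` return; the package names are assumptions.

```python
# Added example: audit the two Android settings the article singles out.
# Both raw strings are constructed samples, not values from a real device.
ACCESSIBILITY_RAW = ("com.android.talkback/.TalkBackService"
                     ":com.example.tiktok.free/.A11yService")
LISTENERS_RAW = ("com.google.android.apps.messaging/.NotifListener"
                 ":com.example.tiktok.free/.NotifSvc")
# Packages the device owner knowingly granted these capabilities to.
EXPECTED = {"com.android.talkback", "com.google.android.apps.messaging"}

def parse_setting(raw):
    """Split a colon-separated component list into (package, class) pairs.
    `settings get` prints the literal string "null" when nothing is set."""
    if raw is None or raw.strip() == "null":
        return []
    pairs = []
    for item in raw.split(":"):
        item = item.strip()
        if not item or "/" not in item:
            continue
        pkg, cls = item.split("/", 1)
        if cls.startswith("."):          # Android's relative class shorthand
            cls = pkg + cls
        pairs.append((pkg, cls))
    return pairs

def audit(accessibility_raw, listeners_raw, expected):
    """Return every component holding a sensitive capability whose package
    is not on the allowlist; each entry names the setting it came from."""
    findings = []
    for setting, raw in (("accessibility", accessibility_raw),
                         ("notification_listener", listeners_raw)):
        for pkg, cls in parse_setting(raw):
            if pkg not in expected:
                findings.append({"setting": setting, "package": pkg,
                                 "component": cls})
    return findings

if __name__ == "__main__":
    for f in audit(ACCESSIBILITY_RAW, LISTENERS_RAW, EXPECTED):
        print(f"{f['setting']}: unexpected {f['component']}")
```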
Frequently Asked Questions
What is the TrickMo Android malware?
TrickMo is a banking trojan designed to steal financial credentials and cryptocurrency from Android users by mimicking legitimate apps and intercepting sensitive data.
How does the TON blockchain help the malware?
The TON blockchain provides a decentralized network that allows the malware to communicate with its operators using .ADNL addresses, bypassing the public DNS system and making the servers nearly impossible to track or shut down.
Which countries are currently being targeted?
Recent campaigns have specifically targeted users in France, Italy, and Austria.
Can my antivirus detect TrickMo?
While many security tools can detect known signatures of TrickMo, the use of new C2 infrastructure and constant architectural redesigns mean that updated, behavior-based security software is necessary for protection.
Looking Ahead
The integration of blockchain technology into malware infrastructure is a wake-up call for the cybersecurity industry. As attackers move away from centralized servers, the defense strategy must shift toward endpoint detection and response (EDR) and zero-trust architectures. The battle is no longer just about blocking known-bad websites; it’s about identifying malicious behavior within the device’s own memory and network traffic.