A New Chapter for TrickMo: Blockchain C2 and Network Pivoting
Cybersecurity researchers have identified a significant shift in the capabilities of the TrickMo Android banking trojan. A newly discovered variant, observed between January and February 2026 by the mobile security firm ThreatFabric, now incorporates The Open Network (TON) for stealthy command-and-control operations. This development transforms what was once primarily a credential-stealing tool into a programmable network pivot, capable of reconnaissance, tunnelling, and traffic routing from infected mobile devices. The combination of TrickMo, TON and SOCKS5 represents an evolution that security teams and Android users alike need to understand.

Unlike earlier versions that relied on conventional internet infrastructure, this latest iteration uses an embedded native TON proxy. Every outbound request from the malware now travels through this proxy, addressed to .adnl hostnames and resolved through the TON overlay. The result is a communication channel that blends with legitimate blockchain traffic, making traditional takedown and blocking efforts far less effective.
Understanding TrickMo: From OTP Theft to Full Device Control
TrickMo first appeared in late 2019, flagged by CERT-Bund and IBM X-Force. Its original purpose was straightforward: abuse Android’s accessibility services to intercept one-time passwords and phish login credentials. Over time, the malware grew more sophisticated, adding keystroke logging, screen recording, live screen streaming, and SMS interception. These features gave operators near-complete remote control over infected devices.
The malware uses a runtime-loaded APK, known as dex.module, that is fetched on demand from attacker-controlled servers. This modular approach allows the core payload to remain hidden until activation, evading many static detection methods. The newest variant updates this dex.module with entirely new network-oriented subsystems.
The Role of Android Accessibility Services
Android’s accessibility services are designed to assist users with disabilities. They allow apps to read screen content, perform gestures, and interact with other applications on behalf of the user. TrickMo exploits this legitimate feature to hijack OTPs, monitor screen activity, and inject fake login pages over legitimate banking apps. Once granted, these permissions are extremely difficult to revoke without user awareness.
For someone managing an Android device fleet, this vector is particularly concerning. A single user tricked into enabling accessibility permissions can expose the entire organisation to lateral movement and data exfiltration. The new variant amplifies this risk by adding network reconnaissance tools that work from the victim’s internal network position.
Why The Open Network Attracts Malware Operators
The Open Network, or TON, is a decentralized blockchain platform originally conceived by the Telegram team. It supports fast transactions, smart contracts, and a distributed infrastructure that is inherently resistant to censorship. For malware operators, these same properties make TON, paired with TrickMo’s SOCKS5 proxy, a powerful combination for hiding command-and-control traffic.
Instead of connecting to a static IP address or a traditional domain name, the malware communicates through .adnl endpoints. ADNL stands for Abstract Datagram Network Layer, a TON protocol that routes messages through a peer-to-peer overlay network. This means the C2 server does not need a fixed location. It can be any node inside the TON network, and its address can change without disrupting the malware’s operation.
Traditional takedown efforts rely on identifying the C2 server’s IP address and working with hosting providers to shut it down. With TON-based C2, that approach fails. The server is not a single machine in a known data centre. It is a moving target inside a decentralized mesh that spans hundreds of nodes across multiple jurisdictions.
Blending in with Legitimate Traffic
A critical advantage for attackers is that TON traffic looks identical to legitimate TON activity. The same protocols, the same encryption, the same routing. Network monitoring tools that flag unusual outbound connections may not distinguish between a user running a TON wallet app and a TrickMo-infected device sending C2 heartbeats. This blending effect dramatically reduces the signal-to-noise ratio for detection teams.
The New Network Subsystem: Remote Shell for Mobile Devices
The most notable architectural change in this TrickMo variant is the replacement of the previous socket.io-based remote control channel. The new version uses a network-operative subsystem that effectively gives attackers a remote shell equivalent running from the victim’s device. Supported commands include curl, dnslookup, ping, telnet, and traceroute.
Consider a hypothetical scenario: a network security engineer notices unusual outbound connections from multiple mobile devices on the corporate guest network. Upon investigation, those devices are found to be running a dropper app masquerading as a modified version of TikTok. The SOCKS5 and reconnaissance capabilities mean those devices are not just leaking credentials — they are actively scanning internal resources, mapping network topology, and searching for vulnerable hosts.
From the attacker’s perspective, each infected device becomes a beachhead inside the victim’s network. The reconnaissance commands allow the operator to probe internal systems that would not be reachable from the open internet. A bank’s internal accounting server, for example, may be accessible from a compromised employee’s phone connected to the corporate Wi-Fi. The malware can discover that server, attempt connections, and map the internal network — all without generating traffic that crosses the perimeter firewall.
SSH Tunnelling Adds Persistence
The inclusion of SSH tunnelling further expands the attacker’s options. Once a device is compromised, the operator can establish an encrypted tunnel through it into the internal network. This tunnel provides persistent, low-and-slow access that can survive device reboots and network changes. For incident responders, these tunnels are notoriously difficult to detect because they often mimic legitimate SSH traffic used by IT administrators.
For someone who manages an Android device fleet, this represents a nightmare scenario. A single infected device can become a permanent backdoor into the corporate network, one that operates outside the control of traditional endpoint detection tools. The only reliable mitigation is to prevent the initial infection from ever occurring.
How Dropper Apps Trick Users into Installing TrickMo
The distribution chain for this TrickMo variant involves two layers of deception. First, a dropper app is distributed through Facebook, masquerading as an adult-friendly version of TikTok. These ads target users in France, Italy, and Austria — the three countries where active infections have been observed. The dropper.
Once installed, the dropper app requests accessibility service permissions under a false pretext. After the user grants these permissions, the app retrieves the real TrickMo payload (dex.module) from a remote server and loads it dynamically. The dropper itself may appear harmless or even functional, avoiding suspicion while the real malware operates in the background.
The actual TrickMo payload impersonates Google Play Services. It uses package names such as com.app16330.core20461 or com.app15318.core1173. These names are chosen to blend in with legitimate system apps. A typical user scrolling through their application list would not notice anything unusual. Even security-conscious users may hesitate before removing an app that appears to be part of the core Android framework.
Red Flags to Watch For
How can a user distinguish a dropper app from a legitimate one? Several indicators raise suspicion. First, the app requests accessibility service permissions for no clear reason. A modified TikTok does not need to read screen content or intercept button presses. Second, the app may have a slightly misspelled name or an unusually generic icon. Third, the app may appear in the device’s settings as having permission to draw over other apps — a common technique used by banking trojans to display fake login screens.
For mobile app developers, this distribution method highlights the need for vigilance when publishing apps on any platform. Repackaging legitimate software with malicious code remains one of the most effective ways to distribute malware, and the barrier to entry is low. A threat actor can take a popular open-source app, add malicious code, and distribute it through social media with minimal effort to bypass official app store controls.
The SOCKS5 Proxy: Turning Victims into Exit Nodes
One of the most impactful new features in this TrickMo variant is the integrated SOCKS5 proxy. This turns the infected device into a network exit node that routes malicious traffic from anywhere on the internet. The proxy is authenticated, meaning only the attacker can use it, but the traffic appears to originate from the victim’s IP address.
Why does this matter for fraud detection? Many banking and cryptocurrency platforms use IP-based risk scoring. A login attempt from a known proxy server or a data centre IP address may trigger additional verification steps. But a login attempt originating from a residential IP address — one belonging to an actual person’s mobile device — passes those checks easily. The SOCKS5 proxy allows attackers to route their malicious sessions through the victim’s device, bypassing IP-based fraud detection entirely.
Consider a threat intelligence analyst tracking this campaign. They would observe that fraudulent transactions and account takeovers appear to originate from legitimate mobile IPs across France, Italy, and Austria. The victims themselves may not even realise their devices are being used as proxies. The device’s owner might notice slightly slower performance or higher data usage, but these symptoms are easy to dismiss as normal Android behaviour.
Network Pivoting and Lateral Movement
The combination of SOCKS5 proxying and SSH tunnelling enables a technique known as network pivoting. The attacker compromises a single device, then uses that device as a jumping-off point to reach other systems that would otherwise be inaccessible. For example, a bank employee’s personal phone infected with TrickMo connects to the corporate Wi-Fi during lunch. The attacker now has a toehold inside the corporate network. From there, they can probe internal servers, attempt lateral movement, and escalate privileges — all while appearing to originate from a legitimate mobile device.
For security teams, detecting this kind of activity requires monitoring internal traffic flows, not just perimeter traffic. A device performing DNS lookups for internal hostnames or initiating connections to internal servers may indicate compromise. Endpoint detection agents on mobile devices — where they exist — can flag the presence of the SOCKS5 listener or the TON proxy process.
Dormant Features Signal Future Intentions
ThreatFabric’s analysis revealed two dormant features bundled within the malware but not yet implemented. The first is the Pine hooking framework, which allows runtime manipulation of Android applications. The second is a set of extensive NFC-related permissions. Neither feature is active in the current variant, but their presence indicates the developers are exploring new attack vectors.
NFC permissions could enable contactless payment interception or relay attacks. An infected device placed near a payment terminal could capture transaction data or inject fraudulent authorisations. The Pine framework could allow the malware to hook into Android system processes at a deeper level, potentially reading cryptographic keys or manipulating authentication flows. These capabilities would represent a significant escalation from the current version’s already extensive feature set.
For cybersecurity researchers, dormant code sections like these provide a roadmap of the threat actor’s priorities. The developers are likely testing and refining these features in controlled environments before releasing them in a future update. Security teams should monitor for any indications that these dormant modules have been activated in the wild.
Indicators of Compromise for Detection Teams
What indicators should a SOC team monitor to detect TrickMo infections? Several behavioural signals stand out. First, DNS queries for .adnl hostnames from mobile devices are highly suspicious. Normal Android devices do not resolve .adnl hostnames unless they are running TON-related software. A device that suddenly starts querying these endpoints may be compromised.
Second, the presence of a local SOCKS5 proxy listener on a mobile device is abnormal. Android does not include a built-in SOCKS5 server. Any process listening on a TCP port for SOCKS5 connections should be investigated immediately. The default loopback port used by the TON proxy may also appear in network connection listings.
Third, elevated data usage patterns from mobile devices may indicate that the device is being used as a relay. If a user’s phone suddenly starts transmitting large amounts of data during off-hours, particularly to unexpected destinations, it warrants investigation. Device management platforms can flag these anomalies and trigger automated responses such as quarantining the device from the corporate network.
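As an added example (not code from the article or from ThreatFabric), here is a small Python detector for the first two indicators above: it counts .adnl lookups per client in a constructed resolver log, applies an allowlist of known TON wallet users as the per-device baseline, and classifies the greeting reply of a suspected SOCKS5 listener on a device you administer. The log line format, the client addresses and the placeholder hostnames are assumptions.

```python
import socket
from collections import Counter
# Constructed sample resolver log (not from the article); assumed line format:
# "<timestamp> <client-ip> <query-name> <qtype>"
SAMPLE_DNS_LOG = """\
2026-02-03T12:00:01Z 10.20.0.15 api.example-video.com A
2026-02-03T12:00:07Z 10.20.0.15 c2-placeholder.adnl A
2026-02-03T12:00:09Z 10.20.0.15 c2-placeholder.adnl A
2026-02-03T12:01:12Z 10.20.0.15 update-placeholder.ADNL. A
2026-02-03T12:02:30Z 10.20.0.42 mail.example.com MX
2026-02-03T12:03:00Z 10.20.0.77 wallet-placeholder.adnl A
malformed line
"""
def parse_dns_log(text):
    """Yield (timestamp, client, qname) with qname lower-cased, root dot stripped; skip bad lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 3:
            yield parts[0], parts[1], parts[2].lower().rstrip(".")

def adnl_queries_by_client(text):
    """Count lookups of TON overlay (.adnl) names per client address."""
    counts = Counter()
    for _, client, qname in parse_dns_log(text):
        if qname.endswith(".adnl"):
            counts[client] += 1
    return counts

def flag_clients(text, known_ton_users=frozenset(), min_queries=1):
    """Clients with >= min_queries .adnl lookups, minus allowlisted TON wallet users."""
    return {c: n for c, n in adnl_queries_by_client(text).items()
            if c not in known_ton_users and n >= min_queries}

# SOCKS5 (RFC 1928) method-selection reply: version 0x05, then the chosen method.
SOCKS5_METHODS = {0x00: "no-auth", 0x02: "username/password", 0xFF: "no acceptable method"}
def classify_socks5_reply(reply):
    """Name the auth method in a 2-byte SOCKS5 greeting reply, or None if not SOCKS5."""
    if len(reply) != 2 or reply[0] != 0x05:
        return None
    return SOCKS5_METHODS.get(reply[1], "unknown method 0x%02x" % reply[1])

def probe_socks5(host, port, timeout=2.0):
    """Greet a listener on a device you administer (no-auth and user/pass offered); None if closed or not SOCKS5."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(b"\x05\x02\x00\x02")
            return classify_socks5_reply(s.recv(2))
    except OSError:
        return None
```

A reply naming username/password authentication on a phone that runs no proxy software matches the authenticated listener the article describes and is worth escalating.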
Practical Detection Steps
For organisations with Android device fleets, several practical steps can reduce the risk. First, restrict installation to approved app sources only. Google Play Protect should remain enabled, and sideloading should be disabled where possible. Second, use mobile device management tools to enforce security policies and monitor accessibility service usage. Any app that activates accessibility services without explicit IT approval should trigger an alert.
Third, deploy network detection tools that can identify TON overlay traffic. While TON traffic is designed to blend in, the volume and pattern of .adnl queries may still stand out when compared to baseline device behaviour. Fourth, educate users about the risks of installing apps from social media advertisements. The modded TikTok lures are targeted and convincing, but awareness can prevent many infections from occurring.
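One way to implement the second step, as an added example that is not part of the article: on a managed device, the enabled accessibility services can be read with `adb shell settings get secure enabled_accessibility_services`, which returns colon-separated `package/class` component names. The function below parses that value and reports services whose package is not on an IT-approved list. The sample setting value and the approved package list are constructed; the TrickMo package name is the one quoted earlier in the article.

```python
# Constructed sample output of
#   adb shell settings get secure enabled_accessibility_services
# (not from the article). Android stores the list as ':'-separated
# ComponentName strings of the form "package/class".
SAMPLE_SETTING = (
    "com.android.talkback/com.google.android.marvin.talkback.TalkBackService:"
    "com.app16330.core20461/.AccessibilityService"
)
# Hypothetical IT-approved packages; anything else that is enabled gets alerted on.
APPROVED_PACKAGES = frozenset({"com.android.talkback"})

def parse_enabled_services(value):
    """Split the setting into (package, class) pairs; None, '' or 'null' means none enabled."""
    value = (value or "").strip()
    if value in ("", "null"):
        return []
    pairs = []
    for component in value.split(":"):
        pkg, _, cls = component.partition("/")
        if cls.startswith("."):
            cls = pkg + cls  # Android shorthand for a class in the package's own namespace
        pairs.append((pkg, cls))
    return pairs

def unapproved_services(value, approved=APPROVED_PACKAGES):
    """Enabled accessibility services whose package is not on the approved list."""
    return [(p, c) for p, c in parse_enabled_services(value) if p not in approved]
```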
For cybersecurity researchers investigating blockchain-based C2, the TrickMo variant provides a compelling case study in how decentralised infrastructure can frustrate conventional defence. The combination of TrickMo, TON and SOCKS5 is not an isolated experiment. It represents a broader trend where malware operators adopt the same technologies that privacy advocates and decentralised finance enthusiasts use. The tools themselves are neutral; their application determines the outcome.
The evolution from a banking trojan focused on OTP theft to a programmable network pivot capable of reconnaissance, tunnelling, and proxying signals a shift in how mobile malware is designed. Future variants will likely build on this architecture, adding the dormant features currently waiting in the codebase. Security teams that understand this trajectory today will be better prepared for the threats that emerge tomorrow.