TrickMo, a long-standing Android banking malware, has evolved with a new variant labeled 'Trickmo.C' targeting users across Europe. Disguised as popular applications like TikTok, the malware aims to steal sensitive banking credentials and cryptocurrency wallet data. This version introduces sophisticated evasion techniques, including the use of The Open Network (TON) for decentralized command-and-control (C2) communications.
By leveraging .ADNL addresses and an embedded TON proxy, the malware obscures its server infrastructure, making traditional domain takedowns and traffic analysis significantly harder. In addition to its core capabilities like screen recording and SMS interception, the new variant adds advanced networking tools such as SSH tunneling and SOCKS5 proxy support, marking a significant step up in its operational complexity.
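The capability set described above (SMS interception, screen content capture, an outbound network path to a hidden C2) shows up in an app's manifest before any traffic is seen, which is where a defender can triage a lookalike app cheaply. The following Python script is an added example, not code from the article or from any TrickMo sample: it parses a constructed AndroidManifest.xml and flags permission combinations that a banking trojan needs but an ordinary media app does not. The finding labels and the two sample manifests are my own assumptions; the permission names are real Android permissions.

```python
"""Static triage of an Android manifest for the permission pattern a
banking trojan needs (illustrative heuristic, not a TrickMo signature)."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME = f"{{{ANDROID_NS}}}name"
PERMISSION = f"{{{ANDROID_NS}}}permission"

# Real Android permission names, grouped by what they let an app do.
NETWORK = {"android.permission.INTERNET"}
SMS = {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS"}
OVERLAY = {"android.permission.SYSTEM_ALERT_WINDOW"}
CAPTURE = {"android.permission.CAMERA", "android.permission.RECORD_AUDIO"}
ACCESSIBILITY = "android.permission.BIND_ACCESSIBILITY_SERVICE"


def parse_manifest(xml_text):
    """Return (requested permissions, whether an accessibility service is declared)."""
    root = ET.fromstring(xml_text)
    perms = {el.get(NAME) for el in root.iter("uses-permission")}
    # An accessibility service can read and record on-screen content of other apps.
    has_a11y = any(el.get(PERMISSION) == ACCESSIBILITY for el in root.iter("service"))
    return perms, has_a11y


def triage(xml_text):
    """Return finding labels (assumed names) for combinations worth a closer look.

    Each rule pairs a data-collection capability with an exfiltration path or
    a phishing primitive; camera/mic alone is not flagged, since a genuine
    media app legitimately needs it.
    """
    perms, has_a11y = parse_manifest(xml_text)
    findings = []
    online = bool(perms & NETWORK)
    if online and perms & SMS:
        findings.append("sms-access-with-network")     # OTP interception + exfil path
    if online and has_a11y:
        findings.append("accessibility-with-network")  # screen content capture + exfil path
    if perms & OVERLAY and perms & SMS:
        findings.append("overlay-plus-sms")            # overlay phishing with OTP capture
    return findings


# Constructed manifests for demonstration (not taken from any real app or sample).
LOOKALIKE = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.fake.video">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <application>
    <service android:name=".A11y"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
  </application>
</manifest>"""

CAMERA_APP = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.plain.camera">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <application/>
</manifest>"""

if __name__ == "__main__":
    for label, manifest in (("lookalike", LOOKALIKE), ("plain camera app", CAMERA_APP)):
        print(f"{label}: {triage(manifest) or 'no findings'}")
```

Run it against a decoded manifest (for example the output of `apktool d` or `aapt dump xmltree`, converted to text XML) to get a first-pass ranking of sideloaded or newly installed apps; a hit is a reason to look at traffic and code, not a verdict on its own.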
Top comments (1)
The TON-C2 shift is the part that should really unsettle defenders. Once you've moved the control plane off DNS + HTTPS-to-a-managed-cloud, the entire takedown playbook (registrar action, CDN ban, hosting provider abuse desk) loses purchase. Indicator-based defense gets harder when there's no domain to seize and no IP to blackhole — the .ADNL address space behaves more like a content-addressed mesh than a hierarchy.
The other half worth calling out: the malware is imitating a popular media app (TikTok). Surveillance-capable apps (camera, mic, screen capture) make perfect malware payloads because the permission prompts are already plausible to the user — "of course a TikTok-shaped app wants camera and storage." That's the same permission surface a legit security-camera or streaming app needs, which puts every honest builder in this niche right next to the worst-case offenders in the user's mental model.
The defense angle I keep coming back to as a builder: zero outbound network egress + open binary + Google's new Binary Transparency log. If a camera/streaming app has nothing to phone home to, there's no C2 to attribute, no infrastructure to seize, and the binary is byte-attested at the Play Store level so a swapped APK is detectable. I built Background Camera RemoteStream on those constraints — recordings stay on-device, the remote-view feed is over an embedded LAN-only HTTP server, and the only optional network edge is YouTube Live ingest (RTMP to youtube.com, no relay we control). Nothing to hijack, nothing in a C2 graph: play.google.com/store/apps/details...
Thanks for the writeup — the .ADNL + SOCKS5 combo specifically is a useful new IoC pattern to file away.