TrickMo Android Banking Trojan Moves C2 to TON Blockchain — Decentralised Infrastructure Makes Takedown Near-Impossible

The TrickMo Android banking trojan has been updated to use the Telegram Open Network (TON) blockchain as its command-and-control infrastructure. TON's decentralised architecture means law enforcement cannot seize or sink-hole C2 servers — TrickMo operators gain persistent, censorship-resistant communications regardless of takedowns. The move signals a broader industry shift toward blockchain-based C2 that defenders have limited ability to disrupt at the infrastructure level.

#trickmo #android #banking-trojan #c2 #blockchain #ton-network #mobile-security #infrastructure

TrickMo — the Android banking trojan first identified in 2019 and one of the most persistent mobile financial malware families in operation — has been observed in a new campaign variant using the Telegram Open Network (TON) blockchain for command-and-control communications. The shift is operationally significant: TON’s decentralised architecture removes the single points of failure that law enforcement and security vendors have historically used to disrupt malware C2 infrastructure.

The Infrastructure Change

Traditional malware command-and-control relies on attacker-controlled servers — IP addresses or domains that can be identified, blocked, seized, or sink-holed by authorities or security vendors. TrickMo historically used a combination of direct IP connections and domain-fronting techniques to communicate with its operators.

The TON blockchain variant embeds C2 instructions in TON transaction metadata — specifically within the message payload fields of TON smart contract transactions. Malware instances poll designated wallet addresses on the TON network to retrieve commands, rather than connecting to conventional servers. Because TON is a fully decentralised public blockchain, there is no operator to receive a takedown notice, no server to seize, and no DNS record to null-route. The C2 address is the wallet address; the wallet cannot be “taken down” in any traditional sense.

The same technique was previously observed in the EtherRAT campaign (covered May 3), which used Ethereum transaction input data for C2. TrickMo’s adoption of TON — which has a significantly higher transaction throughput and lower cost than Ethereum — represents a maturation and scaling of the approach.

Capabilities in the New Variant

Beyond the C2 infrastructure change, the updated TrickMo variant retains and extends its established capabilities: overlay attacks rendering fake banking and payment UI over legitimate apps to capture credentials, SMS interception to defeat OTP-based 2FA, accessibility service abuse to read and interact with any on-screen content, screen recording for live credential capture, and the contact-list and application-inventory exfiltration used to profile victims and identify additional targets.

The variant also includes updated banking application target lists for financial institutions in Germany, Spain, Canada, and Turkey, with a new module for intercepting biometric authentication prompts on devices running Android 14 and later.

Defensive Response

The infrastructure shift to blockchain C2 renders some traditional network-based defences less effective, but does not make detection impossible. Practical controls include:

  1. Network-layer controls remain partially effective — mobile security products that block network access for sideloaded or unrecognised applications will prevent the TON polling traffic from being sent, even if they cannot identify the TON network as malicious per se. Enterprise MDM and mobile security solutions should block outbound connections from any application not explicitly approved.

  2. Detect accessibility service abuse — TrickMo’s overlay and credential interception capabilities require Android accessibility service permissions. Enterprise MAM/MDM policies should flag and block applications that request accessibility service permissions unless they are explicitly business-justified.

  3. Do not sideload APKs. TrickMo continues to distribute primarily via sideloaded APKs delivered through smishing and social engineering rather than the Play Store. Enforcing Google Play Protect and preventing APK sideloading on managed Android devices removes the primary distribution vector.

  4. Financial institutions should monitor for overlay attack patterns — unusual transaction confirmation timing, repeated authentication prompts, or user reports of unexpected UI appearing over banking apps are indicators consistent with overlay attack activity.
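As an added illustration of controls 1 to 3 (not code from the original article), the following triage routine runs over a constructed MDM-style app inventory and flags the combination the article describes: sideloaded install, accessibility/overlay/SMS capability, and outbound network use. The inventory fields, package names and the installer allow-list are assumptions.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional

# Constructed map from manifest permissions to the TrickMo capability they enable
# (BIND_ACCESSIBILITY_SERVICE is declared on the app's service, not via <uses-permission>).
RISKY_PERMISSIONS: Dict[str, str] = {
    "android.permission.BIND_ACCESSIBILITY_SERVICE": "accessibility",
    "android.permission.SYSTEM_ALERT_WINDOW": "overlay",
    "android.permission.RECEIVE_SMS": "sms",
    "android.permission.READ_SMS": "sms",
}
TRUSTED_INSTALLERS = frozenset({"com.android.vending"})  # Play Store; anything else is sideloaded

@dataclass(frozen=True)
class AppRecord:
    package: str
    installer: Optional[str]     # None when installed via adb or a file manager
    permissions: FrozenSet[str]
    outbound_network: bool       # app has opened outbound connections

def triage_app(app: AppRecord, approved: FrozenSet[str] = frozenset()) -> Optional[dict]:
    """Return a finding for one app, or None when no action is needed."""
    if app.package in approved:          # explicitly business-justified
        return None
    sideloaded = app.installer not in TRUSTED_INSTALLERS
    caps = {RISKY_PERMISSIONS[p] for p in app.permissions if p in RISKY_PERMISSIONS}
    if sideloaded and "accessibility" in caps and app.outbound_network:
        action = "block"             # controls 1-3 all triggered: TrickMo-like profile
    elif caps and (sideloaded or "accessibility" in caps):
        action = "review"            # control 2: accessibility needs justification
    elif sideloaded:
        action = "restrict-network"  # control 1: no outbound access for unapproved apps
    else:
        return None
    return {"package": app.package, "sideloaded": sideloaded,
            "capabilities": sorted(caps), "action": action}

def triage(inventory: List[AppRecord], approved: FrozenSet[str] = frozenset()) -> List[dict]:
    return [f for f in (triage_app(a, approved) for a in inventory) if f]

# Constructed sample inventory; package names are placeholders, not real indicators.
P = "android.permission."
SAMPLE_INVENTORY = [
    AppRecord("com.example.bank", "com.android.vending", frozenset({P + "INTERNET"}), True),
    AppRecord("com.example.screenreader", "com.android.vending",
              frozenset({P + "BIND_ACCESSIBILITY_SERVICE"}), False),
    AppRecord("com.example.update", None, frozenset({P + "BIND_ACCESSIBILITY_SERVICE",
              P + "SYSTEM_ALERT_WINDOW", P + "RECEIVE_SMS", P + "INTERNET"}), True),
    AppRecord("com.example.game", "com.example.installer", frozenset({P + "INTERNET"}), True),
]
```

Calling `triage(SAMPLE_INVENTORY)` returns a finding per app needing action; pass an `approved` set to suppress apps with a documented accessibility justification.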
