Modern Android banking malware is undergoing a quiet, dangerous revolution. Rather than flashing new user-facing tricks, threat actors are focusing on massive architectural overhauls designed to evade detection and solidify their grip on compromised devices.
According to a recent report by ThreatFabric’s Mobile Threat Intelligence Team, a new variant of the TrickMo banking trojan has surfaced, and it’s built for survival. As the researchers state, “Variant C is, in our assessment, not a capability rewrite but a substantial platform redesign”.
The most significant upgrade to this TrickMo variant is its complete departure from the conventional internet for command-and-control (C2) operations. The malware has migrated its primary communication channel to The Open Network (TON), a decentralized peer-to-peer overlay network.
By utilizing an embedded local TON proxy running on the device, TrickMo addresses all outbound C2 requests to opaque .adnl hostnames. For defenders relying on traditional perimeter defenses, this presents a severe visibility gap.
Traditional domain takedowns are largely ineffective because the operator’s endpoints do not rely on the public DNS hierarchy. Instead, endpoints exist as identities resolved entirely inside the TON overlay.
Furthermore, traffic-pattern detection at the network edge sees only encrypted TON traffic, which cannot be told apart from the traffic of legitimate TON-enabled applications.
TrickMo is no longer just a credential stealer; it has evolved into a powerful network beachhead. Through a dynamically loaded module (dex.module), the malware introduces a highly capable suite of network reconnaissance and tunneling tools.
These new features allow infected devices to function as deep-cover operatives within whatever network they are connected to:
- The malware can execute network probes using commands like curl, ping, dnslookup, and traceroute directly from the victim’s vantage point, exposing internal corporate or home networks.
- It features an embedded SSH client capable of both local and remote port forwarding.
- It implements an authenticated SOCKS5 proxy, which effectively “turns the infected handset into a per-request-routed network exit node”.
By routing malicious traffic through the victim’s device, threat actors ensure their outbound connections appear to originate from the victim’s own IP address, effectively bypassing IP-based fraud-detection heuristics used by banks and crypto exchanges.
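The SOCKS5 handshake that makes the handset an exit node is a fixed, well-documented exchange (RFC 1928 greeting and request, RFC 1929 username/password sub-negotiation), which is useful to a defender because a phone should never be on the server side of it. The parser below is an added example written for this page, not ThreatFabric's or TrickMo's code: it walks the client-to-server bytes of one session and flags an authenticated CONNECT terminating on a handset. The two byte captures are constructed, and whether the server-side IP belongs to a handset is assumed to come from an asset inventory.

```python
"""Parse the client half of a SOCKS5 session (RFC 1928 greeting and request,
RFC 1929 username/password sub-negotiation) from a captured byte stream and
flag authenticated CONNECT sessions being served by a handset.

The sample captures below are constructed for this example."""
import ipaddress
import struct

SOCKS_VERSION = 0x05
AUTH_NONE, AUTH_USERPASS = 0x00, 0x02
CMD_NAMES = {0x01: "CONNECT", 0x02: "BIND", 0x03: "UDP_ASSOCIATE"}
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04


def parse_client_stream(data: bytes) -> dict:
    """Return the auth methods offered, the RFC 1929 username (if any) and
    the request target for one client->server SOCKS5 byte stream.
    Raises ValueError on anything that is not well-formed SOCKS5."""
    if len(data) < 2 or data[0] != SOCKS_VERSION:
        raise ValueError("not a SOCKS5 greeting")
    nmethods = data[1]
    methods = list(data[2:2 + nmethods])
    if len(methods) != nmethods:
        raise ValueError("truncated greeting")
    pos = 2 + nmethods
    record = {"methods": methods, "username": None}

    # RFC 1929 sub-negotiation carries its own version byte, 0x01, so it is
    # distinguishable from the request that follows (which starts with 0x05).
    if pos < len(data) and data[pos] == 0x01:
        ulen = data[pos + 1]
        uname = data[pos + 2:pos + 2 + ulen]
        plen = data[pos + 2 + ulen]
        pos = pos + 3 + ulen + plen          # skip over the password bytes
        record["username"] = uname.decode("utf-8", "replace")

    # Request: VER CMD RSV ATYP DST.ADDR DST.PORT
    if pos + 4 > len(data) or data[pos] != SOCKS_VERSION:
        raise ValueError("missing or malformed request")
    cmd, atyp = data[pos + 1], data[pos + 3]
    pos += 4
    if atyp == ATYP_IPV4:
        host, pos = str(ipaddress.IPv4Address(data[pos:pos + 4])), pos + 4
    elif atyp == ATYP_DOMAIN:
        n = data[pos]
        host, pos = data[pos + 1:pos + 1 + n].decode("ascii", "replace"), pos + 1 + n
    elif atyp == ATYP_IPV6:
        host, pos = str(ipaddress.IPv6Address(data[pos:pos + 16])), pos + 16
    else:
        raise ValueError(f"unknown ATYP {atyp:#04x}")
    if pos + 2 > len(data):
        raise ValueError("truncated port")
    (port,) = struct.unpack("!H", data[pos:pos + 2])
    record.update(command=CMD_NAMES.get(cmd, f"0x{cmd:02x}"), host=host, port=port)
    return record


def assess(record: dict, server_is_handset: bool) -> str:
    """A phone on a corporate or home network has no business serving a
    proxy; an authenticated CONNECT terminating on one is the exit-node
    pattern described above. 'server_is_handset' is assumed to come from
    the asset inventory (device fingerprinting is out of scope here)."""
    if not server_is_handset:
        return "info: SOCKS5 served by infrastructure host"
    if record["username"] is not None and record["command"] == "CONNECT":
        return "ALERT: authenticated SOCKS5 CONNECT served by handset"
    return "WARN: SOCKS5 handshake served by handset"


# Constructed: the operator authenticates to the handset proxy and asks it
# to CONNECT to an exchange API on port 443.
SAMPLE_AUTH_CONNECT = (
    bytes([SOCKS_VERSION, 2, AUTH_NONE, AUTH_USERPASS])
    + bytes([0x01, 5]) + b"alice" + bytes([8]) + b"hunter2!"
    + bytes([SOCKS_VERSION, 0x01, 0x00, ATYP_DOMAIN, 20]) + b"api.exchange.example"
    + struct.pack("!H", 443)
)
# Constructed: unauthenticated CONNECT to an IPv4 host on port 22.
SAMPLE_NOAUTH_CONNECT = (
    bytes([SOCKS_VERSION, 1, AUTH_NONE])
    + bytes([SOCKS_VERSION, 0x01, 0x00, ATYP_IPV4, 10, 0, 0, 5])
    + struct.pack("!H", 22)
)

if __name__ == "__main__":
    for sample in (SAMPLE_AUTH_CONNECT, SAMPLE_NOAUTH_CONNECT):
        rec = parse_client_stream(sample)
        print(rec, "->", assess(rec, server_is_handset=True))
```

In a real deployment the bytes would come from a flow reassembled by an IDS or a proxy log, and the handset check would key off the MDM or DHCP inventory; the value of the parser is that it pulls out the username and CONNECT target, which is exactly what an investigator needs to pivot from the handset to the fraud target.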
Interestingly, TrickMo is packing gear it hasn’t even used yet. The developers have included the Pine hooking framework—used in previous variants for intercepting network calls—but have left it completely idle in the static codebase.
Similarly, the malware aggressively requests extensive NFC permissions—including preferred-payment-information and transaction-event access—without actually executing any NFC-related code.
This calculated restraint suggests the operators are “preparing the platform for future runtime-delivered features without committing those capabilities directly into the current codebase”. Requesting the permissions up front lets the attackers inventory which infected devices already hold NFC payment access, and so quietly map out viable targets for future hot-pushed payloads.
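Two of the indicators above are cheap to check statically in a decoded APK: the .adnl C2 hostnames that the TON proxy resolves inside the overlay, and NFC payment permissions that are requested while no NFC code is present. The triage script below is an added example written for this page, not ThreatFabric's tooling. It assumes an apktool-style decoded AndroidManifest.xml and a `strings` dump of the DEX files; the manifest, the string table and the .adnl hostname in it are constructed, and the mapping of the report's “preferred-payment-information and transaction-event access” to the `android.permission.NFC_PREFERRED_PAYMENT_INFO` and `android.permission.NFC_TRANSACTION_EVENT` permissions is this example's assumption.

```python
"""Static triage of a decoded Android app for the indicators discussed above:
NFC payment permissions requested without any android.nfc code, .adnl (TON
overlay) hostnames, and the secondary DEX module name.

The manifest and string table below are constructed for this example."""
import re
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
# Assumed mapping of the report's NFC permission description to SDK names.
NFC_PERMISSIONS = {
    "android.permission.NFC",
    "android.permission.NFC_TRANSACTION_EVENT",
    "android.permission.NFC_PREFERRED_PAYMENT_INFO",
}
# Assumption: .adnl hostnames appear as a single dotted token in the strings.
ADNL_HOST_RE = re.compile(r"\b[A-Za-z0-9._-]+\.adnl\b")

# Constructed manifest in the form apktool emits (not a real sample).
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.videoapp">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.NFC"/>
    <uses-permission android:name="android.permission.NFC_TRANSACTION_EVENT"/>
    <uses-permission android:name="android.permission.NFC_PREFERRED_PAYMENT_INFO"/>
    <application android:label="Live Stream">
        <service android:name=".TunnelService"/>
    </application>
</manifest>
"""

# Constructed string table (what `strings` over classes.dex might yield).
# The .adnl hostname is made up for this example.
SAMPLE_STRINGS = """
https://cdn.example-streaming.invalid/update
http://vcrmqvvpb4h3mgwfwaktqm7r4fqwpvu7nkxdlbxdzxffq3vfgrza.adnl/api/v1/beat
dex.module
Ljava/net/Socket;
"""


def manifest_permissions(manifest_xml: str) -> set:
    """Collect every android:name on a <uses-permission> element."""
    root = ET.fromstring(manifest_xml)
    return {el.get(f"{{{ANDROID_NS}}}name") for el in root.iter("uses-permission")}


def find_adnl_hosts(text: str) -> list:
    """Return the distinct .adnl hostnames found in a string dump."""
    return sorted(set(ADNL_HOST_RE.findall(text)))


def triage(manifest_xml: str, strings_blob: str) -> list:
    """Return human-readable findings; an empty list means no indicator hit."""
    findings = []
    nfc_perms = manifest_permissions(manifest_xml) & NFC_PERMISSIONS
    # Dalvik descriptors for the NFC API all start with Landroid/nfc/;
    # a permission with no such reference is the "idle gear" pattern.
    uses_nfc_api = "Landroid/nfc/" in strings_blob
    if nfc_perms and not uses_nfc_api:
        findings.append("NFC permissions requested but no android.nfc references: "
                        + ", ".join(sorted(nfc_perms)))
    hosts = find_adnl_hosts(strings_blob)
    if hosts:
        findings.append("TON overlay (.adnl) C2 hostname(s): " + ", ".join(hosts))
    if "dex.module" in strings_blob:
        findings.append("secondary DEX module name present: dex.module")
    return findings


if __name__ == "__main__":
    for line in triage(SAMPLE_MANIFEST, SAMPLE_STRINGS):
        print("[!]", line)
```

The NFC check is deliberately conservative: it only fires when the permission is declared and the `android.nfc` package is absent from the string table, because a legitimate wallet app declares the same permissions and also references the API. The .adnl regex will not catch hostnames that are assembled at runtime, so treat a miss as inconclusive rather than clean.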
Currently, this new variant is actively distributed in campaigns aimed at banking and wallet users across France, Italy, and Austria. Many of these infections are driven by social engineering, with the dropper applications masquerading as TikTok or live-streaming platforms.