TrickMo Android banker adopts TON blockchain for covert comms

DEV Community·Mark0·21 days ago

TrickMo, a long-standing Android banking malware, has evolved with a new variant labeled 'Trickmo.C' targeting users across Europe. Disguised as popular applications like TikTok, the malware aims to steal sensitive banking credentials and cryptocurrency wallet data. This version introduces sophisticated evasion techniques, including the use of The Open Network (TON) for decentralized command-and-control (C2) communications.

By leveraging .ADNL addresses and an embedded TON proxy, the malware obscures its server infrastructure: an ADNL address is derived from a key pair and resolved over the TON peer-to-peer network rather than through the public DNS, so there is no registrar-controlled domain to seize and the C2 traffic does not show up as ordinary DNS lookups. This makes traditional domain takedowns and traffic analysis significantly harder. In addition to its core capabilities like screen recording and SMS interception, the new variant adds advanced networking tools such as SSH tunneling and SOCKS5 proxy support, marking a significant step up in its operational complexity.
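One practical consequence for defenders is that a device carrying a TON proxy may still leak TON-only names (`.adnl` and `.ton`) into a corporate resolver log when the proxy is misconfigured or an app resolves the name before tunnelling it. The following detection logic is an added example, not code from the article or from the malware; it assumes a simple `timestamp client qname` DNS log format, and that a human-readable ADNL name is 55 lowercase base32 characters (a-z, 2-7) in front of `.adnl`, matching the example addresses in the TON documentation. The sample log lines are constructed.

```python
"""Flag DNS-log hostnames that are only meaningful through a TON proxy.

Added illustrative detection logic (not from the article or the malware).
Assumptions: a plain `timestamp client qname` DNS log format, and that an
ADNL name is 55 lowercase base32 characters (a-z, 2-7) followed by `.adnl`.
Neither `.adnl` nor `.ton` is delegated in the public DNS root, so any such
query from a managed device is worth a look.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Assumed ADNL shape: 55 base32 characters, then the .adnl pseudo-TLD.
ADNL_RE = re.compile(r"^[a-z2-7]{55}\.adnl\.?$")
# TON DNS names: one or more ordinary labels under the .ton pseudo-TLD.
TON_RE = re.compile(r"^(?:[a-z0-9-]{1,63}\.)+ton\.?$")


@dataclass
class Hit:
    client: str
    qname: str
    reason: str


def classify_qname(qname: str) -> Optional[str]:
    """Return a reason string if the name implies TON/ADNL resolution, else None."""
    q = qname.strip().lower()
    if q.rstrip(".").endswith(".adnl"):
        # A well-formed ADNL address and a malformed .adnl name are both
        # interesting; report them separately so an analyst can triage.
        return "adnl-address" if ADNL_RE.match(q) else "adnl-suffix-malformed"
    if TON_RE.match(q):
        return "ton-dns-name"
    return None


def scan_dns_log(lines: Iterable[str]) -> List[Hit]:
    """Scan `timestamp client qname` lines; skip malformed lines rather than raise."""
    hits: List[Hit] = []
    for line in lines:
        parts = line.split()
        if len(parts) < 3:
            continue
        client, qname = parts[1], parts[2]
        reason = classify_qname(qname)
        if reason:
            hits.append(Hit(client, qname.lower().rstrip("."), reason))
    return hits


# Constructed sample data: a made-up 55-character base32 string, not a real address.
SAMPLE_ADNL = "ab2cd3ef4gh5ij6kl7mn2op3qr4st5uv6wx7yz2ab3cd4ef5gh6ij7k"
SAMPLE_LOG = [
    "2024-09-13T10:00:01Z 10.0.0.12 api.tiktok.example.com",
    f"2024-09-13T10:00:02Z 10.0.0.12 {SAMPLE_ADNL}.adnl",
    "2024-09-13T10:00:03Z 10.0.0.34 wallet.example.ton",
    "2024-09-13T10:00:04Z 10.0.0.56 short.adnl",
    "malformed line",
]

if __name__ == "__main__":
    for hit in scan_dns_log(SAMPLE_LOG):
        print(f"{hit.client}\t{hit.reason}\t{hit.qname}")
```

Running the block over the constructed log reports the ADNL lookup, the `.ton` lookup and the malformed `.adnl` name, and ignores the ordinary hostname. In a real deployment the same classifier would sit behind a SIEM lookup on the resolver's query log; a hit on a managed phone is a reason to pull the device's installed-app list rather than a verdict on its own.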
