Android Banking Trojan TrickMo Evolves: Exploits TON Blockchain and SOCKS5 Proxies for Stealthy Network Attacks

BREAKING: New TrickMo Variant Leverages TON and SOCKS5 to Bypass Defenses

Cybersecurity researchers have uncovered a dangerous evolution of the TrickMo Android banking trojan. The new variant uses The Open Network (TON) for command-and-control (C2) communications and runs a SOCKS5 proxy on the infected phone to create hidden network pivots, significantly expanding what a compromised device can be used for.

Source: feeds.feedburner.com

ThreatFabric analysts detected the active campaign between January and February 2026. The malware is currently targeting users of banking apps and cryptocurrency wallets in France, Italy, and Austria.

"TrickMo now relies on a runtime-loaded APK (dex.module) that dynamically executes malicious code, making detection far more challenging," said a ThreatFabric senior researcher. "The integration of TON blockchain for C2 is a first for this trojan family."

How the Attack Works

Once installed (often via SMS phishing or fake app stores), TrickMo asks the victim to grant it Accessibility Service access, which lets it read screen contents and inject input on the device. It then downloads and loads the dex.module, which connects to TON blockchain nodes to receive encrypted C2 commands.

The trojan simultaneously establishes a SOCKS5 proxy tunnel on the infected device. This tunnel allows attackers to route traffic through the victim's phone, effectively turning it into a network pivot for attacks on other devices.

"By using SOCKS5, TrickMo can hide its source while launching secondary attacks against corporate networks or other victims," explained the researcher. "This greatly increases the potential damage."

Background

TrickMo emerged in 2020 as a banking trojan focused on German and Turkish banks. Over time, it evolved to target over 100 financial apps globally.

The use of The Open Network (TON) for C2 is a significant departure from traditional centralized servers. Because TON is decentralized, there is no single hosting provider or registrar that can take the C2 channel down, so the operators keep a reachable channel to infected devices.

SOCKS5 proxy capabilities have been seen in other malware (e.g., Emotet), but this is the first time they are combined with blockchain-based C2 in a mobile trojan. This dual technique allows attackers to remain anonymous while expanding their reach beyond the infected phone.

What This Means

For Android users, especially those in France, Italy, and Austria, this means a heightened risk of device takeover. The trojan can steal two-factor authentication codes, read SMS messages, and initiate fraudulent banking transactions from the compromised device.

Security teams should monitor network traffic for unusual SOCKS5 proxy connections and blockchain node interactions. Static scanning of the installed APK may miss the dex.module, since the malicious code is only present after it is downloaded and loaded at runtime.
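One way to act on the SOCKS5 part of that advice is to look for the SOCKS5 negotiation itself (RFC 1928, plus the RFC 1929 username/password sub-negotiation) in the first bytes of each TCP flow, rather than relying on port 1080. The script below is an added example, not ThreatFabric code and not derived from TrickMo samples; the 10.20.0.0/24 managed-phone range and the three sample flows are constructed for illustration. A phone that accepts a SOCKS5 handshake is the pivot scenario the report describes; a phone that speaks SOCKS5 outbound to an external relay is flagged at lower severity.

```python
"""Flag TCP flows that carry a SOCKS5 handshake (RFC 1928 / RFC 1929).

Added detection example, not ThreatFabric code. It inspects the first bytes
of each direction of a reassembled flow and reports the proxied destination.
The 10.20.0.0/24 managed-mobile range and the sample flows are constructed.
"""
import ipaddress
import struct

SOCKS_VERSION = 0x05
METHOD_NO_AUTH, METHOD_USERPASS, METHOD_REJECT = 0x00, 0x02, 0xFF
CMD_NAMES = {0x01: "CONNECT", 0x02: "BIND", 0x03: "UDP_ASSOCIATE"}
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04

# Assumption: address range of MDM-enrolled phones; adjust for your estate.
MOBILE_NET = ipaddress.ip_network("10.20.0.0/24")


def parse_greeting(data):
    """Client greeting: VER NMETHODS METHODS. Returns (methods, consumed) or None."""
    if len(data) < 2 or data[0] != SOCKS_VERSION:
        return None
    nmethods = data[1]
    if nmethods == 0 or len(data) < 2 + nmethods:
        return None
    return tuple(data[2:2 + nmethods]), 2 + nmethods


def parse_request(data):
    """Client request: VER CMD RSV ATYP DST.ADDR DST.PORT. Returns (cmd, host, port) or None."""
    if len(data) < 4 or data[0] != SOCKS_VERSION or data[2] != 0x00:
        return None
    cmd, atyp = data[1], data[3]
    if cmd not in CMD_NAMES:
        return None
    if atyp == ATYP_IPV4:
        addr_end = 8
        host = str(ipaddress.IPv4Address(data[4:8])) if len(data) >= 10 else None
    elif atyp == ATYP_IPV6:
        addr_end = 20
        host = str(ipaddress.IPv6Address(data[4:20])) if len(data) >= 22 else None
    elif atyp == ATYP_DOMAIN and len(data) >= 5:
        addr_end = 5 + data[4]
        host = data[5:addr_end].decode("ascii", "replace") if len(data) >= addr_end + 2 else None
    else:
        return None
    if not host:
        return None
    port = struct.unpack("!H", data[addr_end:addr_end + 2])[0]
    return CMD_NAMES[cmd], host, port


def detect_socks5(c2s, s2c):
    """Match a full SOCKS5 negotiation across both directions of one flow."""
    greeting = parse_greeting(c2s)
    if greeting is None or len(s2c) < 2 or s2c[0] != SOCKS_VERSION:
        return None
    methods, off = greeting
    chosen = s2c[1]
    if chosen == METHOD_REJECT:
        # Server answered the greeting but rejected every method: still a SOCKS5 server.
        return {"command": "REJECTED", "dest_host": "", "dest_port": 0, "auth": methods}
    if chosen not in methods:
        return None
    if chosen == METHOD_USERPASS:
        # RFC 1929 sub-negotiation: VER ULEN UNAME PLEN PASSWD, answered by VER STATUS.
        if len(c2s) < off + 3 or c2s[off] != 0x01:
            return None
        ulen = c2s[off + 1]
        if len(c2s) < off + 3 + ulen:
            return None
        plen = c2s[off + 2 + ulen]
        off += 3 + ulen + plen
        if len(s2c) < 4 or s2c[2] != 0x01:
            return None
    req = parse_request(c2s[off:])
    if req is None:
        return None
    command, host, port = req
    return {"command": command, "dest_host": host, "dest_port": port, "auth": methods}


def scan_flows(flows):
    """Return findings for flows whose payload starts with a SOCKS5 negotiation."""
    findings = []
    for flow in flows:
        match = detect_socks5(flow["c2s"], flow["s2c"])
        if match is None:
            continue
        src = ipaddress.ip_address(flow["src"])
        dst = ipaddress.ip_address(flow["dst"])
        # A phone *accepting* SOCKS5 is the pivot scenario; a phone speaking SOCKS5
        # outbound (reverse proxy to an operator relay) is still worth a look.
        if dst in MOBILE_NET:
            severity = "high"
        elif src in MOBILE_NET:
            severity = "medium"
        else:
            severity = "low"
        findings.append({"src": flow["src"], "dst": flow["dst"], "severity": severity, **match})
    return findings


# Constructed sample flows (not real captures). c2s/s2c are the first bytes of each direction.
SAMPLE_FLOWS = [
    {   # external host -> phone:1080, no-auth, CONNECT to an internal server 192.168.1.10:443
        "src": "203.0.113.7", "dst": "10.20.0.45",
        "c2s": b"\x05\x01\x00" + b"\x05\x01\x00\x01\xc0\xa8\x01\x0a\x01\xbb",
        "s2c": b"\x05\x00" + b"\x05\x00\x00\x01\x00\x00\x00\x00\x00\x00",
    },
    {   # phone -> bank over TLS: ordinary ClientHello, must not match
        "src": "10.20.0.45", "dst": "198.51.100.20",
        "c2s": b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1\x03\x03",
        "s2c": b"\x16\x03\x03\x00\x7a\x02\x00\x00\x76\x03\x03",
    },
    {   # phone -> external relay:1080, username/password, CONNECT to example.com:80
        "src": "10.20.0.45", "dst": "198.51.100.99",
        "c2s": b"\x05\x02\x00\x02" + b"\x01\x01u\x01p"
               + b"\x05\x01\x00\x03\x0bexample.com\x00\x50",
        "s2c": b"\x05\x02" + b"\x01\x00",
    },
]

if __name__ == "__main__":
    for f in scan_flows(SAMPLE_FLOWS):
        print(f"{f['severity']:6} {f['src']} -> {f['dst']}: SOCKS5 {f['command']} "
              f"{f['dest_host']}:{f['dest_port']} (auth methods {f['auth']})")
```

In practice the `c2s`/`s2c` bytes come from a flow reassembler (Zeek, Suricata or a pcap reader); only the first few dozen bytes of each direction are needed, so this check is cheap enough to run on all flows touching the mobile range rather than only on port 1080. A TLS ClientHello, HTTP request or plain TCP banner never starts with 0x05 followed by a plausible method list and a matching server selection, which is what keeps the false-positive rate low.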

"Financial institutions must update their fraud detection systems to account for this new pivot technique," the ThreatFabric researcher warned. "The combination of TON and SOCKS5 effectively creates a mobile botnet capable of attacking both smartphones and linked enterprise networks."

Immediate Recommendations

  • Disable installation of apps from unknown sources.
  • Review Accessibility Service permissions regularly.
  • Deploy enterprise mobile threat defense (MTD) solutions.
  • Enable network anomaly detection for SOCKS5 traffic.

The full technical report from ThreatFabric is available to subscribers. Users in the targeted regions are advised to remain vigilant and avoid clicking on suspicious SMS links or downloading unofficial APK files.
