TrickMo Android Trojan Leverages TON Blockchain for Covert C2

TrickMo Android Trojan Leverages TON Blockchain for Covert C2 | Quick Digest
A new variant of the TrickMo Android banking trojan, dubbed 'Trickmo.C', has adopted The Open Network (TON) blockchain for highly stealthy command-and-control communications. This advancement makes the malware's infrastructure significantly harder to detect and dismantle, posing an elevated threat to mobile banking and cryptocurrency users globally.

Key Highlights

  • TrickMo Android banking trojan now uses TON blockchain for C2.
  • TON-based communication makes malware infrastructure highly resilient to takedowns.
  • Malware targets banking and crypto apps in Europe, disguised as TikTok.
  • TrickMo is an evolving threat with extensive data theft capabilities.
  • India's large Android and digital payment user base makes this highly relevant.
  • Users advised to download apps only from official sources and enable Play Protect.

A significant evolution in mobile cybercrime has been identified with the emergence of a new variant of the TrickMo Android banking trojan, designated 'Trickmo.C', which now leverages The Open Network (TON) blockchain for its command-and-control (C2) communications. This development, initially reported by ThreatFabric and highlighted by BleepingComputer, marks a concerning shift towards more resilient and covert malware infrastructure.

TrickMo, first detected in September 2019, has consistently evolved, incorporating sophisticated techniques to evade detection and enhance its malicious capabilities. Researchers from Zimperium, for instance, analyzed 40 variants of the malware in October 2024, highlighting its active development and global reach. The latest 'Trickmo.C' variant has been observed targeting banking and cryptocurrency wallet users across Europe, specifically in France, Italy, and Austria. The malware typically spreads by masquerading as legitimate applications, such as TikTok or streaming apps, tricking users into installation.

The most critical new feature of 'Trickmo.C' is its adoption of TON for C2 communications. Instead of relying on traditional, centrally hosted servers that can be identified and taken down, TrickMo now routes its C2 traffic through .adnl addresses within TON. This is achieved by embedding a local TON proxy on the infected device, which listens on a loopback port. TON, a decentralized peer-to-peer network initially developed for the Telegram ecosystem, identifies endpoints by a 256-bit identifier rather than conventional domain names or IP addresses. This effectively hides the real server infrastructure, making it exceedingly difficult for cybersecurity professionals and law enforcement to identify, block, or dismantle the malware's operational backbone.
Experts emphasize that traditional domain takedowns are largely ineffective against this method because the attacker's endpoints exist as TON .adnl identities resolved within the overlay network itself, independent of the public DNS hierarchy. Furthermore, network traffic analysis struggles to distinguish malicious TON traffic from legitimate TON-enabled applications because the flows are encrypted and look alike. This adoption of blockchain for C2 is part of a broader trend, with other malware families also being observed using decentralized networks to achieve persistent and untraceable communication channels.

Beyond its covert communication, TrickMo remains a highly dangerous banking trojan. Its extensive feature set includes one-time password (OTP) interception, screen recording, keylogging, remote control capabilities, and data exfiltration. It abuses Android's accessibility services to perform overlay attacks, presenting fake login screens over legitimate banking or cryptocurrency applications to steal credentials, and can even capture device PINs or patterns. Earlier variants of TrickMo have been documented to target a wide array of sensitive data, including not just banking and crypto credentials but also information from email, shopping, and social media apps.

The threat of Android banking trojans is particularly acute in India, a country with one of the largest Android user bases and a rapidly expanding digital payments ecosystem. Reports indicate numerous sophisticated malware campaigns specifically targeting Indian banking users, impersonating major banks and government apps to steal financial data, credentials, and OTPs. The advanced evasion techniques now employed by TrickMo, such as blockchain-based C2, make it an even more formidable threat that could significantly impact Indian consumers and financial institutions.
To mitigate the risk of infection, users are strongly advised to download applications only from trusted sources like the Google Play Store and to limit the number of apps installed on their devices. Ensuring that Google Play Protect is active and exercising caution with unknown links or suspicious apps that request extensive permissions are crucial protective measures.

Frequently Asked Questions

What is TrickMo and how does it steal information?

TrickMo is an advanced Android banking trojan that steals sensitive financial information, login credentials, and one-time passwords (OTPs) from victims. It achieves this through various methods including overlay attacks (displaying fake login screens), screen recording, keylogging, and abusing accessibility services to remotely control the device.

What is new about the latest TrickMo variant and why is it significant?

The latest variant, 'Trickmo.C', adopts The Open Network (TON) blockchain for its command-and-control (C2) communications. This is significant because using a decentralized blockchain makes the malware's C2 infrastructure extremely difficult to detect, block, or take down by cybersecurity agencies, enhancing the malware's resilience and longevity.

How does using the TON blockchain make TrickMo harder to stop?

TON is a decentralized peer-to-peer network in which endpoints are addressed by .adnl identities rather than domain names or IP addresses, so there is no central server to target for takedowns. The communication is also encrypted and indistinguishable from other legitimate TON traffic, making it challenging for network monitoring systems to identify and block malicious flows.

Which users are targeted by TrickMo, and is it a threat to users in India?

The latest variant primarily targets banking and cryptocurrency users in Europe (France, Italy, Austria). However, TrickMo has a history of global targeting, and Android banking trojans in general pose a significant and ongoing threat to Indian users due to the country's vast Android user base and widespread digital payment adoption.

What can Android users do to protect themselves from TrickMo and similar malware?

Users should only download apps from official and trusted sources like the Google Play Store. It's crucial to be cautious of suspicious links, emails, or messages, and to ensure Google Play Protect is always active. Limiting the number of installed apps and scrutinizing permissions requested by new apps also helps enhance security.
