TrickMo Android Malware Upgrades with TON Blockchain for Stealthy C2
New TrickMo Variant Uses TON Blockchain to Mask Command-and-Control Traffic
Security researchers have uncovered a new variant of the TrickMo Android banking trojan that leverages The Open Network (TON) blockchain to obfuscate its command-and-control (C2) communications. The upgraded malware, currently targeting users across Europe, introduces novel commands designed to evade traditional detection methods.
“This is a major evolution for TrickMo,” said Jane Doe, senior threat analyst at CyberDefense Labs. “By adopting TON, the attackers are using blockchain technology to hide their tracks in a way we haven’t seen before in Android banking malware.”
The new variant spreads through deceptive SMS messages and infected app downloads. Once installed, it can steal banking credentials, intercept one-time passwords (OTPs), and remotely control infected devices.
Background
TrickMo first emerged in 2019 as a banking trojan targeting German users, later expanding across Europe. Previous versions relied on traditional HTTP or HTTPS servers for C2, which made them easier to take down. The shift to the TON blockchain relies on decentralized nodes, making takedown nearly impossible and significantly complicating network-based detection.
The TON blockchain provides a public, distributed ledger where attackers can hide C2 instructions within regular transactions. This approach allows the malware to blend in with legitimate blockchain activity, avoiding signature-based and heuristics-based security tools.
New capabilities in this variant include automated money transfers, keylogging for credential theft, and real-time OTP harvesting. A full list of observed new commands is below:

- Remote Account Takeover – automatically transfers funds from the infected device
- Keylogging – records every keystroke to capture login credentials
- OTP Harvesting – intercepts one-time passwords from SMS messages
- Device Lock – locks the screen and demands ransom payment
What This Means
The adoption of blockchain for C2 represents a paradigm shift in mobile malware. Security teams must now monitor blockchain activity, which is more complex and resource-intensive than traditional network monitoring. Users are urged to avoid sideloading apps and to verify any SMS links received unexpectedly.
“The use of TON shows threat actors are always innovating,” added John Smith, CTO of MobileSec. “We need to update our detection strategies accordingly, incorporating blockchain transaction analysis alongside conventional endpoint protections.”
This development underscores the urgent need for mobile security awareness and robust multi-factor authentication. Financial institutions in particular should review their fraud detection systems to account for blockchain-based malware evasion techniques.