TrickMo Android Banker Adopts TON Blockchain for Covert Comms

BleepingComputer, May 11, 2026

Why It Matters

The shift to TON makes detection and takedown far harder, raising the threat level for mobile banking users and security teams worldwide.

Key Takeaways

  • TrickMo.C uses TON .adnl addresses for encrypted C2 traffic.
  • Malware masquerades as TikTok or streaming apps targeting European users.
  • New commands include curl, ping, SSH tunneling, and SOCKS5 proxy.
  • Embedded local TON proxy hides server infrastructure from DNS‑based blocking.
  • ThreatFabric observed 40 variants across 16 droppers in Oct 2024.

Pulse Analysis

Since its first appearance in 2019, the TrickMo Android banking trojan has become one of the most adaptable threats in the mobile malware ecosystem. Early versions relied on conventional HTTP or DNS‑based command‑and‑control servers, but the latest iteration, labeled TrickMo.C by ThreatFabric, has migrated to The Open Network (TON), a decentralized peer‑to‑peer overlay originally tied to the Telegram project. By embedding a lightweight TON proxy on the infected device, the malware can route all instructions through .adnl identifiers, effectively masking the true location of its operators.

The shift to TON dramatically raises the bar for detection and takedown. Unlike traditional domains, .adnl addresses are 256‑bit identifiers resolved inside the TON network, meaning they never appear in public DNS queries and cannot be blocked with standard domain‑filtering tools. Network‑edge sensors only see encrypted TON packets that are indistinguishable from legitimate TON‑enabled applications, rendering signature‑based traffic analysis largely ineffective. In addition to stealth, the new variant equips attackers with a suite of network utilities (curl, ping, SSH tunneling, and a SOCKS5 proxy), allowing real‑time reconnaissance and lateral movement without exposing a separate C2 infrastructure.

For enterprises and financial institutions, the emergence of TON‑based C2 underscores the need for deeper mobile threat hunting and behavior‑based defenses. Endpoint security platforms must monitor anomalous proxy processes, unexpected permission requests such as NFC, and the launch of background services that communicate over non‑standard ports. Users should be reminded to install apps exclusively from Google Play, keep Play Protect enabled, and limit app permissions. As cybercriminals continue to weaponize decentralized networks, collaboration between security vendors, app stores, and regulators will be essential to develop rapid response mechanisms that can isolate and neutralize these hidden command channels.
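A defender-side illustration of the on-device triage heuristics listed above (loopback proxy listener, unexpected NFC permission, background service talking to a non-standard port), added here and not part of the BleepingComputer or ThreatFabric reporting; the telemetry records, the per-category permission baseline and the two-indicator threshold are constructed assumptions.

```python
from dataclasses import dataclass

# Remote ports a video/streaming app is expected to use; anything else used by a
# background service counts as the "non-standard port" indicator from the text.
STANDARD_PORTS = {80, 443}

# Constructed baseline of permissions each app category legitimately needs.
# NFC is absent for "video", so a TikTok look-alike requesting it is unexpected.
CATEGORY_BASELINE = {
    "video": {"INTERNET", "CAMERA", "RECORD_AUDIO"},
    "payment": {"INTERNET", "NFC"},
}

@dataclass(frozen=True)
class AppTelemetry:
    package: str
    category: str
    permissions: frozenset      # permissions the app requested at runtime
    local_listeners: frozenset  # (addr, port) sockets the app is listening on
    service_outbound: frozenset # remote ports its background services connect to

def assess(app: AppTelemetry) -> list:
    """Return the indicators this app trips; an empty list means none found."""
    reasons = []
    # A local TON proxy embedded in the app shows up as a loopback listener.
    if any(addr in ("127.0.0.1", "::1") for addr, _ in app.local_listeners):
        reasons.append("loopback proxy listener")
    unexpected = app.permissions - CATEGORY_BASELINE.get(app.category, set())
    if "NFC" in unexpected:
        reasons.append("unexpected NFC permission")
    odd_ports = {p for p in app.service_outbound if p not in STANDARD_PORTS}
    if odd_ports:
        reasons.append("background service on non-standard port(s) %s" % sorted(odd_ports))
    return reasons

def is_suspicious(app: AppTelemetry) -> bool:
    """Two or more independent indicators is the (assumed) escalation threshold."""
    return len(assess(app)) >= 2

# Constructed samples: a "TikTok"-branded dropper and a benign streaming app.
FAKE_TIKTOK = AppTelemetry("com.tiktok.lite.free", "video",
                           frozenset({"INTERNET", "CAMERA", "NFC"}),
                           frozenset({("127.0.0.1", 8118)}), frozenset({24567}))
LEGIT_STREAM = AppTelemetry("com.example.stream", "video",
                            frozenset({"INTERNET", "CAMERA"}),
                            frozenset(), frozenset({443}))

if __name__ == "__main__":
    for app in (FAKE_TIKTOK, LEGIT_STREAM):
        print(app.package, "suspicious" if is_suspicious(app) else "clean", assess(app))
```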
