Last updated: May 13, 2026 at 5:42 AM UTC

TrickMo Android banker hides command-and-control inside Telegram's TON blockchain network to dodge takedowns

The TrickMo Android banking malware now routes its command-and-control through The Open Network (TON), the decentralized peer-to-peer network originally built around Telegram, making the C2 infrastructure much harder to identify or take down. ThreatFabric (which tracks this variant as Trickmo.C) has been watching it since January in campaigns hitting users in France, Italy, and Austria. The malware disguises itself as TikTok or streaming apps and steals banking credentials and crypto wallet keys via phishing overlays, keylogging, SMS interception, OTP suppression, and live screen recording. The new variant also adds SSH tunneling, port forwarding, and SOCKS5 proxy commands, turning infected phones into a pivot point.

Check
Check MDM logs for users in France, Italy, or Austria who side-loaded apps masquerading as TikTok or streaming services since January 2026. Flag corporate phones showing outbound TON network traffic.
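One way to run the MDM check described above, added here as an example and not code from the article or from ThreatFabric. It assumes a flat per-app inventory export with the fields shown; the Google Play installer id and the official TikTok package names are assumptions from general Android knowledge, and the keyword list and sample records are constructed.

```python
"""Flag side-loaded look-alike apps in an Android MDM app inventory export."""
from datetime import date
from typing import Optional

PLAY_STORE_INSTALLER = "com.android.vending"   # installer id recorded for Google Play installs (assumption)
OFFICIAL_TIKTOK = {"com.zhiliaoapp.musically", "com.ss.android.ugc.trill"}  # assumption, not from article
WATCHED_LABELS = ("tiktok", "stream", "iptv")  # constructed keyword list for "TikTok or streaming" lures
TARGET_COUNTRIES = {"FR", "IT", "AT"}          # France, Italy, Austria per the article
CAMPAIGN_START = date(2026, 1, 1)              # "since January 2026" per the article


def is_suspicious(app: dict) -> Optional[str]:
    """Return a reason string if the app record looks like a side-loaded lure, else None."""
    label = app["label"].lower()
    if not any(keyword in label for keyword in WATCHED_LABELS):
        return None
    # A "TikTok" label on a package that is not an official TikTok package is the strongest signal.
    if "tiktok" in label and app["package"] not in OFFICIAL_TIKTOK:
        return "label says TikTok but package is not an official TikTok package"
    # Any watched label that did not come through Google Play was side-loaded.
    if app["installer"] != PLAY_STORE_INSTALLER:
        return "side-loaded (installer is not Google Play)"
    return None


def flag_inventory(records: list) -> list:
    """Apply the country and date scope from the article, then the per-app heuristic."""
    hits = []
    for rec in records:
        if rec["country"] not in TARGET_COUNTRIES:
            continue
        if date.fromisoformat(rec["installed"]) < CAMPAIGN_START:
            continue
        reason = is_suspicious(rec)
        if reason:
            hits.append({"device": rec["device"], "package": rec["package"], "reason": reason})
    return hits


# Constructed sample export; package names other than the official ones are placeholders.
SAMPLE_INVENTORY = [
    {"device": "d1", "country": "FR", "installed": "2026-02-03", "label": "TikTok",
     "package": "com.zhiliaoapp.musically", "installer": "com.android.vending"},
    {"device": "d2", "country": "IT", "installed": "2026-02-10", "label": "TikTok",
     "package": "com.example.tiktok.update", "installer": "com.android.packageinstaller"},
    {"device": "d3", "country": "AT", "installed": "2026-03-01", "label": "Stream TV HD",
     "package": "com.example.streamtv", "installer": "com.android.packageinstaller"},
    {"device": "d4", "country": "DE", "installed": "2026-03-01", "label": "TikTok",
     "package": "com.example.tiktok.update", "installer": "com.android.packageinstaller"},
    {"device": "d5", "country": "FR", "installed": "2025-11-20", "label": "IPTV Player",
     "package": "com.example.iptv", "installer": "com.android.packageinstaller"},
]

if __name__ == "__main__":
    for hit in flag_inventory(SAMPLE_INVENTORY):
        print(hit)
```

Only d2 and d3 are flagged: d1 is the genuine Play Store install, d4 is outside the targeted countries, and d5 predates the campaign window.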
Affected
Android devices belonging to users in France, Italy, and Austria that side-loaded apps disguised as TikTok or streaming services. Banking and cryptocurrency-wallet credentials, SMS-delivered OTPs, screen contents, and keystrokes are all at risk. The TON-based C2 means traditional domain blocking and DNS-based filters will miss this malware family entirely.
Fix
Confirm Google Play Protect is active and side-loading is blocked on all managed Android devices. For potentially infected users, perform a full factory reset, reinstall apps only from Google Play, and reset banking and cryptocurrency credentials from a known-clean device. Add TON .adnl traffic to egress monitoring - while you cannot decrypt it, unusual volumes from corporate networks are a signal.