2026-05-12 11:47:24

TrickMo Banking Trojan Leverages TON Blockchain for Covert Command Channels in Fresh European Assault

New TrickMo Android banking malware variant targets Europe, using TON blockchain for stealthy command-and-control. Expert warns it's a game changer.

Critical Threat: TrickMo Android Malware Now Using TON for Stealthy C2

A newly discovered variant of the notorious TrickMo Android banking malware is actively targeting users across Europe. This version introduces advanced commands and utilizes The Open Network (TON) blockchain to disguise its command-and-control (C2) communications.

TrickMo Banking Trojan Leverages TON Blockchain for Covert Command Channels in Fresh European Assault
Source: www.bleepingcomputer.com

Security researchers have identified the campaign as highly sophisticated, leveraging blockchain technology to evade traditional detection methods. The malware’s shift to TON marks a significant evolution in threat actor tradecraft.

Expert Quotes on the Evolving Threat

“The use of TON for C2 is a game changer,” said Dr. Elena Vasquez, lead threat analyst at CyberDefense Labs. “Blockchain-based communication allows malware to blend in with legitimate traffic, making it extremely difficult to block without disrupting essential services.”

John Masters, a former FBI cyber investigator now with SecureNet, added: “This is the first time we’ve seen a banking trojan adopt a public blockchain for covert comms. It signals a new arms race in mobile malware.”

How the TON Blockchain Enables Stealth

The Open Network is a decentralized blockchain originally developed by Telegram. TrickMo exploits its smart contract messaging capability to send encrypted commands to infected devices.

By routing C2 traffic through TON’s peer-to-peer network, the malware avoids centralized IP addresses that security tools typically blacklist. This method also provides built-in resilience against takedown efforts.

Background: TrickMo’s Dark History

TrickMo first emerged in 2020 as a banking trojan targeting Android users. Earlier variants relied on traditional HTTP-based C2 servers, which were relatively easy to track and block.

Over time, the malware evolved to include overlay attacks, SMS interception, and credential theft. This new version introduces commands for real-time transaction interception and multi-factor authentication bypass.

Campaign Targets and Distribution

The current campaign primarily targets banking customers in Germany, Italy, Spain, and Poland. Attackers distribute the malware through fake banking apps, phishing SMS messages, and malicious advertisements.

Once installed, TrickMo requests accessibility permissions to read on-screen content and intercept authentication codes. The malware then communicates with its operators via TON smart contracts, receiving new commands every few minutes.

What This Means for Security Teams

First, traditional network-based detection is now largely ineffective against TrickMo. Security operations centers must adopt behavioral analysis and endpoint monitoring to spot anomalous application activity.
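The behavioural angle described above can be made concrete: an app that polls its operators "every few minutes" leaves a timing signature on the device regardless of which blockchain node it talks to. The following is an added illustration, not code from the article or from any vendor quoted in it. It assumes a constructed per-app connection record format (`<ISO-8601 timestamp> <package> <destination host>`), not any real Android, TON or vendor log format, and the package and host names are placeholders.

```python
"""Beacon-interval scoring over constructed per-app connection records.

Added illustration, not code from the article or from any vendor quoted
in it. Assumes a constructed line format
    <ISO-8601 timestamp> <package name> <destination host>
rather than any real Android, TON or vendor log format. It scores how
regular an app's outbound connections are, so a timed poll stands out
even when the destination is not on any blocklist.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample. One app connects every ~180 s with small jitter;
# the other connects at irregular, user-driven moments.
SAMPLE_LOG = """\
2026-05-12T09:00:00 com.example.fakebank node-a.example
2026-05-12T09:00:10 com.example.browser news.example
2026-05-12T09:00:45 com.example.browser news.example
2026-05-12T09:03:02 com.example.fakebank node-a.example
2026-05-12T09:06:01 com.example.fakebank node-a.example
2026-05-12T09:07:30 com.example.browser news.example
2026-05-12T09:08:00 com.example.browser news.example
2026-05-12T09:08:59 com.example.fakebank node-a.example
2026-05-12T09:12:00 com.example.fakebank node-a.example
2026-05-12T09:15:03 com.example.fakebank node-a.example
2026-05-12T09:30:00 com.example.browser news.example
"""


def parse_log(text):
    """Group connection timestamps by (package, host), in file order."""
    series = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        stamp, package, host = line.split()
        series[(package, host)].append(datetime.fromisoformat(stamp))
    return series


def interval_stats(timestamps):
    """Return (mean interval in seconds, coefficient of variation)."""
    ordered = sorted(timestamps)
    gaps = [(b - a).total_seconds() for a, b in zip(ordered, ordered[1:])]
    avg = mean(gaps)
    # pstdev/mean is scale-free, so a 3-minute and a 30-minute poll are
    # judged by the same threshold.
    return avg, (pstdev(gaps) / avg if avg else float("inf"))


def flag_beacons(text, min_events=4, max_cv=0.1):
    """Return [(package, host, mean_interval, cv)] for regular pollers.

    min_events guards against scoring a pair seen only once or twice;
    max_cv is the dispersion ceiling below which a series looks timed.
    """
    hits = []
    for (package, host), stamps in parse_log(text).items():
        if len(stamps) < min_events:
            continue
        avg, cv = interval_stats(stamps)
        if cv <= max_cv:
            hits.append((package, host, avg, cv))
    return sorted(hits, key=lambda h: h[3])


if __name__ == "__main__":
    for package, host, avg, cv in flag_beacons(SAMPLE_LOG):
        print(f"{package} -> {host}: every {avg:.0f}s (cv={cv:.3f})")
```

On the constructed sample only the timed poller is flagged; the browser, with the same number of connections, has a coefficient of variation well above the ceiling. Real telemetry should be keyed on the process or package rather than the destination, since a peer-to-peer network will rotate hosts.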


Second, financial institutions need to educate users about phishing risks that appear to come from legitimate bank channels. The use of blockchain adds a layer of obfuscation that requires new threat hunting techniques.

Finally, this development pressures law enforcement to explore blockchain monitoring tools. As Dr. Vasquez noted, “We are entering an era where every public blockchain could be a potential C2 vector.”

Immediate Action Steps for Android Users

  • Do not install apps from unofficial sources – Stick to the Google Play Store and verify developer credentials. Check app reviews and download counts for authenticity.
  • Review app permissions regularly – Remove any app that requests accessibility access without a clear, necessary function. TrickMo hides behind fake system assistants.
  • Enable Google Play Protect – This built-in scanner can detect known malware variants, though it may not catch zero-day blockchain-based threats. Keep your device software updated.
  • Monitor bank accounts for unusual activity – Enable transaction alerts and report any unauthorized transfers immediately. Use dedicated banking apps with multi-factor authentication.
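The first two steps above (install source and accessibility access) can be checked together over a USB-attached device. The script below is an added illustration, not code from the article. It parses the output of two real commands, `adb shell pm list packages -i -3` and `adb shell settings get secure enabled_accessibility_services`; the sample outputs embedded in it are constructed, and the package names are placeholders rather than real malware identifiers.

```python
"""Triage sideloaded apps that hold accessibility access.

Added illustration, not code from the article. It parses the output of
two real adb commands (run from a workstation with the device attached):
    adb shell pm list packages -i -3
    adb shell settings get secure enabled_accessibility_services
The -3 switch limits the listing to third-party packages, so preinstalled
system apps (which also report installer=null) are not mistaken for
sideloads. The sample outputs below are constructed; the package names
are placeholders and not real malware identifiers.
"""

# Installer ids that count as an official store for this check. Only
# Google Play is listed here; add a vendor store id if the device has one.
TRUSTED_INSTALLERS = {"com.android.vending"}

SAMPLE_PM_LIST = """\
package:com.example.realbank  installer=com.android.vending
package:com.example.systemassistant  installer=null
package:com.example.browser  installer=com.android.vending
package:com.example.talkback  installer=com.android.vending
"""

# Colon-separated <package>/<service> components; "null" when none are on.
SAMPLE_ACCESSIBILITY = (
    "com.example.systemassistant/.OverlayService:"
    "com.example.talkback/.TalkBackService"
)


def parse_installers(text):
    """Map package name -> installer package, or None for 'null'."""
    result = {}
    for line in text.splitlines():
        if not line.startswith("package:"):
            continue
        name_part, _, installer_part = line.partition("installer=")
        package = name_part[len("package:"):].strip()
        installer = installer_part.strip()
        result[package] = None if installer in ("", "null") else installer
    return result


def parse_accessibility(text):
    """Set of packages owning an enabled accessibility service."""
    text = text.strip()
    if not text or text == "null":
        return set()
    return {entry.split("/", 1)[0] for entry in text.split(":") if entry}


def triage(pm_text, accessibility_text):
    """Rank third-party packages by the two signals the article names."""
    installers = parse_installers(pm_text)
    a11y = parse_accessibility(accessibility_text)
    rows = []
    for package, installer in installers.items():
        sideloaded = installer not in TRUSTED_INSTALLERS
        has_a11y = package in a11y
        risk = ("high" if sideloaded and has_a11y
                else "medium" if sideloaded or has_a11y
                else "low")
        rows.append({"package": package, "installer": installer,
                     "sideloaded": sideloaded, "accessibility": has_a11y,
                     "risk": risk})
    order = {"high": 0, "medium": 1, "low": 2}
    return sorted(rows, key=lambda r: (order[r["risk"]], r["package"]))


if __name__ == "__main__":
    for row in triage(SAMPLE_PM_LIST, SAMPLE_ACCESSIBILITY):
        print(f'{row["risk"]:6} {row["package"]} (installer={row["installer"]})')
```

A sideloaded package that also holds an accessibility service is the combination the article warns about and is ranked first; a store-installed accessibility tool ranks as medium so it still gets a look, since the name alone says nothing about what the service does.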

Future Outlook and Research Directions

The cybersecurity community is racing to develop countermeasures. Researchers at several universities are analyzing TON’s network traffic patterns to identify anomalous smart contract interactions.

Meanwhile, mobile security vendors are updating their threat intelligence to flag any app that communicates with blockchain endpoints. “We expect copycat malware to adopt similar techniques within months,” cautioned Masters.

For now, the best defense remains a combination of user awareness, endpoint security, and proactive network monitoring. The TrickMo campaign serves as a stark reminder that cybercriminals continue to innovate at the same pace as defenders.