TrickMo Variant Routes Android Trojan Traffic Through TON

A new variant of the TrickMo Android trojan now routes its command traffic and stolen data through The Open Network (TON) blockchain, cybersecurity researchers report. The change aims to evade detection by traditional monitoring tools.

Key Details

The updated TrickMo malware targets Android devices, primarily stealing banking credentials and SMS messages. According to analysis from cybersecurity firm Cleafy, this variant integrates TON for routing commands and exfiltrating data. TON, known for its Telegram integration, provides a decentralized path that complicates tracking by security vendors.

TrickMo first appeared years ago as a banking trojan focused on Italian financial apps. Recent samples show overlays for apps from banks in Italy, Spain, and Turkey. Once installed, the malware requests accessibility permissions to capture screen content and intercept one-time passwords.

Cleafy’s report details how the trojan uses TON smart contracts to receive control commands. Stolen data, including credentials, gets funneled through TON wallets before reaching attackers’ servers. This method mixes malicious traffic with legitimate blockchain activity.

Background and Impact

Android trojans like TrickMo have evolved to counter improved mobile defenses. Past versions relied on command-and-control servers, which antivirus tools block easily. Blockchain routing adds a layer of obfuscation, as transactions blend into TON’s high-volume network.

The shift matters for financial institutions. Banks using affected apps face higher fraud risk, as attackers bypass SMS-based authentication. Users in Europe report increased account takeovers linked to similar malware.

TON’s role raises questions about blockchain misuse. While designed for fast payments, its accessibility enables cybercriminals. This follows other cases where blockchains host malware infrastructure, including scams exploiting digital tools.

Expert Statements

“TrickMo operators seek persistence amid tightening security,” Cleafy researcher Emanuele Cozzi said in the firm’s analysis. “TON offers low-cost, hard-to-trace communication.”

The report urges app developers to monitor for unusual accessibility requests. It also notes TrickMo’s distribution via fake apps on third-party stores, evading Google Play protections.

Detection and Response

Security firms updated signatures for the TON variant last week. Users should scan devices with reputable antivirus and avoid sideloading apps. Banks recommend hardware security keys for high-value accounts.

Cleafy tracks further mutations, with signs of expansion to US banking apps. Financial regulators in Europe plan guidance on blockchain-linked threats. Developers can review user engagement metrics to spot malicious traffic patterns.

TON blockchain maintainers stated they monitor for abuse but cannot block transactions without central control. The network processed over 1 billion transactions last year, per public data.

This development highlights the ongoing cat-and-mouse game in mobile security. As trojans adopt blockchain, defenders must adapt their monitoring to decentralized systems.

Zia Khan

NetworkUstad Contributor
