admin  

Not just a banking trojan: TrickMo.C uses TON to turn infected Android phones into stealth network nodes

TrickMo.C, first observed in early 2026, is not a routine update to a banking trojan. The operators have rebuilt it as a platform that runs a local TON (The Open Network) proxy on compromised Android phones and routes command-and-control traffic through encrypted .ADNL addresses. That redesign converts infected devices into covert, remotely programmable network nodes that blunt IP- and DNS-based defenses.

Why the TON overlay materially changes the attacker payoff

By using TON’s decentralized overlay and .ADNL addressing, TrickMo.C hides the network endpoints of its C2 traffic: defenders see only encrypted TON traffic rather than connectable IP addresses or domain names. The malware’s operator features—remote HTTP probing (curl-like commands), DNS lookups performed by the victim device’s resolver, embedded SSH clients for socket-level tunneling, and setup of authenticated SOCKS5 proxies—turn phones into exit nodes that can mask fraudulent transactions behind legitimate device IPs.

This matters operationally: the overlay increases persistence and makes takedowns that target central servers ineffective. The campaign observed in France, Italy and Austria uses fake TikTok and video apps distributed through third‑party stores and phishing SMS, so the same platform supports geographic targeting and monetization (credential theft, wallet keys, biometric tokens) without changing the core C2 channel.

How this design raises costs and friction for defenders

Traditional mitigations—block a C2 domain, sinkhole an IP, or take down a hosting provider—no longer work when control is embedded in a peer-to-peer network. TrickMo.C runs a local TON proxy on-device and disguises its traffic as legitimate TON overlay activity, making packet-based indicators weak. Google Play Protect is evaded through stolen developer signatures and third‑party distribution; that reduces the effectiveness of app-store policing as a primary prevention tool.

Operationally, defenders now need to add endpoint and behavioral telemetry that can detect a resident TON proxy, anomalous use of system DNS by non-browser processes, sudden creation of authenticated SOCKS5 tunnels, or SMS suppression patterns tied to one-time-password interception. Each additional detection capability increases monitoring cost and incident response complexity at scale.

Inside TrickMo.C: modular mechanics, dormant hooks, and distribution details

The variant separates a persistent loader APK from a dynamically downloaded attack module, which enables stealth and selective targeting. Once the module is pulled, operators can run reconnaissance commands, probe internal services through the victim’s network, and pivot over SSH tunnels. The binary still contains the Pine hooking framework (historically used to intercept network and Firebase calls), but researchers report that Pine is inactive in current samples. TrickMo does, however, report NFC capability in its telemetry and request NFC permissions, indicating a staged plan to expand into contactless payment or device-to-device attack vectors if activated.

Distribution is practical: campaigns use geofencing to deliver payloads only to specified countries (France, Italy, Austria), lure victims with fake TikTok or streaming apps via third‑party stores and phishing SMS, and employ droppers whose payloads bypass Play Protect by leveraging stolen developer signatures. That operational chain means defenders must correlate app-install telemetry, SMS activity, and unusual network tunneling to build a reliable detection signal.

| Attacker capability | Resulting defender friction | Concrete checkpoint for defenders |
|---|---|---|
| Encrypted C2 over TON .ADNL addresses | IP/DNS blocking ineffective | Detect local TON proxy processes and anomalous UDP/TCP flows to overlay ports |
| Authenticated SOCKS5 and SSH tunneling from device | Attack traffic blends with legitimate device-originated flows | Flag devices creating persistent SOCKS5 listeners or outbound SSH sessions |
| Modular loader + dynamic module delivery | Staged payloads evade static-signature defenses | Correlate installer provenance, runtime module fetches, and geofencing behavior |
| Dormant Pine hooks and NFC permissions reported | Potential future expansion into in-device hooking and contactless fraud | Treat Pine activation and NFC telemetry spikes as high-priority escalation signals |
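As an added example (not code from the original article or from the researchers it cites), the following Python triage routine applies the table's checkpoints and the endpoint signals named earlier (SOCKS5 listeners, outbound SSH, system DNS use by non-browser processes, networking combined with SMS access, NFC as an escalation marker) to constructed per-device telemetry. The event schema, package names, ports and permission strings are assumptions chosen for illustration.

```python
from collections import defaultdict

# Constructed sample telemetry for one Android device (illustrative only,
# not real TrickMo.C data). Each record: (package, event_kind, detail).
TELEMETRY = [
    ("com.example.videoapp", "listen", "127.0.0.1:1080/tcp"),   # local proxy-style listener
    ("com.example.videoapp", "connect", "198.51.100.7:22/tcp"),  # outbound SSH session
    ("com.example.videoapp", "dns", "intranet.corp.example"),    # resolver use by non-browser
    ("com.example.videoapp", "dns", "intranet.corp.example"),
    ("com.example.videoapp", "perm", "android.permission.INTERNET"),
    ("com.example.videoapp", "perm", "android.permission.RECEIVE_SMS"),
    ("com.example.videoapp", "perm", "android.permission.NFC"),
    ("com.android.chrome", "dns", "news.example"),               # expected browser DNS
    ("com.android.chrome", "perm", "android.permission.INTERNET"),
]

BROWSERS = {"com.android.chrome", "org.mozilla.firefox"}   # assumed allow-list
PROXY_PORTS = {1080, 1081}   # conventional SOCKS ports; tune to your fleet's baseline
SMS_PERMS = {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS"}

def port_of(endpoint):
    """'host:port/proto' -> integer port (IPv4 form only, for brevity)."""
    return int(endpoint.split("/")[0].rsplit(":", 1)[1])

def assess(events):
    """Return {package: sorted signal names} for packages tripping any checkpoint."""
    signals, perms = defaultdict(set), defaultdict(set)
    for pkg, kind, detail in events:
        if kind == "listen" and port_of(detail) in PROXY_PORTS:
            signals[pkg].add("persistent SOCKS5-style listener")
        elif kind == "connect" and port_of(detail) == 22:
            signals[pkg].add("outbound SSH session")
        elif kind == "dns" and pkg not in BROWSERS:
            signals[pkg].add("system DNS use by non-browser process")
        elif kind == "perm":
            perms[pkg].add(detail)
    for pkg, p in perms.items():
        if "android.permission.INTERNET" in p and p & SMS_PERMS:
            signals[pkg].add("networking plus SMS access")
        # NFC alone is benign; on an already-suspicious app it is the escalation marker.
        if "android.permission.NFC" in p and signals.get(pkg):
            signals[pkg].add("NFC permission on already-suspicious app (escalate)")
    return {pkg: sorted(s) for pkg, s in signals.items() if s}

def severity(sig_list):
    """Tunneling or NFC-escalation findings outrank DNS/permission-only findings."""
    high = {"persistent SOCKS5-style listener", "outbound SSH session"}
    if any(s in high or s.startswith("NFC") for s in sig_list):
        return "high"
    return "medium" if sig_list else "none"
```

Run `assess(TELEMETRY)` to see that only the fake video app is flagged while the browser's ordinary DNS activity is not.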

Decision points: when to change monitoring, containment, and policy

If you manage mobile fleets or bank fraud detection, prioritize three changes now: 1) add endpoint signals for resident TON proxies and unusual use of the system DNS resolver; 2) surface authenticated SOCKS5/SSH activity originating from mobile apps; and 3) treat activation of Pine hooking or NFC exploitation telemetry as a near-term escalation (the explicit checkpoint defenders should watch for is any sample where Pine is toggled active or NFC transactions are intercepted in telemetry). Those checkpoints are actionable because they indicate a step change in attack surface and potential monetization vectors.


Operationally, this trade-off—investing in richer endpoint and network telemetry versus continuing to rely on perimeter controls—makes sense when you handle high-value mobile-authenticated transactions in targeted countries (the current campaign focus is France, Italy and Austria). If your organization has minimal mobile transaction exposure in those regions, raise alert thresholds and monitor for the documented indicators rather than overhaul detection immediately.

Quick Q&A

How can I spot TON-based C2 today? Look for persistent processes that bind to local overlay ports, unusual UDP/TCP flows with opaque payloads to many peers, and apps requesting wide networking permissions combined with SMS or SIM‑related access.

Should we block TON traffic network-wide? Blanket blocking risks collateral damage to legitimate TON users. Prefer endpoint detection for local TON proxies plus conditional network-level controls in high-risk segments.

What is the next critical signal to watch? Activation of the Pine hooking framework or evidence of NFC exploitation in telemetry—either would indicate TrickMo is moving from reconnaissance and credential theft to deeper in‑device interception or contactless fraud.