TrickMo Android banking malware adds TON-based covert command-and-control
Malware Activity
Summary
The TrickMo Android banking malware has added TON-based covert command-and-control, making its operator infrastructure harder to identify, block, or take down as it targets victims across Europe. The variant tracked as Trickmo.C is being delivered through fake TikTok and streaming apps and targets banking and cryptocurrency wallets in France, Italy, and Austria. It also adds new operator commands, including SSH tunneling, remote port forwarding, local port forwarding, and authenticated SOCKS5 proxy support. The changes expand remote control options while reducing the effectiveness of normal DNS-based disruption.
Related Happenings
Android 17 expands platform security and privacy protections
Security Tool/Service
First: 12.05.2026 20:00
Last: 12.05.2026 20:00
Sources 1
About this happening:
**Android 17** will add a broad set of **Google**-backed security and privacy controls next month, reducing exposure to **banking scam calls**, **device theft**, and **OTP theft**...
TrickMo Android banking trojan variant with TON C2 and network pivots
Malware Activity
First: 12.05.2026 15:50
Last: 12.05.2026 15:50
Sources 1
About this happening:
A new **TrickMo** Android banking trojan variant now uses **The Open Network (TON)** for C2, turning infected phones into **network pivots** and **traffic-exit nodes**. It was obs...
TrickMo C TikTok-lure campaign targeting banking and wallet users in France, Italy, and Austria
Campaign
First: 11.05.2026 18:15
Last: 11.05.2026 18:15
Sources 1
How related:
The variant, identified by ThreatFabric and labeled TrickMo C, was tracked between January and February 2026 in active campaigns against banking and wallet users in France, Italy and Austria, according to new analysis from the firm's Mobile Threat Intelligence Team.
About this happening:
The **TrickMo** operators ran an active **TikTok-themed** campaign between **January and February 2026**, targeting **banking and wallet users** in **France, Italy and Austria**....
Sqgame[.]net gaming platform hit by network compromise
Incident
First: 05.05.2026 18:00
Last: 05.05.2026 18:00
Sources 1
About this happening:
The **sqgame[.]net** gaming platform was **compromised**, and its **Windows** and **Android** software were **trojanized** to deliver malicious code to users, putting a regional e...
ScarCruft sqgame[.]net supply-chain espionage campaign
Campaign
First: 05.05.2026 12:07
Last: 05.05.2026 12:07
Sources 1
About this happening:
**ScarCruft**'s **late-2024** supply-chain campaign against **sqgame[.]net** expanded a niche gaming platform compromise into a **multi-platform espionage channel**. The operation...
Timeline
- 11.05.2026 12:03 · 2 articles
ThreatFabric discloses Trickmo.C with TON-based command-and-control
Initial Disclosure
ThreatFabric says the TrickMo Android banking malware variant tracked as Trickmo.C has been observed since January and is being delivered in campaigns across Europe, often disguised as TikTok or streaming apps. The malware targets banking and cryptocurrency wallets in France, Italy, and Austria, uses The Open Network (TON) with .ADNL addresses and an embedded local TON proxy for covert command-and-control, and adds commands including curl, dnsLookup, ping, telnet, traceroute, SSH tunneling, remote port forwarding, local port forwarding, and authenticated SOCKS5 proxy support.
Sources:
- TrickMo Android banker adopts TON blockchain for covert comms — www.bleepingcomputer.com — 11.05.2026 12:03
- TrickMo Variant Routes Android Trojan Traffic Through TON — www.infosecurity-magazine.com — 11.05.2026 18:15