Find notable cyber news and cases, enriched with sources, timelines, and signals.

TrickMo Android banking trojan variant with TON C2 and network pivots

Malware Activity
First reported
Last updated
Happening score
H score 26
1 unique sources, 1 articles

Summary

Hide ▲

A new TrickMo Android banking trojan variant now uses The Open Network (TON) for C2, turning infected phones into network pivots and traffic-exit nodes. It was observed between January and February 2026 while targeting banking and cryptocurrency wallet users in France, Italy, and Austria. The build adds reconnaissance, SSH tunnelling, and SOCKS5 proxying to extend the malware’s reach beyond credential theft. That shift makes compromised phones more useful for fraud evasion and network abuse.

Related Happenings

TrojPix air-gap covert channel turns video cables into a high-speed exfiltration path

Technical Analysis
H score20 First: 06.07.2026 11:50 Last: 06.07.2026 11:50 Sources 1

About this happening: **TrojPix** introduces a new **air-gap exfiltration** technique that uses **imperceptible pixel modulation** and **video cable emissions** to move data out of isolated systems, ra...

Popa botnet forcing consumer TV boxes to relay traffic

Malware Activity
H score76 First: 18.06.2026 20:37 Last: 18.06.2026 20:37 Sources 1

About this happening: **Popa** is an **Android-based botnet** that turns **consumer TV boxes** and related devices into relay infrastructure, maintaining encrypted connectivity and opening tunnels on d...

Latest development: 03.07.2026 12:35

Google disabled NetNut accounts used for malware command-and-control, updated Google Play Protect to warn Android users, and disabled apps containing compromised SDKs while FBI legal actions and domain seizures targeted NetNut infrastructure. The coordinated disruption was described as degrading NetNut’s proxy network and shrinking the pool of devices available to the operator.

Vo1d botnet campaign targeting unofficial Android-based TV boxes

Campaign
H score88 First: 18.06.2026 20:37 Last: 18.06.2026 20:37 Sources 1

About this happening: **NetNut** used the **Popa botnet** and deceptive SDKs on **off-brand Android-based smart TVs**, streaming media boxes, and unofficial apps to turn home connections into **residen...

Latest development: 03.07.2026 12:35

Google disabled all Google accounts used by NetNut for malware command-and-control, updated Google Play Protect to warn Android users, and disabled apps containing the compromised SDKs. The FBI’s seizure banner appeared on netnut.com while netnut.io briefly remained accessible, and Google said the coordinated actions caused significant degradation to NetNut’s proxy network and business operations.

NFCShare Android malware spreads via fake banking-app updates

Malware Activity
H score21 First: 09.06.2026 01:11 Last: 09.06.2026 01:11 Sources 1

About this happening: The **NFCShare Android malware** is being spread as **fake banking-app updates on GitHub**, broadening attacks against **customers of multiple banks and financial institutions acr...

TrickMo C TikTok-lure campaign targeting banking and wallet users in France, Italy, and Austria

Campaign
H score33 First: 11.05.2026 18:15 Last: 11.05.2026 18:15 Sources 1

How related: The latest versions, labeled TrickMo C, are distributed via phasing websites and dropper apps, the latter of which serve as a conduit for a dynamically loaded APK ("dex.module") that's retrieved at runtime from attacker-controlled infrastructure.

About this happening: The **TrickMo** operators ran an active **TikTok-themed** campaign between **January and February 2026**, targeting **banking and wallet users** in **France, Italy and Austria**....

Timeline

  1. 12.05.2026 15:50 2 articles · 1mo ago

    ThreatFabric discloses TrickMo TON-backed Android variant

    Initial Disclosure

    ThreatFabric disclosed a new TrickMo Android banking trojan variant observed between January and February 2026 that is targeting banking and cryptocurrency wallet users in France, Italy, and Austria. The malware uses The Open Network (TON) for command-and-control, relies on a runtime-loaded APK called dex.module, and adds reconnaissance, SSH tunnelling, and SOCKS5 proxying to turn infected devices into programmable network pivots and traffic-exit nodes.

    Show sources