
TrickMo Android Malware Evolves: Leveraging TON Blockchain for Stealthy Command-and-Control

Posted by u/Tiobasil · 2026-05-11 11:04:51

Introduction

The TrickMo banking Trojan, long known for targeting Android users in Europe, has resurfaced with a sophisticated new variant. This iteration introduces novel commands and, most notably, exploits The Open Network (TON) blockchain to secure its command-and-control (C2) communications. Security researchers have observed active campaigns distributing this updated malware, raising alarms about the growing trend of cybercriminals adopting decentralized technologies for evasion.

TrickMo Android Malware Evolves: Leveraging TON Blockchain for Stealthy Command-and-Control
Source: www.bleepingcomputer.com

This article examines the technical enhancements in the latest TrickMo variant, how TON is used for covert C2, the implications for mobile security, and recommended defensive strategies.

TrickMo’s Evolution: From Traditional C2 to Blockchain

TrickMo first emerged in 2020 as a banking malware capable of overlaying legitimate apps to steal credentials. Over the years, it has evolved to include remote access, SMS interception, and even keylogging capabilities. The latest version marks a significant shift by integrating blockchain technology for its communication infrastructure.

By moving C2 traffic onto the TON blockchain, the malware operators aim to make their communications harder to block and trace. Traditional C2 servers can be taken down by ISPs or law enforcement, but blockchain-based channels provide a resilient, distributed alternative.

Technical Details of the New Variant

Delivery and Targeting

Campaigns distributing the new TrickMo variant primarily target users in Europe, with a focus on financial institutions. The initial infection vector typically involves phishing messages urging victims to install a malicious Android application, often disguised as a banking app, PDF reader, or even a security update.

New Commands and Capabilities

This variant introduces several new commands that enhance its control over infected devices:

  • Remote credential capture: The malware can now record login details even when overlays fail, using accessibility services.
  • Two-factor authentication bypass: It intercepts SMS messages and push notifications containing OTPs.
  • Dynamic overlay generation: Using fetched templates, it creates convincing phishing pages for over 100 financial apps.
  • Data exfiltration to TON: Stolen data is encoded and transmitted as transactions on the TON blockchain.

Using TON Blockchain for Covert Communications

The standout feature of this variant is its use of The Open Network (TON) for C2 messaging. TON is a fast, scalable blockchain originally developed by Telegram. The malware encodes commands and exfiltrated data within smart contract transactions, making them appear as normal blockchain activity. This approach offers several advantages to attackers:

  1. Stealth: C2 traffic blends into legitimate blockchain traffic, evading detection by network-level security tools.
  2. Resilience: The blockchain is decentralized, so no single server can be taken offline.
  3. Anonymity: Transactions are pseudonymous, making attribution difficult.

Specifically, the malware creates a wallet and generates transactions with custom payloads in the comment field. The C2 server periodically checks the blockchain for new commands, and the infected device responds via its own transactions.


Implications for Users and Enterprises

The adoption of blockchain for C2 represents a worrying escalation in cyber threat sophistication. For individual users, the risk of credential theft, financial fraud, and privacy breaches increases. For enterprises—especially financial institutions—the ability to detect and block these communications is severely hampered.

On the other hand, because the C2 channel rides on a public blockchain, threat intelligence teams can in principle monitor it directly if they know the wallet addresses involved. This is a reactive measure, though, and requires constant adaptation as operators rotate wallets.

Mitigation Strategies

For End Users

  • Install apps only from official stores like Google Play.
  • Enable Google Play Protect and avoid sideloading apps.
  • Be cautious of unsolicited messages urging app installation.
  • Use strong, unique passwords and enable multi-factor authentication (MFA) where possible.

For Organizations

  • Deploy mobile endpoint detection and response (EDR) solutions that can identify suspicious app behavior.
  • Monitor blockchain transactions for patterns associated with known malware wallets.
  • Educate employees and customers about phishing campaigns targeting mobile devices.
  • Implement network segmentation to limit lateral movement if a device is compromised.
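Two of the points above (the operator wallets being observable on a public ledger, and the recommendation to monitor blockchain transactions for patterns tied to known malware wallets) lend themselves to a concrete, defender-side check. The following Python script is an added example written for this page; it is not code from the original post, from BleepingComputer, or from any TON tooling. It assumes a simplified transaction record (hash, sender, receiver, comment), a hypothetical wallet watchlist made of placeholder strings rather than real addresses, and a heuristic that treats a long, validly padded base64 comment as "encoded" rather than human text. Sample transactions are constructed inline so it runs offline.

```python
"""Scan a batch of TON-style transaction records for two C2 indicators
discussed above: traffic to or from watchlisted wallets, and comment
fields that carry encoded payloads instead of human-readable text.
Added example for this page; record shape, watchlist and thresholds
are assumptions, not the malware's or any library's real format."""
import base64
import binascii
import math
import re
from dataclasses import dataclass

# Hypothetical watchlist. These are placeholder strings, not real wallet addresses.
WATCHLIST = {"EQ-PLACEHOLDER-MALWARE-WALLET-A", "EQ-PLACEHOLDER-MALWARE-WALLET-B"}


@dataclass(frozen=True)
class Tx:
    """Simplified transaction record (assumed shape, not the TON RPC schema)."""
    tx_hash: str
    sender: str
    receiver: str
    comment: str


@dataclass(frozen=True)
class Finding:
    tx_hash: str
    reasons: tuple          # which indicators fired
    comment_entropy: float  # bits per character, for analyst triage only


def shannon_entropy(text: str) -> float:
    """Bits per character; random base64 blobs score far above prose."""
    if not text:
        return 0.0
    n = len(text)
    counts = {}
    for ch in text:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


# Standard and URL-safe base64 alphabets, optional padding.
_B64_RE = re.compile(r"^[A-Za-z0-9+/_-]+={0,2}$")


def looks_encoded(comment: str, min_len: int = 16) -> bool:
    """Heuristic: long enough, block-aligned, base64 alphabet, and decodable.
    The length check rejects hyphenated human text such as order references."""
    c = comment.strip()
    if len(c) < min_len or len(c) % 4 != 0 or not _B64_RE.match(c):
        return False
    try:
        base64.b64decode(c, altchars=b"-_", validate=True)
    except (binascii.Error, ValueError):
        return False
    return True


def scan(txs, watchlist=WATCHLIST):
    """Return a Finding for every transaction that trips at least one indicator."""
    findings = []
    for tx in txs:
        reasons = []
        if tx.sender in watchlist or tx.receiver in watchlist:
            reasons.append("watchlisted_wallet")
        if looks_encoded(tx.comment):
            reasons.append("encoded_comment")
        if reasons:
            findings.append(Finding(tx.tx_hash, tuple(reasons),
                                    round(shannon_entropy(tx.comment), 2)))
    return findings


# Constructed sample batch: one benign invoice note, one transfer to a watchlisted
# wallet, one base64 comment built here purely as a test vector, and one
# hyphenated reference that must NOT be mistaken for an encoded payload.
SAMPLE_TXS = [
    Tx("tx-0001", "EQ-USER-1", "EQ-MERCHANT-1", "Invoice #4471 paid, thanks"),
    Tx("tx-0002", "EQ-USER-2", "EQ-PLACEHOLDER-MALWARE-WALLET-A", "gm"),
    Tx("tx-0003", "EQ-USER-3", "EQ-USER-4",
       base64.b64encode(b"constructed sample payload 0001").decode()),
    Tx("tx-0004", "EQ-USER-5", "EQ-USER-6", "payment-for-order-12345678"),
]

if __name__ == "__main__":
    for f in scan(SAMPLE_TXS):
        print(f"{f.tx_hash}: {', '.join(f.reasons)} (entropy {f.comment_entropy})")
```

Running it flags tx-0002 for the watchlisted wallet and tx-0003 for its encoded comment, while the invoice note and the hyphenated order reference pass. In practice the watchlist would be fed from shared threat intelligence, and the encoded-comment heuristic should be tuned against a baseline of your own legitimate transaction comments before it drives any alerting, since some wallets legitimately carry machine-generated memos.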

Conclusion

The evolution of TrickMo into a blockchain-enabled malware highlights a broader trend: cybercriminals are continually adapting their tactics to bypass traditional defenses. By leveraging TON, the malware gains stealth and resilience, posing a challenge for security teams. Staying informed about such threats and adopting proactive security measures is essential for both individuals and organizations in the fight against mobile banking malware.