New TrickMo Variant: Device Takeover malware targeting Banking, Fintech, Wallet & Auth apps
Essential information
- Published
- 11/05/2026 11:07
- Modified
- 11/05/2026 09:56
- Source / Author
- AlienVault
- Confidence
- 100/100
- Report type(s)
- threat-report
- Labels / Tags
- accessibility abuse, android banking trojan, device takeover, godfather, network pivot, socks5 proxy, ssh tunnelling, ton network, trickmo
- Tags
- 2026-05-11, accessibility abuse, android banking trojan, device takeover, godfather, network pivot, socks5 proxy, ssh tunnelling, ton network, trickmo
- Related entities
- 6 indicators, 6 observables, 2 malware, 4 others
Description
A new variant of the TrickMo Android banking trojan was identified between January and February 2026. It represents a substantial redesign of the malware's platform rather than an incremental feature update: command-and-control has moved entirely onto The Open Network (TON), using .adnl endpoints in place of conventional internet infrastructure. Active campaigns have targeted banking and wallet users in France, Italy, and Austria. Once the victim grants accessibility permissions, operators gain real-time control of the device, including credential phishing, keylogging, screen recording, SMS interception, and bidirectional remote control. New in this variant are network reconnaissance capabilities and SSH tunnelling, which turn an infected device into a programmable network pivot and a SOCKS5 proxy exit node. Because the operator's traffic then leaves from the victim's own device and IP address, this lets operators bypass IP-based fraud detection systems while also reaching hosts on the victim's network.
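The abuse chain above begins with an accessibility service the victim is tricked into enabling, so a basic triage check on a device (or across a fleet via an MDM agent) is to list the enabled accessibility services and flag any that are not on a known-good list. The script below is an added example, not code from the AlienVault report or from any TrickMo analysis. It parses the value of the Android `Settings.Secure` key `enabled_accessibility_services` (obtainable with `adb shell settings get secure enabled_accessibility_services`, which is assumed to have been run separately) and compares each service's package against an allowlist. The allowlist, the sample setting value, and the package `com.example.fakebank.update` are constructed for the example and are not indicators from the report.

```python
"""Audit Android enabled accessibility services against an allowlist.

Added example (not part of the original report). Input is the raw value of
the Settings.Secure key 'enabled_accessibility_services', a ':'-separated
list of flattened ComponentName strings ('pkg/cls'). Any service whose
package is not allowlisted is returned as a finding for manual review.
"""
from dataclasses import dataclass

# Android separates entries in this setting with ':'.
SEPARATOR = ":"

# Example allowlist (assumption for this example, not a vendor-endorsed list).
# TalkBack is the stock Google screen reader; anything else gets flagged.
ALLOWED_PACKAGES = frozenset({
    "com.google.android.marvin.talkback",
})

# Constructed sample value: TalkBack plus a hypothetical sideloaded app that
# registered an accessibility service using the '/.Class' shorthand form.
SAMPLE_SETTING = (
    "com.google.android.marvin.talkback/"
    "com.google.android.marvin.talkback.TalkBackService"
    ":com.example.fakebank.update/.AccessibilityCoreService"
)


@dataclass(frozen=True)
class AccessibilityService:
    package: str
    service_class: str


def parse_component(flat: str) -> AccessibilityService:
    """Parse one 'pkg/cls' entry as written by ComponentName.flattenToString().

    Android accepts the shorthand 'com.foo/.Bar' for 'com.foo/com.foo.Bar';
    it is expanded here so every entry has one canonical class name.
    """
    flat = flat.strip()
    if "/" not in flat:
        raise ValueError(f"not a component name: {flat!r}")
    package, cls = flat.split("/", 1)
    if not package or not cls:
        raise ValueError(f"malformed component name: {flat!r}")
    if cls.startswith("."):
        cls = package + cls
    return AccessibilityService(package, cls)


def parse_enabled_services(setting_value: str) -> list[AccessibilityService]:
    """Split the setting into services; '' or 'null' means none are enabled.

    'settings get' prints the literal string 'null' when the key is unset.
    """
    value = (setting_value or "").strip()
    if value in ("", "null"):
        return []
    return [parse_component(item) for item in value.split(SEPARATOR) if item.strip()]


def audit(setting_value: str, allowed_packages: frozenset[str]) -> list[AccessibilityService]:
    """Return every enabled accessibility service whose package is not allowlisted."""
    return [
        svc for svc in parse_enabled_services(setting_value)
        if svc.package not in allowed_packages
    ]


if __name__ == "__main__":
    for finding in audit(SAMPLE_SETTING, ALLOWED_PACKAGES):
        print(f"REVIEW: {finding.package} registers {finding.service_class}")
```

The check is point-in-time and only covers services that are currently enabled; a device where the user has been coached to toggle the service on and off would need the setting sampled repeatedly. It also says nothing about what the service does, so each finding still needs the package's installer source and permissions reviewed.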