{
  "name": "New TrickMo Variant: Device Take Over malware targeting Banking, Fintech, Wallet & Auth apps",
  "slug": "new-trickmo-variant-device-take-over-malware-targeting-banking-fintech-wallet-auth-apps",
  "description": "A new variant of the TrickMo Android banking trojan was identified between January and February 2026, representing a substantial platform redesign rather than new capabilities. The malware has migrated its command-and-control infrastructure entirely onto The Open Network (TON) using .adnl endpoints, moving away from conventional internet infrastructure. Active campaigns have targeted banking and wallet users in France, Italy, and Austria. Once accessibility permissions are granted, operators gain real-time control of the device, enabling credential phishing, keylogging, screen recording, SMS interception, and bidirectional remote control. New features include network reconnaissance capabilities and SSH tunnelling, which together turn infected devices into programmable network pivots and SOCKS5 proxy exit nodes, enabling operators to bypass IP-based fraud detection systems while accessing victim networks.",
  "published": "2026-05-11T09:07:43.650000+00:00",
  "created_at": "2026-05-11T09:56:23.021000+00:00",
  "modified_at": "2026-05-11T07:56:23+00:00",
  "created_at_opencti": "2026-05-11T09:56:23.021000+00:00",
  "author": "AlienVault",
  "confidence": 100,
  "report_types": [
    "threat-report"
  ],
  "labels": [
    "accessibility abuse",
    "android",
    "banking trojan",
    "device takeover",
    "godfather",
    "network pivot",
    "socks5 proxy",
    "ssh tunnelling",
    "ton network",
    "trickmo"
  ],
  "tags": [
    "2026-05-11",
    "accessibility abuse",
    "android",
    "banking trojan",
    "device takeover",
    "godfather",
    "network pivot",
    "socks5 proxy",
    "ssh tunnelling",
    "ton network",
    "trickmo"
  ],
  "related_entities": {
    "indicators": [
      {
        "id": "92708e44-15a2-4ec9-b1a2-682dd91548cc",
        "name": "177ef86c57c31b29850227dbc8288b735bea977587f2f0a49cfc4089a644a2c4"
      },
      {
        "id": "16f218c7-cdca-43da-a01a-18f5f69e4821",
        "name": "4cd8635062ff6b0885216a0b1658ebcb2938b670f7ac08ecb0b5fb85d8973ea0"
      },
      {
        "id": "fa2dcee1-2f89-40b1-aed8-da9da3267cb6",
        "name": "e2e218ddf698b4c0099fd2a9619d6912a71f75beb51669a4e3ae4fc71f745d03"
      },
      {
        "id": "2760f0fb-03e2-4f2b-af5b-f31770d0b2ce",
        "name": "01889a9ec2abecb73e5e8792be68a4e3bc7dcbe1c3f19ac06763682d63aa8c21"
      },
      {
        "id": "6cf95154-1129-45db-bbf1-6a91848c738c",
        "name": "749bbcbc3e5d2d524344d52b6471dfa7b8d3ecdeb0b11ab82c843d497a056c8f"
      },
      {
        "id": "7748561a-c5f8-4688-b054-9f858871cd08",
        "name": "143c0e12d2aa1bdecde59f273139dd5605d00f61cda7f626224e07390119c026"
      }
    ],
    "malware": [
      {
        "id": "cea42bcb-4cd1-4b01-8a45-5b78ab2fa423",
        "name": "TrickMo",
        "slug": "trickmo"
      },
      {
        "id": "6a7adb81-62ee-4738-9de6-47e2620bc864",
        "name": "Godfather",
        "slug": "godfather"
      }
    ],
    "observables": [
      {
        "id": "",
        "name": "177ef86c57c31b29850227dbc8288b735bea977587f2f0a49cfc4089a644a2c4"
      },
      {
        "id": "",
        "name": "4cd8635062ff6b0885216a0b1658ebcb2938b670f7ac08ecb0b5fb85d8973ea0"
      },
      {
        "id": "",
        "name": "e2e218ddf698b4c0099fd2a9619d6912a71f75beb51669a4e3ae4fc71f745d03"
      },
      {
        "id": "",
        "name": "01889a9ec2abecb73e5e8792be68a4e3bc7dcbe1c3f19ac06763682d63aa8c21"
      },
      {
        "id": "",
        "name": "749bbcbc3e5d2d524344d52b6471dfa7b8d3ecdeb0b11ab82c843d497a056c8f"
      },
      {
        "id": "",
        "name": "143c0e12d2aa1bdecde59f273139dd5605d00f61cda7f626224e07390119c026"
      }
    ],
    "others": [
      {
        "id": "",
        "name": "Austria"
      },
      {
        "id": "",
        "name": "France"
      },
      {
        "id": "",
        "name": "Italy"
      },
      {
        "id": "",
        "name": "Finance"
      }
    ]
  },
  "external_refs": [
    {
      "id": "7bf4db71-d808-4c70-983c-7e51af33ec30",
      "standard_id": "external-reference--a1a66c52-8083-55fa-9323-7ce9d961e10b",
      "entity_type": "External-Reference",
      "source_name": "AlienVault",
      "description": null,
      "url": "https://otx.alienvault.com/pulse/6a019c5f0a3344d92c4302a3",
      "hash": null,
      "external_id": "6a019c5f0a3344d92c4302a3",
      "created": "2026-05-11T09:56:20.484Z",
      "modified": "2026-05-11T09:56:20.484Z",
      "createdById": null
    },
    {
      "id": "2b609e2d-c7b1-4b34-abf5-32e75c94a0ed",
      "standard_id": "external-reference--b03efe14-21b5-5682-9cf2-23f6bdc69488",
      "entity_type": "External-Reference",
      "source_name": "AlienVault",
      "description": null,
      "url": "https://www.threatfabric.com/blogs/new-trickmo-variant-device-take-over-malware-targeting-banking-fintech-wallet-auth-app",
      "hash": null,
      "external_id": null,
      "created": "2026-05-11T09:56:20.509Z",
      "modified": "2026-05-11T09:56:20.509Z",
      "createdById": null
    }
  ]
}