TrickMo Variant Routes Android Trojan Traffic Through TON

ID: 75c5e10d-2f94-5e5b-a4a9-0ac642fcdc4b

STIX ID: report--75c5e10d-2f94-5e5b-a4a9-0ac642fcdc4b

Feed Name: Infosecurity Magazine (News)

Threat Score: 80/100

Date Published: 2026-05-11

Date Updated: 2026-05-11


ThreatFabric identified a new variant of the TrickMo Android banking trojan (TrickMo C), active in Jan–Feb 2026 against users in France, Italy and Austria. The variant embeds a native TON proxy to route C2 traffic via The Open Network (TON) blockchain, making traditional domain takedowns ineffective. It retains device-takeover capabilities (accessibility abuse, WebView overlays, keylogging, screen streaming, OTP suppression) and adds programmable network pivoting (curl, dnslookup, ping, telnet, traceroute), plus an SSH client and an on-device SOCKS5 proxy to route attacker traffic through victims' IPs, increasing fraud and reconnaissance potential.
