TrickMo variant targets European banks

- ThreatFabric says a redesigned TrickMo Android banking trojan is active in France, Italy, and Austria, targeting banking, wallet, fintech, and authenticator apps.
- The standout change is command traffic moved onto TON via .adnl identities, plus SSH tunneling and SOCKS5 proxy features that turn phones into pivots.
- This matters because banks can’t just block domains anymore — the malware is shifting toward harder-to-disrupt, device-takeover fraud infrastructure.

Android banking malware is back in a familiar form, but the plumbing underneath has changed in a way that makes defenders’ lives harder. ThreatFabric says a new TrickMo variant has been active since January and February 2026 in campaigns hitting users in France, Italy, and Austria. The malware still steals credentials and takes over phones, but now it hides its command traffic inside TON, a decentralized overlay network, instead of relying on ordinary internet infrastructure. That one change matters a lot — because the old playbook of finding a server and blocking a domain stops working nearly as well.

### What is TrickMo, exactly?

TrickMo is an Android banking trojan, but “trojan” undersells it. This thing is really device-takeover malware. Once a victim grants accessibility permissions, the operator can watch the screen, replay gestures, capture typed text, throw fake login overlays on top of real apps, intercept SMS, suppress notifications, and generally drive the phone like a remote terminal. That makes it useful not just for stealing passwords, but for pushing through fraud while the victim’s own device supplies the trusted session. (threatfabric.com)

### What changed in this variant?

ThreatFabric tracks the new build as a direct evolution rather than a whole new family. The visible tricks are mostly the same, but the architecture was reworked. The loader, configuration storage, app identity, and operator command set were all updated, and ThreatFabric says this version is progressively replacing the older TrickMo variant in active campaigns. Basically, the attackers did a platform redesign, not a cosmetic refresh. (threatfabric.com)

### Why does TON matter so much?

Because it hides where the attacker really lives. This variant sends command-and-control traffic through TON using .adnl identities and an embedded local TON proxy on the infected device. Instead of connecting to a normal server name that defenders can seize, sinkhole, or block, the malware talks through TON’s encrypted overlay. Think of it like swapping a storefront address for a meeting point inside a maze — defenders can still see movement, but pinning it to a takedown target gets much harder. (threatfabric.com)

### What can the operators do now?

More networking than before. The new command set includes curl, ping, telnet, traceroute, DNS lookup, SSH tunneling, remote and local port forwarding, and authenticated SOCKS5 proxy support. That means an infected phone is no longer just a place to steal banking credentials from. It can also become a programmable relay node — a way to bounce traffic, probe internal resources, or mask where follow-on activity is coming from. (threatfabric.com)

### Who is getting targeted?

The campaigns ThreatFabric described were aimed at banking and cryptocurrency wallet users in France, Italy, and Austria. The company also says the malware targets banking, fintech, wallet, and authenticator applications more broadly. BleepingComputer notes that the malware has been disguised as TikTok and streaming apps, which fits the usual mobile-banking-malware pattern — lure the user into sideloading something that looks harmless, then pressure them into granting accessibility access. (threatfabric.com)

### Why are banks worried about “authenticator” apps too?

Because stealing the password is no longer the hard part. Modern fraud controls lean on second factors, push approvals, and one-time codes. TrickMo’s whole design is about living on the victim’s phone long enough to see those prompts, suppress the alerts, capture the codes, and steer the session in real time. If the same infected device holds the bank app and the authenticator app, the attacker gets a much cleaner path through defenses that were meant to stop account takeover. (threatfabric.com)

### Is this a one-off spike or a broader trend?

It looks more like the next step in a trend. TrickMo has been around since 2019 and has stayed in active development, with researchers documenting dozens of variants and droppers over time. The interesting part now is not just that it still exists — it’s that operators are moving toward more resilient infrastructure and deeper device control, which suggests mobile banking malware crews are investing in durability, not smash-and-grab runs. (threatfabric.com)

### Bottom line?

The big story is not “another Android banker showed up.” The big story is that TrickMo’s operators seem to be rebuilding their malware around infrastructure that is harder to map, block, and dismantle. For banks and incident teams, that means hunting behavior on the device and in the fraud flow matters more than hoping network takedowns will save the day. (threatfabric.com) (bleepingcomputer.com)
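The "What can the operators do now?" and "Bottom line" sections make the practical point for a detection team: a handset that starts speaking SSH outbound or accepting SOCKS5 greetings is behaving like a relay, not a phone. The script below is an added example written for this briefing, not ThreatFabric's tooling or anything taken from the malware. It assumes a constructed flow-log format (initiator, responder, protocol, and the first payload bytes sent by the initiator), an assumed phone address range of 10.50.0.0/16, and documentation IP addresses for the external hosts; the protocol checks themselves follow the public SOCKS5 (RFC 1928) and SSH (RFC 4253) handshake formats.

```python
"""Triage mobile-segment flows for tunnel and proxy behaviour.

Added example for this briefing (not ThreatFabric's or the malware's code).
Flow records are a constructed format: a collector that exports the first
bytes sent by the connection initiator. The phone subnet is an assumption.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

# Assumed address range of the BYOD/phone segment (placeholder value).
MOBILE_NET = ipaddress.ip_network("10.50.0.0/16")


@dataclass(frozen=True)
class Flow:
    src: str        # initiating host
    sport: int
    dst: str        # responding host
    dport: int
    proto: str      # "tcp" or "udp"
    payload: bytes  # first bytes sent by the initiator, if captured


def is_mobile(ip: str) -> bool:
    return ipaddress.ip_address(ip) in MOBILE_NET


def is_socks5_greeting(p: bytes) -> bool:
    """RFC 1928 client greeting: VER=0x05, NMETHODS=n, then exactly n method bytes."""
    return len(p) >= 3 and p[0] == 0x05 and len(p) == 2 + p[1]


def is_ssh_banner(p: bytes) -> bool:
    """RFC 4253 identification string that each SSH peer sends at connection start."""
    return p.startswith(b"SSH-2.0-") or p.startswith(b"SSH-1.99-")


def classify(flow: Flow) -> list[str]:
    """Return the behaviours a single flow exhibits (empty list when benign)."""
    findings: list[str] = []
    if flow.proto != "tcp":
        return findings
    src_mobile, dst_mobile = is_mobile(flow.src), is_mobile(flow.dst)
    # A handset opening an SSH session outbound: consistent with SSH tunneling
    # or remote port forwarding, which ordinary phone apps do not do.
    if src_mobile and is_ssh_banner(flow.payload):
        findings.append("mobile-initiated-ssh")
    # Someone sending a SOCKS5 greeting *to* a phone: the phone is acting as a proxy.
    if dst_mobile and is_socks5_greeting(flow.payload):
        findings.append("mobile-acting-as-socks5-server")
    # Any externally initiated connection that a phone accepts is worth a look;
    # handsets are clients, not servers.
    if dst_mobile and not src_mobile:
        findings.append("inbound-connection-to-mobile")
    return findings


def triage(flows: list[Flow]) -> dict[str, list[str]]:
    """Group findings per handset so an analyst knows which devices to pull for forensics."""
    report: dict[str, set[str]] = {}
    for f in flows:
        hits = classify(f)
        if not hits:
            continue
        phone = f.src if is_mobile(f.src) else f.dst
        report.setdefault(phone, set()).update(hits)
    return {phone: sorted(hits) for phone, hits in report.items()}


# Constructed sample flows (documentation IPs for the non-phone side).
SAMPLE_FLOWS = [
    Flow("10.50.1.20", 40312, "203.0.113.5", 22, "tcp", b"SSH-2.0-OpenSSH_9.6\r\n"),
    Flow("198.51.100.7", 51000, "10.50.1.20", 1080, "tcp", b"\x05\x02\x00\x02"),
    Flow("10.50.2.9", 44120, "93.184.216.34", 443, "tcp", b"\x16\x03\x01\x02\x00"),
    Flow("192.0.2.10", 33001, "10.50.2.9", 5555, "tcp", b""),
]

if __name__ == "__main__":
    for phone, hits in triage(SAMPLE_FLOWS).items():
        print(phone, ", ".join(hits))
```

The checks only see the cleartext edges of the activity: once the SSH tunnel or the TON overlay is up, the payload is encrypted, and the example deliberately makes no claim about what TON's own packets look like, since the briefing gives no such detail. That is the same limitation the article draws its conclusion from, so treat a hit here as a reason to pull the device for on-handset review (installed sideloaded apps, accessibility-service grants) rather than as a complete detection on its own.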
