TrickMo Android Malware Targets Banking and Authenticator Apps

By David kimber, May 12, 2026

Key Takeaways

  • A sophisticated new variant of the TrickMo Android banking malware has emerged, featuring enhanced stealth and control capabilities.
  • The malware actively targets users of banking, digital wallet, and authenticator applications across Europe, specifically in France, Italy, and Austria.
  • TrickMo spreads via deceptive apps, gains full device control through abused accessibility permissions, and communicates with attackers via the decentralized TON network, making detection and takedown difficult.
  • The threat includes screen recording, keystroke logging, SMS interception, and OTP suppression, effectively bypassing multi-factor authentication and traditional fraud detection.
  • There is no patch to apply, since this is malware rather than a vulnerability; refusing risky permission requests, installing only from trusted stores, and mobile threat detection are the available mitigations.

A significantly more evasive variant of the TrickMo Android banking malware has been identified, posing a severe threat to users of mobile banking and financial applications. This iteration, first tracked by analysts in early 2026, is a substantial overhaul of the existing TrickMo platform and is considerably harder to detect and neutralize than its predecessors.

The malware is currently used in active campaigns targeting users of banking applications, digital wallets, and authenticator tools across Europe, with victims observed in France, Italy, and Austria. According to a recent report by ThreatFabric’s Mobile Threat Intelligence Team, this surge in activity puts sensitive financial data and account access at significant risk.

Distribution of this new TrickMo variant primarily occurs through fraudulent applications. These include counterfeit TikTok apps disseminated via Facebook advertising campaigns and a deceptive application masquerading as “Live Streaming.” Once installed, TrickMo employs social engineering tactics to trick users into granting broad accessibility permissions on their Android devices. This critical step effectively hands over complete control of the device to the attacker, transforming the victim’s smartphone into a remote-controlled instrument for criminal operations.

Advanced Evasion and Attack Capabilities

ThreatFabric analysts, who began tracking this variant between January and February 2026, emphasize that this is not an entirely new malware family but rather a deliberate and extensive platform upgrade. The new strain appears to be systematically replacing older TrickMo versions in ongoing operator campaigns.

This iteration of TrickMo is particularly concerning due to its expanded set of malicious functionalities. Beyond mere credential theft, it can record device screens, log keystrokes, intercept SMS messages, and silently suppress one-time password (OTP) notifications before the user ever sees them. This allows attackers to monitor user activity in real time, replay gestures, and directly interact with the compromised device, making fraudulent transactions significantly harder for victims and financial institutions to detect.

Furthermore, the new variant transforms infected devices into programmable network nodes. It leverages built-in SSH tunneling and an authenticated on-device SOCKS5 proxy to route malicious traffic. This sophisticated technique makes it appear as though illicit activities originate from the victim’s own network, effectively bypassing many traditional fraud detection systems employed by banks and cryptocurrency exchanges.

TrickMo’s Expanding Attack Surface

TrickMo is classified as device-takeover malware: it grants attackers full, interactive control over an infected smartphone. It does this by abusing Android’s accessibility service, a legitimate feature built to assist users with disabilities, rather than by exploiting a software vulnerability. A malicious app that holds this permission can read virtually everything displayed on the screen and interact with it, including injecting taps and text on the attacker’s behalf.

Upon activation, TrickMo deploys full-screen overlay pages that meticulously mimic legitimate banking applications. As users innocently input their credentials into these convincing fake interfaces, TrickMo captures every keystroke and exfiltrates the data to the attacker’s command-and-control (C2) infrastructure in the background.

A critical component of its stealth capabilities is its ability to intercept and suppress incoming SMS messages and push notifications. This includes those containing one-time passwords, severely compromising the effectiveness of two-factor authentication (2FA) once a device is infected. Victims remain unaware that their crucial verification messages are being silently redirected and exploited.
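Because the whole takeover chain hinges on one permission grant, the first question in triage is simply which apps hold accessibility access and where they came from. The script below is an added example written for this article (it is not ThreatFabric's tooling or anything from the report): it parses the output of two standard adb commands, `settings get secure enabled_accessibility_services` and `pm list packages -i`, and flags every accessibility holder outside an allowlist, singling out apps that Google Play did not install. The two sample outputs and the allowlist are constructed; replace the allowlist with the accessibility apps your fleet actually uses.

```python
"""Audit which apps hold Android accessibility access, via adb output.

Added example (not from the article or ThreatFabric's report). It parses two
adb commands and flags third-party packages holding accessibility access,
distinguishing those not installed by Google Play. The two sample outputs are
constructed; the allowlist is an assumption you should replace with your own.
"""
import shutil
import subprocess
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

PLAY_STORE = "com.android.vending"

# Constructed sample of: adb shell settings get secure enabled_accessibility_services
SAMPLE_ENABLED = (
    "com.android.talkback/com.google.android.marvin.talkback.TalkBackService:"
    "uncle.collop416.wifekin78/.AccessService"
)

# Constructed sample of: adb shell pm list packages -i
SAMPLE_PACKAGES = """\
package:com.android.talkback  installer=com.android.vending
package:com.bank.example  installer=com.android.vending
package:uncle.collop416.wifekin78  installer=null
package:com.app16330.core20461  installer=com.android.packageinstaller
"""


@dataclass
class Finding:
    package: str
    service: str
    installer: Optional[str]
    reason: str


def parse_enabled_services(raw: str) -> List[Tuple[str, str]]:
    """'pkg/Svc:pkg2/.Svc' -> [(pkg, fully qualified service class), ...]."""
    raw = raw.strip()
    if raw in ("", "null"):          # setting unset: no services enabled
        return []
    out = []
    for entry in raw.split(":"):
        if "/" not in entry:
            continue
        pkg, svc = entry.split("/", 1)
        if svc.startswith("."):      # shorthand relative to the package name
            svc = pkg + svc
        out.append((pkg, svc))
    return out


def parse_installers(raw: str) -> Dict[str, Optional[str]]:
    """'package:<name>  installer=<source|null>' lines -> {name: source}."""
    result: Dict[str, Optional[str]] = {}
    for line in raw.splitlines():
        line = line.strip()
        if not line.startswith("package:"):
            continue
        name, _, rest = line[len("package:"):].partition("installer=")
        installer = rest.strip()
        # Pre-installed system apps also report null; allowlist them by name.
        result[name.strip()] = None if installer in ("", "null") else installer
    return result


def audit(enabled_raw: str, packages_raw: str,
          allowlist=frozenset({"com.android.talkback"})) -> List[Finding]:
    """Flag every accessibility holder outside the allowlist; sideloaded ones are worst."""
    installers = parse_installers(packages_raw)
    findings = []
    for pkg, svc in parse_enabled_services(enabled_raw):
        if pkg in allowlist:
            continue
        installer = installers.get(pkg)
        if installer == PLAY_STORE:
            reason = "accessibility held by a Play-installed app not on the allowlist; verify"
        else:
            reason = "accessibility held by a sideloaded or unknown-origin app; treat as takeover risk"
        findings.append(Finding(pkg, svc, installer, reason))
    return findings


def adb_shell(*args: str) -> str:
    """Run one `adb shell` command and return its stdout (requires a connected device)."""
    return subprocess.run(["adb", "shell", *args], capture_output=True,
                          text=True, check=True).stdout


if __name__ == "__main__":
    if shutil.which("adb"):
        enabled = adb_shell("settings", "get", "secure", "enabled_accessibility_services")
        packages = adb_shell("pm", "list", "packages", "-i")
    else:
        enabled, packages = SAMPLE_ENABLED, SAMPLE_PACKAGES
    for f in audit(enabled, packages):
        print(f"{f.package} ({f.service}) installer={f.installer}: {f.reason}")
```

On the constructed data only `uncle.collop416.wifekin78` is reported, with no recorded installer, which is exactly the profile of a sideloaded TrickMo host app. Note that genuine system apps also show `installer=null`, so keep the allowlist current rather than treating every null as hostile.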

Beyond its initial credential harvesting, TrickMo loads a runtime module named dex.module. This module, dynamically fetched from attacker-controlled infrastructure and injected into the running process, delivers the malware’s core remote-control engine. This dynamic loading makes the malware more resilient to detection by conventional static security scans.

Command-and-Control Through the TON Network

Perhaps the most significant advancement in this variant is its approach to command-and-control (C2). Previous versions relied on ordinary internet infrastructure, which is comparatively easy to trace and take down; the new variant routes its C2 traffic through The Open Network (TON), a decentralized peer-to-peer overlay network that offers a high degree of anonymity and resilience.

Instead of connecting to conventional web addresses, which can be identified and blocked, TrickMo uses .adnl endpoints. These addresses are resolved entirely within the TON network and do not exist in the public DNS, so the usual domain takedown and DNS-blocking strategies have nothing to act on: security teams cannot cut the connection by sinkholing a malicious domain.

For the clear-net connections it still needs, TrickMo resolves names through a DNS-over-HTTPS (DoH) service rather than the device’s default resolver, so the domains it queries are invisible to most network monitoring tools. The rest of its traffic blends in with legitimate TON activity, making it exceedingly difficult to pick out at the network level.
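Even though the .adnl endpoints never hit the corporate resolver, that absence is itself observable. The script below is an added example written for this article, not code from ThreatFabric or the report, and it turns the two behaviours described above into a hunting heuristic over resolver and flow logs: a device that (a) talks to a public DoH resolver and (b) opens connections to many external addresses that never appeared in an answer from the monitored resolver looks like a host using an out-of-band naming system. The log records, IP addresses (documentation ranges), DoH hostname list and thresholds are all constructed or assumed; tune them to your own baseline.

```python
"""Hunt for hosts whose C2 never touches your DNS (TON/.adnl-style C2 plus DoH).

Added example, not from the article or ThreatFabric. Two network-level signals
from the description above: (a) the device talks to a public DNS-over-HTTPS
resolver, bypassing the monitored resolver; (b) it connects to many external
addresses that never appeared in an answer from the monitored resolver, which
is what a peer-to-peer overlay with its own naming looks like from outside.
Log records, IP addresses, the DoH list and thresholds are constructed/assumed.
"""
import ipaddress
from collections import defaultdict
from typing import Dict

# Hostnames of well-known public DoH resolvers (extend for your environment).
DOH_HOSTS = {"dns.google", "cloudflare-dns.com", "dns.quad9.net"}

LOCAL_NETS = [ipaddress.ip_network(n)
              for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed resolver log: (timestamp, client_ip, qname, answer_ip)
DNS_LOG = [
    (1, "10.0.0.7", "www.example.com", "203.0.113.10"),
    (2, "10.0.0.23", "dns.google", "203.0.113.53"),   # bootstrap lookup of the DoH host
    (3, "10.0.0.7", "cdn.example.net", "203.0.113.11"),
]

# Constructed flow log: (timestamp, src_ip, dst_ip, dst_port, proto, tls_sni)
FLOWS = [
    (1, "10.0.0.7", "203.0.113.10", 443, "tcp", "www.example.com"),
    (2, "10.0.0.23", "203.0.113.53", 443, "tcp", "dns.google"),   # DoH session
    (3, "10.0.0.7", "203.0.113.11", 443, "tcp", "cdn.example.net"),
    (4, "10.0.0.7", "198.51.100.9", 123, "udp", ""),               # hard-coded NTP, harmless
] + [
    # six peers the phone reached without any DNS lookup at all
    (10 + i, "10.0.0.23", f"198.51.100.{i}", 30000 + i, "udp", "") for i in range(1, 7)
]


def is_local(ip: str) -> bool:
    """True for RFC 1918 addresses; peers inside the LAN are not overlay peers."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in LOCAL_NETS)


def detect(dns_log, flows, min_unresolved: int = 5) -> Dict[str, dict]:
    """Per source host: DoH resolvers used, count of never-resolved external peers, verdict."""
    resolved: Dict[str, set] = defaultdict(set)
    for _ts, client, _qname, answer in dns_log:
        resolved[client].add(answer)

    hosts = defaultdict(lambda: {"doh": set(), "unresolved": set()})
    for _ts, src, dst, port, _proto, sni in flows:
        if port == 443 and sni in DOH_HOSTS:
            hosts[src]["doh"].add(sni)
        elif not is_local(dst) and dst not in resolved[src]:
            hosts[src]["unresolved"].add(dst)

    report = {}
    for host, h in hosts.items():
        n = len(h["unresolved"])
        # DoH plus a cluster of unresolved peers, or a large cluster on its own.
        suspicious = (bool(h["doh"]) and n >= min_unresolved) or n >= 3 * min_unresolved
        report[host] = {"doh": sorted(h["doh"]), "unresolved": n, "suspicious": suspicious}
    return report


if __name__ == "__main__":
    for host, r in detect(DNS_LOG, FLOWS).items():
        print(host, r)
```

On the constructed logs the phone at 10.0.0.23 is flagged (DoH plus six never-resolved UDP peers) while the laptop at 10.0.0.7, with a single hard-coded NTP destination, is not. A production version should respect ordering (only count a destination as resolved if the answer preceded the flow) and baseline per-host peer counts, because some legitimate P2P and CDN clients also reach hard-coded addresses.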

What You Should Do

  • Avoid Sideloading Apps: Only download applications from official and trusted sources like the Google Play Store. Avoid installing apps from third-party websites, unknown links, or suspicious advertisements.
  • Exercise Caution with Permissions: Never grant accessibility permissions to applications unless you fully understand their purpose and absolutely trust the developer. Accessibility services offer powerful control and are frequently abused by malware.
  • Keep Devices Updated: Regularly update your Android operating system and all installed applications. These updates often include critical security patches that protect against known vulnerabilities.
  • Use Mobile Security Solutions: Implement reputable mobile threat detection and antivirus software on your Android devices. For financial institutions, deploy advanced mobile threat detection capable of identifying anomalous accessibility usage and unusual outbound tunneling behaviors.
  • Be Skeptical of Social Engineering: Be wary of unsolicited messages, emails, or social media campaigns promoting “exclusive” or “adult” versions of popular apps like TikTok. These are common lures for malware distribution.
  • Monitor Financial Accounts: Regularly review your banking, digital wallet, and cryptocurrency exchange statements for any suspicious or unauthorized transactions. Report any anomalies to your financial institution immediately.

Indicators of Compromise (IoCs)

Type          Indicator                                                          Description
SHA-256       01889a9ec2abecb73e5e8792be68a4e3bc7dcbe1c3f19ac06763682d63aa8c21   TrickMo dropper, com.app16330.core20461 (TikTokApp18+)
SHA-256       177ef86c57c31b29850227dbc8288b735bea977587f2f0a49cfc4089a644a2c4   TrickMo dropper, com.app15318.core1173 (TikTokApp18+)
SHA-256       e2e218ddf698b4c0099fd2a9619d6912a71f75beb51669a4e3ae4fc71f745d03   TrickMo host application, uncle.collop416.wifekin78 (poses as Google Play Services)
SHA-256       749bbcbc3e5d2d524344d52b6471dfa7b8d3ecdeb0b11ab82c843d497a056c8f   TrickMo host application, nibong.lida531.butler836 (poses as Google Play Services)
SHA-256       143c0e12d2aa1bdecde59f273139dd5605d00f61cda7f626224e07390119c026   Dex module (old variant), dex.module
SHA-256       4cd8635062ff6b0885216a0b1658ebcb2938b670f7ac08ecb0b5fb85d8973ea0   Dex module (new variant), dex.module
Package name  com.app16330.core20461                                             TrickMo dropper disguised as TikTokApp18+
Package name  com.app15318.core1173                                              TrickMo dropper disguised as TikTokApp18+
Package name  uncle.collop416.wifekin78                                          TrickMo host application disguised as Google Play Services
Package name  nibong.lida531.butler836                                           TrickMo host application disguised as Google Play Services
Package name  dex.module                                                         Runtime-loaded offensive DEX module
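To put the table to work, the script below is an added example written for this article (not ThreatFabric's or the article's own tooling). It hashes pulled APK files and matches the digests against the SHA-256 column, and matches installed package names from plain `adb shell pm list packages` output against the package-name column. The hashes and names are exactly those in the table; the demo input file and package list are constructed. To collect real input, run `adb shell pm path <pkg>` for each package of interest and `adb pull` the returned path.

```python
"""Check pulled APKs and the installed-package list against the IoCs above.

Added example, not from the article or ThreatFabric. The hashes and package
names come from the IoC table; the demo input file and package list are
constructed. Collect real input with `adb shell pm list packages` and, per
package, `adb shell pm path <pkg>` followed by `adb pull`.
"""
import hashlib
import tempfile
from pathlib import Path
from typing import Dict, Iterable, List, Tuple

IOC_SHA256: Dict[str, str] = {
    "01889a9ec2abecb73e5e8792be68a4e3bc7dcbe1c3f19ac06763682d63aa8c21": "TrickMo dropper com.app16330.core20461 (TikTokApp18+)",
    "177ef86c57c31b29850227dbc8288b735bea977587f2f0a49cfc4089a644a2c4": "TrickMo dropper com.app15318.core1173 (TikTokApp18+)",
    "e2e218ddf698b4c0099fd2a9619d6912a71f75beb51669a4e3ae4fc71f745d03": "TrickMo host app uncle.collop416.wifekin78 (fake Google Play Services)",
    "749bbcbc3e5d2d524344d52b6471dfa7b8d3ecdeb0b11ab82c843d497a056c8f": "TrickMo host app nibong.lida531.butler836 (fake Google Play Services)",
    "143c0e12d2aa1bdecde59f273139dd5605d00f61cda7f626224e07390119c026": "dex.module (old variant)",
    "4cd8635062ff6b0885216a0b1658ebcb2938b670f7ac08ecb0b5fb85d8973ea0": "dex.module (new variant)",
}

IOC_PACKAGES: Dict[str, str] = {
    "com.app16330.core20461": "TrickMo dropper (TikTokApp18+)",
    "com.app15318.core1173": "TrickMo dropper (TikTokApp18+)",
    "uncle.collop416.wifekin78": "TrickMo host app (fake Google Play Services)",
    "nibong.lida531.butler836": "TrickMo host app (fake Google Play Services)",
}


def sha256_file(path: Path) -> str:
    """Stream the file in 1 MiB chunks so large APKs do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_files(paths: Iterable[Path],
               iocs: Dict[str, str] = IOC_SHA256) -> List[Tuple[str, str, str]]:
    """Return (path, sha256, description) for every file whose digest is an IoC."""
    hits = []
    for p in paths:
        digest = sha256_file(p)
        if digest in iocs:
            hits.append((str(p), digest, iocs[digest]))
    return hits


def scan_package_list(raw: str,
                      iocs: Dict[str, str] = IOC_PACKAGES) -> List[Tuple[str, str]]:
    """Parse `pm list packages` output ('package:<name>' per line) and match names."""
    hits = []
    for line in raw.splitlines():
        line = line.strip()
        if not line.startswith("package:"):
            continue
        fields = line[len("package:"):].split()
        if fields and fields[0] in iocs:
            hits.append((fields[0], iocs[fields[0]]))
    return hits


def demo() -> dict:
    """Self-contained run on constructed input; shows both a miss and a hit."""
    with tempfile.TemporaryDirectory() as d:
        benign = Path(d) / "benign.apk"
        # Constructed placeholder bytes, not a real APK.
        benign.write_bytes(b"PK\x03\x04 constructed placeholder, not a real APK")
        miss = scan_files([benign])
        # Inject the benign file's own digest to exercise the match path.
        hit = scan_files([benign], {**IOC_SHA256, sha256_file(benign): "test entry"})
    # Constructed `pm list packages` output with one listed dropper name.
    pkg_hits = scan_package_list("package:com.bank.example\npackage:com.app16330.core20461\n")
    return {"miss": miss, "hit": hit, "packages": pkg_hits}


if __name__ == "__main__":
    print(demo())
```

A hash hit is conclusive for the listed samples but a miss proves little, since the operators repackage droppers frequently; the package-name check catches re-signed builds of the same apps, and the accessibility audit earlier in this article catches what both miss.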
