TrickMo Android Malware Targets Banking and Authenticator Apps
Key Takeaways A sophisticated new variant of the TrickMo Android banking malware has emerged, featuring enhanced stealth and control capabilities. The malware actively targets users of banking,...
Key Takeaways
- A sophisticated new variant of the TrickMo Android banking malware has emerged, featuring enhanced stealth and control capabilities.
- The malware actively targets users of banking, digital wallet, and authenticator applications across Europe, specifically in France, Italy, and Austria.
- TrickMo spreads via deceptive apps, gains full device control through abused accessibility permissions, and communicates with attackers via the decentralized TON network, making detection and takedown difficult.
- The threat includes screen recording, keystroke logging, SMS interception, and OTP suppression, effectively bypassing multi-factor authentication and traditional fraud detection.
- No direct patch is available for the malware itself; user vigilance and robust mobile threat detection solutions are critical for mitigation.
A highly advanced and significantly more evasive variant of the TrickMo Android banking malware has been identified, posing a severe threat to mobile banking and financial application users. This updated iteration, first tracked by analysts in early 2026, represents a substantial overhaul of the existing TrickMo platform, making it considerably more challenging to detect and neutralize than its predecessors.
Table Of Content
The malware is currently engaged in active campaigns targeting individuals utilizing banking applications, digital wallets, and authenticator tools across Europe, specifically observed in France, Italy, and Austria. This surge in activity places sensitive financial data and account access at significant risk, according to a recent report by ThreatFabric’s Mobile Threat Intelligence Team.
Distribution of this new TrickMo variant primarily occurs through fraudulent applications. These include counterfeit TikTok apps disseminated via Facebook advertising campaigns and a deceptive application masquerading as “Live Streaming.” Once installed, TrickMo employs social engineering tactics to trick users into granting broad accessibility permissions on their Android devices. This critical step effectively hands over complete control of the device to the attacker, transforming the victim’s smartphone into a remote-controlled instrument for criminal operations.
Advanced Evasion and Attack Capabilities
ThreatFabric analysts, who began tracking this variant between January and February 2026, emphasize that this is not an entirely new malware family but rather a deliberate and extensive platform upgrade. The new strain appears to be systematically replacing older TrickMo versions in ongoing operator campaigns.
This iteration of TrickMo is particularly concerning due to its expanded set of malicious functionalities. Beyond mere credential theft, it can record device screens, log keystrokes, intercept SMS messages, and silently suppress one-time password (OTP) notifications before the user ever sees them. This allows attackers to monitor user activity in real time, replay gestures, and directly interact with the compromised device, making fraudulent transactions significantly harder for victims and financial institutions to detect.
Furthermore, the new variant transforms infected devices into programmable network nodes. It leverages built-in SSH tunneling and an authenticated on-device SOCKS5 proxy to route malicious traffic. This sophisticated technique makes it appear as though illicit activities originate from the victim’s own network, effectively bypassing many traditional fraud detection systems employed by banks and cryptocurrency exchanges.
TrickMo’s Expanding Attack Surface
TrickMo is classified as Device Takeover malware, meaning it grants attackers full, interactive control over an infected smartphone. It achieves this by exploiting Android’s accessibility service, a legitimate built-in feature designed to assist users with disabilities. When abused, this service allows a malicious application to read and interact with virtually everything displayed on the screen.
Upon activation, TrickMo deploys full-screen overlay pages that meticulously mimic legitimate banking applications. As users innocently input their credentials into these convincing fake interfaces, TrickMo captures every keystroke and exfiltrates the data to the attacker’s command-and-control (C2) infrastructure in the background.
A critical component of its stealth capabilities is its ability to intercept and suppress incoming SMS messages and push notifications. This includes those containing one-time passwords, severely compromising the effectiveness of two-factor authentication (2FA) once a device is infected. Victims remain unaware that their crucial verification messages are being silently redirected and exploited.
Beyond its initial credential harvesting, TrickMo loads a runtime module named dex.module. This module, dynamically fetched from attacker-controlled infrastructure and injected into the running process, delivers the malware’s core remote-control engine. This dynamic loading makes the malware more resilient to detection by conventional static security scans.
Command-and-Control Through the TON Network
Perhaps the most significant advancement in this new TrickMo variant is its novel approach to command-and-control (C2) communication. Unlike previous versions that relied on standard internet infrastructure, which is more susceptible to tracing and takedown efforts, TrickMo now routes all its communications through The Open Network (TON). TON is a decentralized peer-to-peer overlay network, offering a high degree of anonymity and resilience.
Instead of connecting to conventional web addresses, which can be identified and blocked, TrickMo utilizes .adnl endpoints. These addresses are resolved entirely within the TON network and do not exist within the public internet’s domain name system. This design renders traditional domain takedown strategies largely ineffective, as security teams cannot simply cut the connection by blocking a standard malicious domain.
To further obscure its network activity, TrickMo replaces the device’s default DNS resolver with a DNS-over-HTTPS (DoH) service for any remaining clear-net connections. This technique hides the domains the malware queries from most network monitoring tools. The resulting traffic blends seamlessly with other legitimate TON activity, making it exceedingly difficult to detect at the network level.
What You Should Do
- Avoid Sideloading Apps: Only download applications from official and trusted sources like the Google Play Store. Avoid installing apps from third-party websites, unknown links, or suspicious advertisements.
- Exercise Caution with Permissions: Never grant accessibility permissions to applications unless you fully understand their purpose and absolutely trust the developer. Accessibility services offer powerful control and are frequently abused by malware.
- Keep Devices Updated: Regularly update your Android operating system and all installed applications. These updates often include critical security patches that protect against known vulnerabilities.
- Use Mobile Security Solutions: Implement reputable mobile threat detection and antivirus software on your Android devices. For financial institutions, deploy advanced mobile threat detection capable of identifying anomalous accessibility usage and unusual outbound tunneling behaviors.
- Be Skeptical of Social Engineering: Be wary of unsolicited messages, emails, or social media campaigns promoting “exclusive” or “adult” versions of popular apps like TikTok. These are common lures for malware distribution.
- Monitor Financial Accounts: Regularly review your banking, digital wallet, and cryptocurrency exchange statements for any suspicious or unauthorized transactions. Report any anomalies to your financial institution immediately.
Indicators of Compromise (IoCs):-
| Type | Indicator | Description |
|---|---|---|
| SHA-256 | 01889a9ec2abecb73e5e8792be68a4e3bc7dcbe1c3f19ac06763682d63aa8c21 | TrickMo Dropper — com.app16330.core20461 (TikTokApp18+) |
| SHA-256 | 177ef86c57c31b29850227dbc8288b735bea977587f2f0a49cfc4089a644a2c4 | TrickMo Dropper — com.app15318.core1173 (TikTokApp18+) |
| SHA-256 | e2e218ddf698b4c0099fd2a9619d6912a71f75beb51669a4e3ae4fc71f745d03 | TrickMo Host Application — uncle.collop416.wifekin78 (Google Play Services) |
| SHA-256 | 749bbcbc3e5d2d524344d52b6471dfa7b8d3ecdeb0b11ab82c843d497a056c8f | TrickMo Host Application — nibong.lida531.butler836 (Google Play Services) |
| SHA-256 | 143c0e12d2aa1bdecde59f273139dd5605d00f61cda7f626224e07390119c026 | Dex Module (old variant) — dex.module |
| SHA-256 | 4cd8635062ff6b0885216a0b1658ebcb2938b670f7ac08ecb0b5fb85d8973ea0 | Dex Module (new variant) — dex.module |
| Package Name | com.app16330.core20461 | TrickMo Dropper disguised as TikTokApp18+ |
| Package Name | com.app15318.core1173 | TrickMo Dropper disguised as TikTokApp18+ |
| Package Name | uncle.collop416.wifekin78 | TrickMo Host Application disguised as Google Play Services |
| Package Name | nibong.lida531.butler836 | TrickMo Host Application disguised as Google Play Services |
| Package Name | dex.module | Runtime-loaded offensive DEX module |
Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.



No Comment! Be the first one.