TrickMo Android trojan uses TON, SOCKS5 to pivot phones

A TrickMo Android trojan variant uses The Open Network for C2, adds SOCKS5 proxy and SSH tunneling to route traffic through infected phones, targeting banking and crypto users in France, Italy and Austria.

A new TrickMo Android trojan variant uses The Open Network (TON) for command-and-control and adds SOCKS5 proxying and SSH tunneling to route traffic through infected phones. ThreatFabric observed the variant between January and February 2026 and identified active targeting of banking and cryptocurrency wallet users in France, Italy and Austria.

Operators deliver TrickMo through phishing websites and dropper apps that impersonate an adult version of TikTok. The dropper downloads a runtime-loaded APK module named dex.module from attacker-controlled infrastructure. Observed dropper package names include com.app16330.core20461 and com.app15318.core1173, while payload packages appeared as uncle.collop416.wifekin78 and nibong.lida531.butler836.

The dex.module adds network reconnaissance and remote-network tools. It accepts commands such as curl, dnslookup, ping, telnet and traceroute, providing a remote shell-like capability to examine the victim’s current network, including any internal corporate or home networks the device is connected to, according to ThreatFabric.

The module implements SSH tunneling and an authenticated SOCKS5 proxy that lets an operator route traffic through the compromised phone as an exit node. Researchers warned routing traffic through a victim’s device can help attackers bypass IP-based fraud checks used by banks, e-commerce sites and cryptocurrency exchanges.
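For defenders triaging traffic to or from a phone, the authenticated SOCKS5 behaviour described above leaves a recognisable byte-level signature (RFC 1928 greeting and request, RFC 1929 username/password sub-negotiation). The decoder below is an added example written for this article, not TrickMo's or ThreatFabric's code; the sample payloads are constructed, and the username, password and destination are placeholders.

```python
import ipaddress

def parse_greeting(data: bytes):
    """RFC 1928 greeting VER NMETHODS METHODS -> list of offered auth methods, else None."""
    if len(data) < 2 or data[0] != 0x05 or len(data) != 2 + data[1]:
        return None
    return list(data[2:])

def parse_userpass(data: bytes):
    """RFC 1929 sub-negotiation VER(1) ULEN UNAME PLEN PASSWD -> (user, password), else None."""
    if len(data) < 3 or data[0] != 0x01 or len(data) < 3 + data[1]:
        return None
    ulen, plen = data[1], data[2 + data[1]]
    if len(data) != 3 + ulen + plen:
        return None
    return data[2:2 + ulen].decode("utf-8", "replace"), data[3 + ulen:].decode("utf-8", "replace")

def parse_request(data: bytes):
    """RFC 1928 request VER CMD RSV ATYP DST.ADDR DST.PORT -> (cmd, host, port), else None."""
    try:
        if data[0] != 0x05 or data[2] != 0x00:
            return None
        cmd, atyp = data[1], data[3]
        if atyp == 0x01:    # IPv4 address
            host, end = str(ipaddress.IPv4Address(data[4:8])), 8
        elif atyp == 0x03:  # length-prefixed domain name
            host, end = data[5:5 + data[4]].decode("utf-8", "replace"), 5 + data[4]
        elif atyp == 0x04:  # IPv6 address
            host, end = str(ipaddress.IPv6Address(data[4:20])), 20
        else:
            return None
        if len(data) != end + 2:  # exactly one request per payload
            return None
        cmd_name = {1: "CONNECT", 2: "BIND", 3: "UDP_ASSOCIATE"}.get(cmd, f"CMD_{cmd}")
        return cmd_name, host, int.from_bytes(data[end:], "big")
    except (IndexError, ValueError):  # truncated payload or malformed address
        return None

def classify(payload: bytes) -> str:
    """Label one payload; requests are tried first because greetings also start 0x05."""
    if req := parse_request(payload):
        return f"socks5-{req[0].lower()} {req[1]}:{req[2]}"
    if (methods := parse_greeting(payload)) is not None:
        return "socks5-greeting-userpass" if 0x02 in methods else "socks5-greeting"
    if creds := parse_userpass(payload):
        return f"socks5-userpass user={creds[0]}"
    return "other"

# Constructed sample payloads (not real captures): user/pass greeting, credentials, CONNECT to example.com:443.
SAMPLE_SESSION = [b"\x05\x02\x00\x02", b"\x01\x04oper\x06secret", b"\x05\x01\x00\x03\x0bexample.com\x01\xbb"]
```

A greeting offering method 0x02 followed by a CONNECT to an external host on a device that has no business serving proxies is the sequence worth alerting on; the decoder deliberately rejects payloads that are not exactly one handshake message, so stray 0x05 bytes in ordinary traffic are not misreported.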

TrickMo embeds a native TON proxy that the host APK starts on a loopback port at process start. The trojan’s HTTP client is configured to address C2 requests to .adnl hostnames resolved through the TON overlay instead of using conventional DNS and public internet routes, ThreatFabric reported.

Earlier TrickMo variants abused Android accessibility services and a socket.io channel to hijack one-time passwords, stream screens live, log keystrokes and intercept SMS messages. Security teams first flagged TrickMo in late 2019 after CERT-Bund and IBM X-Force described its ability to steal OTPs via accessibility features.

The updated build retains credential phishing, keystroke logging, screen recording, live streaming and SMS interception functions. Analysts also found dormant code referencing the Pine hooking framework and extensive NFC permissions; those items are present in code but not active.

ThreatFabric described the changes as shifting TrickMo from a credential-theft-focused trojan to a managed foothold with explicit network-operational features and warned the architecture reduces the effectiveness of standard takedown and network-blocking measures.
