Severity: HIGH | CVSS: 7.5 | Priority: 0.643
Executive Summary
A new variant of the TrickMo Android banking trojan has replaced its command-and-control infrastructure with the TON blockchain, making it far more difficult for law enforcement and ISPs to disrupt via traditional DNS sinkholing, domain seizure, or infrastructure takedowns. The malware targets banking and cryptocurrency wallet users in France, Italy, and Austria through fake TikTok and streaming app downloads, stealing login credentials and one-time passcodes. Organizations with mobile-banking-dependent employees or customers in those regions face elevated credential theft risk with no straightforward network-level countermeasure available.
Plain & Simple
Here’s what you need to know.
No jargon. Just the basics.
Are you affected?
Probably, if you downloaded TikTok or a streaming app from outside the official app store on your Android phone.
What got out
Suspected: banking app usernames and passwords
Suspected: one-time codes sent to your phone for login
Suspected: cryptocurrency wallet login details
Do this now
1 Delete any TikTok or streaming app you did not install from the Google Play Store.
2 Change the passwords for your banking and cryptocurrency apps right now.
3 Contact your bank if you see any charges or login activity you did not make.
Watch for these
Login alerts from your bank for activity you did not do.
One-time codes arriving on your phone when you did not try to log in.
Money missing from your bank or crypto account without explanation.
Should you worry?
This is serious if you installed a fake app, but it only affects Android phones with apps downloaded outside the official store. If you only use apps from the Google Play Store, your risk is low.
Impact Assessment
CISA KEV Status
Not listed
Threat Severity
HIGH
High severity — prioritize for investigation
Actor Attribution
HIGH
TrickMo (tracked as Trickmo.C by ThreatFabric)
TTP Sophistication
HIGH
18 MITRE ATT&CK techniques identified
Detection Difficulty
HIGH
Multiple evasion techniques observed
Target Scope
INFO
Android devices; banking and cryptocurrency wallet applications; users in France, Italy, and Austria; delivery via TikTok and streaming app impersonation
Are You Exposed?
⚠
Your industry is targeted by TrickMo (tracked as Trickmo.C by ThreatFabric) → Heightened risk
⚠
You use Android devices to reach banking or cryptocurrency wallet applications, or you serve users in France, Italy, or Austria → Assess exposure
⚠
18 attack techniques identified — review your detection coverage for these TTPs
✓
Your EDR/XDR detects the listed IOCs and TTPs → Reduced risk
✓
You have incident response procedures for this threat type → Prepared
Assessment estimated from severity rating and threat indicators
Business Context
Banking and cryptocurrency wallet credentials stolen by TrickMo.C can result in direct financial losses for affected customers and employees, with fraud liability exposure for financial institutions operating in France, Italy, and Austria. Because the C2 channel is anchored in the TON blockchain rather than behind a registrable, seizable domain, organizations cannot rely on ISPs, registrars, or law enforcement to disrupt the campaign infrastructure; response rests on device policy, endpoint controls, and phishing-resistant authentication. Regulatory exposure exists under PSD2 and GDPR for financial institutions and processors in affected EU jurisdictions if customer credential compromise can be traced to inadequate mobile security controls.
You Are Affected If
Your employees or customers use Android devices to access banking or cryptocurrency wallet applications
Your organization operates in or serves users in France, Italy, or Austria
Managed or BYOD Android devices in your environment are permitted to sideload APKs from outside Google Play
Your mobile device management policy does not enforce application allowlisting or restrict unknown-source installs
Your authentication flows rely on SMS-based OTP without a fallback anti-interception control
Board Talking Points
A sophisticated Android trojan targeting banking and cryptocurrency apps in France, Italy, and Austria has moved its command-and-control channel onto a public blockchain, where it cannot be seized or sinkholed the way a domain can, making it more persistent than prior variants.
The security team should verify that mobile device policies block sideloaded applications and that credentials for financial systems are protected by phishing-resistant authentication within the next 30 days.
Without these controls in place, compromised employee or customer devices could result in direct financial fraud, account takeovers, and regulatory exposure under EU payment and data protection rules.
PSD2 — campaign directly targets banking application credentials and OTP interception for users in EU member states (France, Italy, Austria); strong customer authentication requirements are implicated
GDPR — credential and financial data compromise of EU residents triggers breach notification assessment obligations under Article 33
Technical Analysis
TrickMo.C is a new variant of the TrickMo Android banking trojan, tracked by ThreatFabric, that has migrated its C2 channel from traditional DNS-based infrastructure to The Open Network (TON) blockchain overlay.
Because the C2 channel is anchored in a public, decentralized network rather than a registrable domain, DNS sinkholing, domain seizure, and law enforcement-coordinated takedowns lose most of their effect; defenders are left with device, endpoint, and authentication controls.
Core capabilities retained from earlier variants include credential harvesting from banking and crypto wallet applications, OTP interception, and screen capture.
New capabilities added in this variant include SSH tunneling, SOCKS5 proxy support, and expanded network reconnaissance commands. Distribution occurs via trojanized APKs impersonating TikTok and streaming applications, sideloaded outside official app stores. Relevant CWEs: CWE-923 (improper restriction of communication channel to intended endpoints), CWE-494 (download of code without integrity check), CWE-295 (improper certificate validation), CWE-287 (improper authentication). MITRE ATT&CK coverage includes T1481 (web service C2), T1090.003 (multi-hop proxy), T1437.001 (web protocols for C2), T1417 (input capture), T1412 (capture SMS messages; superseded in current Mobile ATT&CK by T1636.003), T1660 (phishing via trojanized apps), T1513 (screen capture), T1516 (input injection), T1624 (broadcast receivers for event-triggered execution), and T1571 (non-standard port usage), among others. No CVE identifier is associated with this campaign. No vendor patch applies; the threat vector is sideloaded APKs, not a patched application vulnerability.
Action Checklist IR ENRICHED
Triage Priority:
URGENT
Escalate immediately to senior IR leadership and legal/compliance if any evidence of successful OTP interception or unauthorized banking/crypto transaction is confirmed for users in France, Italy, or Austria, as these jurisdictions trigger GDPR breach notification obligations (72-hour window) and may activate PSD2 fraud reporting requirements for financial institutions.
1
Containment: Block installation of APKs from unknown sources on all managed Android devices via MDM policy. If your MDM supports application allowlisting, evaluate and enforce immediately on devices accessing corporate banking or financial applications. Restrict sideloading through Android Enterprise or equivalent policy.
IR Detail
Containment
NIST 800-61r3 §3.3 — Containment Strategy
NIST IR-4 (Incident Handling)
NIST SI-3 (Malicious Code Protection)
NIST CM-7 (Least Functionality)
CIS 2.3 (Address Unauthorized Software)
CIS 4.6 (Securely Manage Enterprise Assets and Software)
Compensating Control
For teams without enterprise MDM: enroll devices in an Android Enterprise work profile through any EMM that supports it (Android Enterprise itself is free to use; the EMM may not be) and disable installs from unknown sources at the profile level. To audit manually over ADB, note that the global 'install_non_market_apps' setting was removed in Android 8, where unknown-source installs became a per-app permission: run 'adb shell appops get <installer.package> REQUEST_INSTALL_PACKAGES' for browsers, file managers, and messaging apps, and treat a result of 'allow' as sideloading enabled; on Android 7 and earlier, 'adb shell settings get secure install_non_market_apps' returning '1' means the same. For BYOD fleets with no MDM, require devices to pass a Play Integrity verdict (via Intune device compliance or an equivalent) before connecting to corporate banking portals, enforceable through Entra ID Conditional Access, which needs a P1 license, or an equivalent product.
Preserve Evidence
Before enforcing the MDM block, capture: (1) a full inventory of installed packages on suspect devices via 'adb shell pm list packages -f -i', which prints each APK path, package name, and installer; an installer other than com.android.vending on a package under /data/app/ indicates a non-Play origin; (2) the installer recorded by the package manager ('adb shell dumpsys package <package.name>' and read installerPackageName, or Settings > Apps > [app] > App Info, which on recent Android shows which app performed the install) to confirm sideload provenance; (3) network connection state at time of containment via 'adb shell netstat -antp' to document any live SOCKS5 or SSH tunnels from the device before isolation; without root the shell cannot attribute other apps' sockets to a process, so record the remote endpoints at minimum; (4) device enrollment logs from your MDM showing last policy sync timestamp and compliance state, which are critical for establishing the window of exposure.
2
Detection: Query MDM and endpoint logs for APKs installed outside Google Play with package names or signing certificates mismatching TikTok's official distribution. Review network logs for connections to TON overlay network endpoints or unusual SOCKS5 and SSH tunnel activity originating from mobile devices. Monitor for unexpected OTP delivery events or authentication anomalies on banking and financial platforms for affected regions (France, Italy, Austria).
IR Detail
Detection & Analysis
NIST 800-61r3 §3.2 — Detection and Analysis
NIST SI-4 (System Monitoring)
NIST AU-6 (Audit Record Review, Analysis, and Reporting)
NIST AU-2 (Event Logging)
NIST IR-5 (Incident Monitoring)
CIS 8.2 (Collect Audit Logs)
CIS 7.1 (Establish and Maintain a Vulnerability Management Process)
Compensating Control
For teams without SIEM: (1) TikTok's official Play Store signing certificate fingerprint (SHA-256) can be taken from a known-good copy of the app: extract the certificate from the installed APK using 'apksigner verify --print-certs suspicious.apk' and compare against TikTok's known cert; any mismatch confirms a trojanized package. (2) For TON detection, note that TON nodes are addressed by IP and port in the project's published global config, not by hostnames: build a Zeek or Suricata match on connections to those liteserver and DHT node addresses, and add DNS queries for '.ton' names (which the public DNS cannot resolve) as a secondary signal; free Zeek on a network tap will surface this without a SIEM. If the malware reaches TON through a public HTTPS API gateway instead of speaking to nodes directly, the gateway hostname in DNS or TLS SNI is the indicator to match. (3) For OTP interception detection, query your SMS gateway or authentication provider's API logs for OTP delivery records where the registered device identifier changed within 24 hours of delivery; this catches SIM-swap-adjacent and on-device OTP theft. MITRE ATT&CK T1437 (Application Layer Protocol) and T1636.003 (Protected User Data: SMS Messages) are the relevant technique references for signature development.
Preserve Evidence
Capture before proceeding to eradication: (1) full MDM application inventory export filtered to 'install source != com.android.vending (Google Play)' for all devices with banking app access in France, Italy, and Austria geos; (2) firewall or proxy logs for sessions originating from mobile device IP ranges, starting with the default SOCKS5 (TCP/1080) and SSH (TCP/22) ports that TrickMo.C's tunneling features imply, but not stopping there: the campaign is mapped to non-standard port usage, so also pull long-lived sessions to unfamiliar external hosts on any port; (3) authentication platform logs (your banking SSO, mobile banking backend, or crypto wallet OAuth provider) showing OTP consumption events correlated against device fingerprint; look for OTPs consumed by a different device or IP than the one that initiated the session; (4) DNS query logs from your recursive resolver or mobile carrier showing lookups for '.ton' names (expect NXDOMAIN responses) or for public TON API gateways, plus flow records to the node addresses listed in the TON global config.
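The package-inventory review in step 1 and the certificate check in step 2 are mechanical enough to script. The following is an added example, not code from the page or from ThreatFabric: it parses the text of 'adb shell pm list packages -f -i' and 'apksigner verify --print-certs' taken from a device, flags packages that impersonate the TikTok brand or were installed outside Google Play, and compares the signer digest against an allowlist. The TikTok package name, the placeholder digest in TRUSTED_CERTS, and both sample inputs are assumptions constructed for the demonstration.

```python
"""Triage sideloaded packages and verify an APK's signing certificate.

Added example, not code from the page or from ThreatFabric. It parses two
kinds of text a responder already has on hand:
  * lines from `adb shell pm list packages -f -i`, shaped like
      package:<apk path>=<package name>  installer=<installer package|null>
  * output of `apksigner verify --print-certs <apk>`
The TikTok package name and the digest in TRUSTED_CERTS are assumptions for
illustration; take the real digest from a Play Store copy of the app.
"""
import re
from dataclasses import dataclass

# Installer package names that mean "came through the official store".
STORE_INSTALLERS = {"com.android.vending"}  # Google Play

# Brand keyword -> official package name (assumed; verify against the Play listing).
BRAND_PACKAGES = {"tiktok": "com.zhiliaoapp.musically"}

# Official signing-cert SHA-256 per package. PLACEHOLDER digest, not the real one.
TRUSTED_CERTS = {"com.zhiliaoapp.musically": "00" * 32}

PM_LINE = re.compile(r"^package:(?P<entry>\S+)\s+installer=(?P<installer>\S+)$")
CERT_LINE = re.compile(
    r"^Signer #\d+ certificate SHA-256 digest:\s*([0-9a-fA-F]{64})\s*$", re.MULTILINE
)


@dataclass(frozen=True)
class Finding:
    package: str
    installer: str
    reason: str


def parse_pm_list(text):
    """Yield (apk_path, package, installer) from `pm list packages -f -i` output."""
    for line in text.splitlines():
        m = PM_LINE.match(line.strip())
        if not m:
            continue
        # The APK path itself contains '=' (base64 in the app dir), so split on the last one.
        path, _, pkg = m.group("entry").rpartition("=")
        yield path, pkg, m.group("installer")


def find_suspect_packages(pm_output):
    """Flag brand impersonation and any user-installed package that did not come from Play."""
    findings = []
    for path, pkg, installer in parse_pm_list(pm_output):
        sideloaded = installer not in STORE_INSTALLERS
        for brand, official in BRAND_PACKAGES.items():
            if brand in pkg.lower() and pkg != official:
                findings.append(Finding(pkg, installer, f"name suggests {brand} but is not the official package"))
                break
            if pkg == official and sideloaded:
                findings.append(Finding(pkg, installer, f"official {brand} package installed outside Google Play"))
                break
        else:
            # /data/app/ holds user-installed apps; preloaded system apps report installer=null legitimately.
            if sideloaded and path.startswith("/data/app/"):
                findings.append(Finding(pkg, installer, "user-installed package not from Google Play"))
    return findings


def verify_signing_cert(pkg, apksigner_output):
    """Return (ok, digests). ok is True only for exactly one signer whose digest matches TRUSTED_CERTS."""
    digests = [d.lower() for d in CERT_LINE.findall(apksigner_output)]
    expected = TRUSTED_CERTS.get(pkg)
    ok = expected is not None and len(digests) == 1 and digests[0] == expected.lower()
    return ok, digests


# Constructed sample input (not from a real device).
SAMPLE_PM = """\
package:/system/priv-app/Settings/Settings.apk=com.android.settings  installer=null
package:/data/app/~~Ab1==/com.zhiliaoapp.musically-Xy2==/base.apk=com.zhiliaoapp.musically  installer=com.android.vending
package:/data/app/~~Cd3==/com.tiktok.lite.free-Zz9==/base.apk=com.tiktok.lite.free  installer=com.google.android.packageinstaller
package:/data/app/~~Ef4==/com.stream.tvplus-Qq8==/base.apk=com.stream.tvplus  installer=null
"""

# Constructed apksigner output for the impostor: its digest does not match TRUSTED_CERTS.
SAMPLE_APKSIGNER = """\
Signer #1 certificate DN: CN=Android, O=Unknown
Signer #1 certificate SHA-256 digest: 9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08
Signer #1 certificate SHA-1 digest: 2fd4e1c67a2d28fced849ee1bb76e7391b93eb12
Signer #1 certificate MD5 digest: 9e107d9d372bb6826bd81d3542a419d6
"""

if __name__ == "__main__":
    for f in find_suspect_packages(SAMPLE_PM):
        print(f"{f.package} (installer={f.installer}): {f.reason}")
    print("cert ok:", verify_signing_cert("com.zhiliaoapp.musically", SAMPLE_APKSIGNER))
```

The installer field alone is not proof of trojanization (a user may legitimately install the real TikTok APK from a mirror), which is why the certificate check is the deciding test: a package that carries the official name but a different signer is a repack, whatever its installer says.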
3
Eradication: Remove any identified trojanized APKs through MDM remote wipe or selective app removal. Force re-enrollment of devices where sideloading occurred. Revoke and rotate credentials for any accounts accessed from a suspected compromised device, prioritizing banking and crypto wallet credentials.
IR Detail
Eradication
NIST 800-61r3 §3.4 — Eradication
NIST IR-4 (Incident Handling)
NIST SI-2 (Flaw Remediation)
NIST AC-2 (Account Management)
NIST IA-5 (Authenticator Management)
CIS 5.3 (Disable Dormant Accounts)
CIS 6.2 (Establish an Access Revoking Process)
Compensating Control
For teams without enterprise MDM remote-wipe capability: (1) use ADB selective uninstall 'adb shell pm uninstall -k --user 0 <package.name>' to remove the trojanized TikTok/streaming APK without full device wipe, preserving forensic data on the device if needed; (2) for credential rotation on banking and crypto platforms without an IAM system, generate a priority list from your MDM application inventory of all accounts authenticated from compromised devices within the past 30 days and push mandatory password resets via each platform's admin console — crypto wallet seed phrases must be treated as fully compromised and wallet migration initiated; (3) disable TOTP/SMS OTP seeds for affected accounts and reissue — TrickMo.C's OTP interception means existing TOTP or SMS second factors on compromised devices are untrusted.
Preserve Evidence
Before issuing remote wipe or app removal commands: (1) pull an application backup via 'adb backup -apk -obb -all -f device_backup_<hostname>_<date>.adb' while the device is still accessible; be aware that adb backup honors each app's allowBackup flag and, from Android 12, excludes app data for non-debuggable apps, so expect it to return little or nothing for the malicious package; at minimum, 'adb pull' the base.apk path shown by 'pm list packages -f', which works without root for most apps; (2) extract shared preferences and SQLite databases from the TrickMo APK's data directory (typically '/data/data/<malicious.package.name>/') if rooted access or an MDM with deep inspection is available, since these may contain harvested credentials, intercepted OTPs, or C2 configuration referencing TON endpoints; (3) document the full list of accounts authenticated from the device across all banking and crypto platforms before revoking, as required for downstream breach notification scoping.
4
Recovery: Validate that MDM policies blocking unknown-source APK installs are enforced and reporting clean. Monitor affected user accounts for anomalous login activity for a minimum of 30 days post-remediation. Confirm OTP delivery channels are not being intercepted by reviewing authentication logs for unusual OTP consumption patterns.
IR Detail
Recovery
NIST 800-61r3 §3.5 — Recovery
NIST IR-4 (Incident Handling)
NIST SI-4 (System Monitoring)
NIST AU-6 (Audit Record Review, Analysis, and Reporting)
NIST AU-11 (Audit Record Retention)
CIS 6.3 (Require MFA for Externally-Exposed Applications)
CIS 7.2 (Establish and Maintain a Remediation Process)
Compensating Control
For teams without a dedicated monitoring platform: (1) schedule a daily cron job or PowerShell task to export MDM compliance reports and diff against a known-good baseline — any device reappearing as non-compliant within 30 days indicates re-infection or policy bypass; (2) configure your banking platform's admin alert (most major online banking admin consoles offer free anomaly email alerts) to flag logins from new device fingerprints, new geolocations, or out-of-band OTP consumption for the affected French, Italian, and Austrian user accounts; (3) for crypto wallet accounts, enable on-chain transaction monitoring using free tools such as Etherscan alerts or equivalent per-chain notification services to catch unauthorized outbound transfers that may result from pre-rotation credential theft not yet acted upon by the threat actor.
Preserve Evidence
During recovery validation, retain and review: (1) MDM compliance audit trail showing policy enforcement timestamps and device re-enrollment events — gaps between wipe and re-enrollment are windows where a device could reconnect to TON C2; (2) authentication platform logs covering the full 30-day monitoring window, specifically filtering on accounts flagged during eradication for any session initiated without the newly issued MFA credential — this detects credential reuse from pre-rotation theft; (3) network flow data for mobile device subnets showing any resumption of SOCKS5/SSH tunnel activity, which would indicate re-infection or a previously undetected device.
5
Post-Incident: This variant exposes a gap in mobile device management policy enforcement and user awareness around sideloaded applications. Conduct a review of mobile security policy coverage for personally-owned (BYOD) devices accessing corporate financial systems. Evaluate whether TON blockchain traffic should be added to network monitoring signatures as an anomaly indicator, given its emerging use as a C2 transport.
IR Detail
Post-Incident
NIST 800-61r3 §4 — Post-Incident Activity
NIST IR-4 (Incident Handling)
NIST IR-8 (Incident Response Plan)
NIST RA-3 (Risk Assessment)
NIST SI-5 (Security Alerts, Advisories, and Directives)
CIS 7.1 (Establish and Maintain a Vulnerability Management Process)
CIS 6.3 (Require MFA for Externally-Exposed Applications)
CIS 6.4 (Require MFA for Remote Network Access)
Compensating Control
For teams without a dedicated threat intelligence platform: (1) subscribe to free OSINT feeds tracking TrickMo IOCs; abuse.ch ThreatFox and MalwareBazaar both index TrickMo samples and C2 indicators at no cost; create a weekly review task to check for new TrickMo.C package hashes and to refresh the TON node list from the project's published global config; (2) write Suricata or Snort rules on the liteserver and DHT node addresses and ports from that config and deploy them on your network perimeter (ADNL traffic is encrypted, so matching on endpoint addresses is more reliable than trying to signature the handshake), turning the post-incident finding into an active detection; (3) develop a 15-minute user awareness module specifically addressing fake TikTok and streaming app sideloading, targeting employees in France, Italy, and Austria who use mobile banking; this directly addresses the TrickMo.C delivery vector rather than generic phishing awareness.
Preserve Evidence
For the lessons-learned record and to support BYOD policy revision: (1) compile the full timeline of device non-compliance events from MDM logs showing when sideloading policies were absent or unenforced — this establishes the policy gap duration for risk documentation; (2) retain all IOC artifacts collected during detection and eradication (trojanized APK hashes, TON endpoint addresses, anomalous authentication records) and contribute to a sector ISAC (FS-ISAC for financial sector, given France/Italy/Austria banking targeting) to support broader community defense; (3) document whether any BYOD devices were involved that fell outside MDM policy scope — the count and access level of unmanaged BYOD devices touching banking systems is the primary metric for scoping the residual risk and justifying a formal BYOD mobile security policy revision.
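The TON node rules suggested in the detection step and again here share one non-obvious detail: the TON global config stores each node's IPv4 address as a signed 32-bit integer, so a negative value is a normal address, not an error. The following is an added example, not code from the page or the TON project. It mirrors the config layout with constructed documentation-range addresses, converts them, emits one Suricata rule per node, and checks constructed Zeek conn.log rows against the resulting list; the sid range and the log rows are assumptions.

```python
"""Derive network indicators from the TON global config and check flows against them.

Added example, not code from the page or the TON project. The TON global config
(global.config.json, published by the TON project) lists DHT bootstrap nodes and
liteservers by IPv4 address stored as a *signed* 32-bit integer plus a port; DHT
nodes speak ADNL over UDP, liteservers ADNL over TCP. The config below copies
that layout with constructed documentation-range addresses, and the Zeek
conn.log rows are constructed too. Feed the real file to load_ton_endpoints().
"""
import ipaddress
import json

CONSTRUCTED_CONFIG = json.dumps({
    "@type": "config.global",
    "dht": {"static_nodes": {"nodes": [
        {"addr_list": {"addrs": [{"@type": "adnl.address.udp", "ip": -969710585, "port": 22096}]}},
        {"addr_list": {"addrs": [{"@type": "adnl.address.udp", "ip": 169090600, "port": 6302}]}},
    ]}},
    "liteservers": [{"ip": -889163478, "port": 13833}],
})


def ton_int_to_ipv4(value):
    """TON encodes IPv4 as int32; reinterpret the two's-complement value as unsigned."""
    return str(ipaddress.IPv4Address(value & 0xFFFFFFFF))


def load_ton_endpoints(config_text):
    """Return sorted (ip, port, proto) tuples for every DHT node and liteserver in the config."""
    cfg = json.loads(config_text)
    endpoints = set()
    for node in cfg.get("dht", {}).get("static_nodes", {}).get("nodes", []):
        for addr in node.get("addr_list", {}).get("addrs", []):
            endpoints.add((ton_int_to_ipv4(addr["ip"]), int(addr["port"]), "udp"))
    for ls in cfg.get("liteservers", []):
        endpoints.add((ton_int_to_ipv4(ls["ip"]), int(ls["port"]), "tcp"))
    return sorted(endpoints)


def suricata_rules(endpoints, base_sid=9100001):
    """One alert rule per endpoint; the sid range is assumed to be free in your ruleset."""
    return [
        f'alert {proto} $HOME_NET any -> {ip} {port} '
        f'(msg:"TON node contact from internal host (possible TrickMo.C C2 rendezvous)"; '
        f'classtype:trojan-activity; sid:{base_sid + i}; rev:1;)'
        for i, (ip, port, proto) in enumerate(endpoints)
    ]


# Constructed Zeek conn.log rows: ts, uid, id.orig_h, id.orig_p, id.resp_h, id.resp_p, proto
CONSTRUCTED_CONN_LOG = """\
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto
1715400000.1\tCa1\t10.9.8.7\t51000\t198.51.100.7\t22096\tudp
1715400001.2\tCa2\t10.9.8.7\t51002\t192.0.2.50\t443\ttcp
1715400002.3\tCa3\t10.9.8.8\t43123\t203.0.113.42\t13833\ttcp
1715400003.4\tCa4\t10.9.8.9\t43124\t203.0.113.42\t443\ttcp
"""


def match_conn_log(conn_log_text, endpoints):
    """Return (orig_h, resp_h, resp_p, proto) for flows whose responder is a TON endpoint."""
    wanted = set(endpoints)
    hits = []
    for line in conn_log_text.splitlines():
        if not line or line.startswith("#"):
            continue
        f = line.split("\t")
        if len(f) < 7:
            continue
        key = (f[4], int(f[5]), f[6])
        if key in wanted:
            hits.append((f[2], f[4], int(f[5]), f[6]))
    return hits


if __name__ == "__main__":
    eps = load_ton_endpoints(CONSTRUCTED_CONFIG)
    print("\n".join(suricata_rules(eps)))
    for hit in match_conn_log(CONSTRUCTED_CONN_LOG, eps):
        print("TON contact:", hit)
```

Contact with a TON node is legitimate for anyone running a TON wallet, so these rules are an anomaly signal for fleets where TON use is not expected, not proof of infection on their own. They also do nothing if the implant reaches the chain through a public HTTPS API gateway rather than ADNL; in that case the gateway hostname in DNS or TLS SNI is the indicator to add.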
Recovery Guidance
Post-containment, enforce hardware-backed Android attestation as a condition of banking application access: use the Play Integrity API (the successor to the retired SafetyNet Attestation API) and require at least the MEETS_DEVICE_INTEGRITY verdict, or MEETS_STRONG_INTEGRITY where hardware-backed proof is needed, so that rooted or tampered devices cannot re-enroll and re-establish TrickMo's TON C2 channel. Note that Play Integrity does not detect a sideloaded trojan on an otherwise stock phone, so it complements the MDM sideload block rather than replacing it. Monitor all previously affected user accounts across banking and crypto platforms for a minimum of 30 days, specifically watching for low-and-slow credential reuse from credentials harvested before rotation. Given TrickMo.C's use of the TON blockchain as a resilient C2 that cannot be sinkholed through DNS, treat any resumption of TON network traffic from mobile device ranges as a re-infection indicator requiring immediate device quarantine.
Key Forensic Artifacts
Trojanized APK file recovered from device storage or MDM inventory — extract SHA-256 hash and compare against TrickMo.C samples indexed on MalwareBazaar; verify APK signing certificate against TikTok's official certificate (available from Play Store APK via apksigner) to confirm trojanization
Android package manager state at '/data/system/packages.xml' (with 'packages-backup.xml' alongside it); these persist install source metadata and timestamps for all installed APKs, including sideloaded ones, and establish the infection timeline even after app removal. Reading them requires root or a full filesystem image, and on Android 12 and later the file is stored in the binary ABX format, which the platform's abx2xml tool converts back to text.
Network flow records (NetFlow/IPFIX or firewall session logs) filtered to SOCKS5 (TCP/1080) and SSH (TCP/22) sessions originating from mobile device IP ranges; TrickMo.C's tunneling over these protocols is the most accessible network-layer sign of an active implant. This tunneling is separate from the TON-based C2 channel, and the non-standard port mapping means the default ports are a starting filter rather than a complete one.
Authentication platform OTP consumption logs correlated against session device fingerprint; specifically, records where an OTP was delivered to a registered device but consumed from a different IP, user agent, or device ID, indicating on-device interception by TrickMo.C's SMS capture and overlay capabilities.
DNS query logs from the organization's recursive resolver or mobile network showing lookups for '.ton' names (which the public DNS cannot resolve and which therefore surface as NXDOMAIN) or for public TON API gateways, plus flow records to the liteserver and DHT node addresses published in the TON global config; these appear before TrickMo.C establishes its blockchain-based C2 channel and represent the earliest network-visible indicator of infection.
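The OTP correlation described under forensic artifacts, and earlier in the detection step, comes down to joining two event streams on the code identifier and comparing who requested the code with who redeemed it. The following is an added example, not code from the page or from any vendor: it runs that join over constructed JSON-lines records shaped the way an SMS gateway and an authentication backend might log them, grades each failed check, and then pivots on device fingerprint to show one redeeming device touching several users. Every field name, the 600-second slow-use threshold, and the per-user device baseline are assumptions.

```python
"""Correlate OTP delivery with OTP consumption to surface interception.

Added example, not code from the page or from any vendor. Both event streams
are constructed JSON-lines records shaped the way an SMS gateway (what session
asked for the code, and when it was sent) and an authentication backend (who
redeemed it, from where) might log them; every field name, the 600-second
slow-use threshold, and the per-user device baseline are assumptions.
"""
import json

# Constructed: SMS-gateway delivery records.
DELIVERY_LOG = "\n".join(json.dumps(r) for r in [
    {"otp_id": "o1", "user": "alice", "req_ip": "198.51.100.20", "req_device": "web-7f3a", "sent_at": 1715400000},
    {"otp_id": "o2", "user": "bob",   "req_ip": "203.0.113.9",   "req_device": "web-9c1d", "sent_at": 1715400300},
    {"otp_id": "o3", "user": "carol", "req_ip": "192.0.2.77",    "req_device": "and-55aa", "sent_at": 1715400600},
])

# Constructed: authentication-backend consumption records.
CONSUMPTION_LOG = "\n".join(json.dumps(r) for r in [
    {"otp_id": "o1", "user": "alice", "src_ip": "198.51.100.20", "device": "web-7f3a", "used_at": 1715400030},
    {"otp_id": "o2", "user": "bob",   "src_ip": "192.0.2.200",   "device": "web-0bad", "used_at": 1715400310},
    {"otp_id": "o3", "user": "carol", "src_ip": "192.0.2.77",    "device": "and-55aa", "used_at": 1715401900},
    {"otp_id": "o9", "user": "dave",  "src_ip": "192.0.2.201",   "device": "web-0bad", "used_at": 1715402000},
])

# Constructed: device fingerprints previously seen per user (from historical auth logs).
KNOWN_DEVICES = {"alice": {"web-7f3a", "and-11aa"}, "bob": {"and-22bb"}, "carol": {"and-55aa"}}


def load_jsonl(text):
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def correlate_otp(delivery_text, consumption_text, known_devices, slow_use_seconds=600):
    """Return (otp_id, user, confidence, reason) alerts, one per failed check."""
    deliveries = {d["otp_id"]: d for d in load_jsonl(delivery_text)}
    alerts = []
    for c in load_jsonl(consumption_text):
        d = deliveries.get(c["otp_id"])
        if d is None:
            alerts.append((c["otp_id"], c["user"], "HIGH", "redeemed with no matching delivery record"))
            continue
        # The session that requested the code should be the one that redeems it.
        if c["src_ip"] != d["req_ip"] or c["device"] != d["req_device"]:
            alerts.append((c["otp_id"], c["user"], "HIGH",
                           "redeemed from a different IP/device than the requesting session"))
        # A never-before-seen fingerprint at the OTP step is where stolen credentials surface.
        if c["device"] not in known_devices.get(c["user"], set()):
            alerts.append((c["otp_id"], c["user"], "MEDIUM", "redeeming device not in user's baseline"))
        # Codes relayed by a human operator tend to be redeemed late in their validity window.
        delay = c["used_at"] - d["sent_at"]
        if delay > slow_use_seconds:
            alerts.append((c["otp_id"], c["user"], "LOW", f"redeemed {delay}s after delivery"))
    return alerts


def pivot_devices(alerts, consumption_text):
    """Map each device fingerprint seen in alerts to the users it touched; a shared device suggests one operator."""
    by_otp = {c["otp_id"]: c for c in load_jsonl(consumption_text)}
    seen = {}
    for otp_id, user, _, _ in alerts:
        seen.setdefault(by_otp[otp_id]["device"], set()).add(user)
    return seen


if __name__ == "__main__":
    alerts = correlate_otp(DELIVERY_LOG, CONSUMPTION_LOG, KNOWN_DEVICES)
    for a in alerts:
        print(a)
    print(pivot_devices(alerts, CONSUMPTION_LOG))
```

The late-redemption check is deliberately graded LOW: a slow user produces the same signal. The device pivot is what turns scattered medium-confidence hits into a case, because a single fingerprint redeeming codes for unrelated customers is not something a legitimate user does.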
Detection Guidance
Detection options are limited at the network layer due to TON blockchain C2; focus on endpoint and behavioral signals.
On managed Android devices, use MDM logs to identify APKs installed from sources outside Google Play, flag any package claiming to be TikTok or a streaming service that was not installed via the official store.
At the network layer, look for SOCKS5 proxy traffic or SSH tunnel establishment originating from mobile devices, particularly to non-corporate endpoints.
Monitor authentication logs on banking portals and financial platforms for users in France, Italy, and Austria for logins from new device fingerprints and for OTPs consumed from a device or IP other than the one that requested them. MITRE T1481 (web service C2 via TON), T1090.003 (multi-hop proxy), T1412 (SMS capture; T1636.003 in current Mobile ATT&CK), and T1417 (input capture) are the highest-signal techniques to hunt against. Behavioral indicators include: unexpected accessibility service grants on Android devices, apps requesting SMS read permissions that are not messaging applications, and anomalous screen capture activity. No public IOC list (hashes, IPs, domains) has been published at time of writing; monitor ThreatFabric's threat research directly for updated indicators as they become available.
Indicators of Compromise (2)
Neither entry below is a queryable indicator; both are placeholders until hashes or endpoints are published.
Type | Value | Enrichment | Context | Confidence
DOMAIN | TON blockchain overlay (no specific domain) | VT, US | TrickMo.C routes C2 traffic through the TON blockchain network; no seized or sinkholeable domain exists. Check ThreatFabric research for updated IOCs. | LOW
HASH | Not publicly confirmed in available sources | VT, MB | No APK hashes confirmed in tier-3 source reporting at time of writing. Retrieve from ThreatFabric's published TrickMo.C analysis. | LOW
Platform Playbooks
Microsoft Sentinel / Defender
CrowdStrike Falcon
AWS Security
Microsoft 365 E3
3 log sources
Basic identity + audit. No endpoint advanced hunting. Defender for Endpoint requires separate P1/P2 license.
Microsoft 365 E5
18 log sources
Full Defender suite: Endpoint P2, Identity, Office 365 P2, Cloud App Security. Advanced hunting across all workloads.
E5 + Sentinel
27 log sources
All E5 tables + SIEM data (CEF, Syslog, Windows Security Events, Threat Intelligence). Analytics rules, playbooks, workbooks.
Hard indicator (direct match)
Contextual (behavioral query)
Shared platform (review required)
No hard IOCs are available for Sentinel/Defender query generation; the MITRE techniques listed under MITRE ATT&CK Mapping are the basis for behavioral hunting queries instead.
Falcon API IOC Import Payload (1 indicator)
POST to /indicators/entities/iocs/v1. Treat the payload below as a template only: its single entry carries a descriptive placeholder rather than a real domain, and it targets Windows, macOS, and Linux hosts, none of which TrickMo.C affects. Do not import it as-is; replace the entry with confirmed APK hashes (type sha256) from ThreatFabric's analysis before posting. Expiration set to 90 days.
Copy JSON
[
{
"type": "domain",
"value": "TON blockchain overlay (no specific domain)",
"source": "SCC Threat Intel",
"description": "TrickMo.C routes C2 traffic through the TON blockchain network; no seized or sinkholeable domain exists. Check ThreatFabric research for updated IOCs.",
"severity": "medium",
"action": "no_action",
"platforms": [
"windows",
"mac",
"linux"
],
"applied_globally": true,
"expiration": "2026-08-09T00:00:00Z"
}
]
No hard IOCs available for AWS detection queries (contextual/benign indicators excluded).
Compliance Framework Mappings
MITRE ATT&CK: T1646, T1513, T1516, T1632.001, T1521, T1219 (+12 more)
OWASP Top 10 (2021): A08:2021, A02:2021, A07:2021
NIST SP 800-53: SI-7, CM-3, SC-8, SC-17, IA-2, IA-8 (+1)
CIS Controls v8: 2.5, 2.6, 3.10, 6.3, 6.4, 6.5 (+1)
MITRE ATT&CK Mapping
T1646  Exfiltration Over C2 Channel  (exfiltration)
T1513  Screen Capture  (collection)
T1516  Input Injection  (defense-evasion)
T1632.001  Code Signing Policy Modification  (defense-evasion)
T1521  Encrypted Channel  (command-and-control)
T1219  Remote Access Tools  (command-and-control)
T1409  Stored Application Data  (collection)
T1571  Non-Standard Port  (command-and-control; Enterprise matrix ID)
T1417  Input Capture  (collection)
T1660  Phishing  (initial-access)
T1509  Non-Standard Port  (command-and-control; Mobile matrix ID for the same technique as T1571)
T1437  Application Layer Protocol  (command-and-control)
T1481  Web Service  (command-and-control)
T1638  Adversary-in-the-Middle  (collection)
T1090.003  Multi-hop Proxy  (command-and-control)
T1624  Event Triggered Execution  (persistence)
Guidance Disclaimer
The analysis, framework mappings, and incident response recommendations in this intelligence
item are derived from established industry standards including NIST SP 800-61, NIST SP 800-53,
CIS Controls v8, MITRE ATT&CK, and other recognized frameworks. This content is provided
as supplemental intelligence guidance only and does not constitute professional incident response
services. Organizations should adapt all recommendations to their specific environment, risk
tolerance, and regulatory requirements. This material is not a substitute for your organization's
official incident response plan, legal counsel, or qualified security practitioners.