
- ThreatFabric spotted new TrickMo.C variant targeting Android users in Europe
- Disguised as TikTok/streaming apps, it steals credentials, intercepts SMS, suppresses OTPs, and enables live surveillance
- Victims are mostly situated in France, Italy and Austria
Android users across Europe are being targeted with a new variant of a decade-old banking trojan, researchers have revealed.
ThreatFabric has explained that it has been tracking a banking trojan called TrickMo.C since January 2026.
TrickMo is an Android banking trojan that was first spotted in September 2019, but since then has been in active development, constantly receiving upgrades and new features. By 2024, there were more than 40 TrickMo variants in existence, being delivered through more than a dozen droppers, and communicating with 22 separate command-and-control (C2) infrastructures.
Extracting secrets from the French, Italians, and Austrians
This latest version is being disguised as TikTok and streaming apps. The exact deployment mechanism is unknown, but it’s safe to assume the crooks are advertising it on third-party app repositories, on Telegram and social media channels, as well as through phishing and SEO poisoning.
When installed on the target device, TrickMo.C creates a phishing overlay through which it can harvest login credentials and other valuable secrets. It can also log keystrokes and taps, record the screen, livestream its contents directly to the attackers, and intercept SMS messages. It can suppress OTP notifications, modify the users' clipboard, filter notifications, and send screenshots.
All of this allows the attackers to steal credentials, log into people's bank accounts and crypto wallets, and make payments and wire transfers, while keeping the victims entirely in the dark. The victims are mostly located in France, Italy, and Austria, the researchers said.
What makes TrickMo.C stand out compared to previous versions is that it communicates with its operator via TON, a decentralized peer-to-peer network originally developed around the Telegram ecosystem. Instead of relying on publicly exposed servers, the malware communicates through an encrypted overlay network.
The operators use ADNL (Abstract Datagram Network Layer) addresses routed through an embedded local TON proxy that runs on the infected endpoint.