What TrickMo C Actually Does
TrickMo has been active since late 2019, accumulating 40 documented variants across 22 C2 infrastructures by October 2024. ThreatFabric’s analysis of the latest variant — TrickMo C — reveals a meaningful architectural upgrade: the malware abandoned conventional internet infrastructure for C2 communications and moved entirely to The Open Network (TON) blockchain overlay.
The core attack capability remains device takeover. TrickMo abuses Android’s Accessibility Service to give operators a real-time interactive view of the compromised handset. The attack chain works as follows:
- Credential theft: Fullscreen WebView overlays impersonate the legitimate banking app login screens
- OTP interception: SMS messages are silently suppressed; the trojan captures and forwards one-time passwords before they reach the user
- Screen recording and keylogging: Every input is captured in parallel with the overlay attack
- Gesture replay: Accessibility service permissions allow operators to replay biometric-like gestures remotely
TrickMo C’s lures, identified from campaign tags (Tic_Italy_FB, Tic_France_FB, Tic_AT), are distributed via phishing websites posing as TikTok or streaming apps. Targets in France, Italy, and Austria were confirmed during January to February 2026.
The TON C2 Architecture — Why Domain Takedowns No Longer Work
The critical innovation in TrickMo C is the C2 transport layer. According to The Hacker News’s technical coverage, the malware carries an embedded native TON proxy that starts on a loopback port at process initialization. All C2 requests route through .adnl hostname addresses — 256-bit identities resolved inside the TON decentralized overlay network — rather than through the public DNS hierarchy.
The practical consequence: the operator’s endpoints do not exist as registered domain names. When law enforcement or security vendors identify a TrickMo C2 server and request a domain registrar to suspend it, there is no domain to suspend. The blockchain address persists regardless of what happens in the public DNS ecosystem.
Traditional takedown playbooks relied on three steps: identify the malicious domain, contact the registrar, and force suspension. TON infrastructure breaks step two entirely. The only effective suppression path is disrupting the TON network itself — impractical given its decentralized architecture — or preventing devices from establishing the initial TON proxy connection through network-layer controls.
The SOCKS5 Pivot — How Fraud Detection Gets Defeated
Beyond C2 evasion, TrickMo C introduces SOCKS5 proxying capabilities that turn infected devices into programmable network exit nodes. According to Bleeping Computer’s reporting, the variant supports authenticated SOCKS5 proxy connections, SSH local and remote port forwarding, and network reconnaissance commands (curl, DNS lookup, ping, traceroute, telnet).
The fraud detection implication is significant. When an attacker uses a traditional remote-access tool to log into a banking app, the transaction originates from an IP address associated with a VPN, data center, or known bad actor. Fraud detection systems flag these origin points. With SOCKS5 pivoting through TrickMo-infected devices, the fraudulent transaction appears to originate from the victim’s own home or corporate network IP — the same IP that has processed hundreds of legitimate transactions previously. Behavioral profiling and IP reputation systems see a normal origin; the fraud passes.
The reconnaissance module extends this further: TrickMo C can probe the victim device’s local network (corporate WiFi, home router) using the embedded network tools. A compromised personal phone connected to a corporate network becomes a reconnaissance beachhead against internal systems.
What Banks and Fintech Teams Must Do
The combination of TON-based C2 and SOCKS5 network pivoting renders several standard mobile fraud controls insufficient. Security teams need to revisit their threat model against device-takeover malware specifically.
1. Shift Authentication Assurance Toward Device-Binding, Away From OTP
TrickMo C intercepts OTPs at the SMS or notification layer before the user sees them. Any authentication factor that travels through SMS or a notification on the compromised device is defeated by default. The defensive move is to bind authentication assertions to a specific registered device cryptographic key (FIDO2 passkeys, hardware-backed Android Keystore credentials) rather than to an OTP that can be relayed by an attacker with control of the device’s notification stack. This does not eliminate risk — a fully compromised device can still replay gestures — but it eliminates the simplest attack path (OTP interception) and forces adversaries to operate through noisier, more detectable channels.
2. Add Network Anomaly Scoring That Accounts for IP Consistency Within Sessions
Because TrickMo C SOCKS5 traffic appears to originate from the victim’s own IP, IP reputation alone is insufficient. The counter-signal is behavioral: do the device’s IP address, network characteristics, and GPS/location data stay internally consistent across a session? A transaction that originates from a home network IP while the device simultaneously reports a different physical location, or whose network latency profile suggests proxying, is a detectable anomaly. Fraud detection systems should score IP consistency (not just IP reputation) as a session-level signal. This is not a binary rule but a probabilistic input into a risk score.
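A session-level consistency scorer of the kind this section describes, written here as an added example (not code from ThreatFabric or any vendor cited on this page). The IP_GEO table, the two sample sessions, the RTT baseline and the per-signal probabilities are constructed assumptions standing in for a real GeoIP/ASN database and per-device history.

```python
from dataclasses import dataclass
from math import asin, cos, prod, radians, sin, sqrt

@dataclass(frozen=True)
class Event:
    """One observation inside a banking session (constructed schema)."""
    ip: str            # public source IP seen by the bank's API gateway
    device_lat: float  # GPS reported by the app running on the device
    device_lon: float
    device_net: str    # "wifi" or "cellular", as reported by the app
    rtt_ms: float      # app-measured round trip to the API

# Constructed stand-in for a GeoIP/ASN database: ip -> (lat, lon, kind)
IP_GEO = {"203.0.113.45": (48.8566, 2.3522, "residential")}  # Paris home line
# Constructed sessions: the victim's own phone on its home line, and the same
# IP used as a SOCKS5 exit by a device 2,000 km away with a slower round trip.
BENIGN = [Event("203.0.113.45", 48.86, 2.35, "wifi", 38.0),
          Event("203.0.113.45", 48.86, 2.35, "wifi", 41.0)]
PIVOTED = [Event("203.0.113.45", 50.4501, 30.5234, "wifi", 190.0)]

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two (lat, lon) points."""
    p1, p2 = radians(lat1), radians(lat2)
    a = sin((p2 - p1) / 2) ** 2 + cos(p1) * cos(p2) * sin(radians(lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))

def score_session(events, rtt_baseline_ms, geo=IP_GEO, max_km=150.0, rtt_factor=2.5):
    """Return (risk, reasons): risk is the noisy-OR of the strongest instance of
    each consistency signal, a probabilistic input rather than a binary rule."""
    signals = {}  # reason -> probability that the session is proxied or pivoted
    def raise_to(reason, p):
        signals[reason] = max(signals.get(reason, 0.0), p)
    if len({e.ip for e in events}) > 1:
        raise_to("ip_changed_mid_session", 0.4)
    for e in events:
        if e.ip not in geo:
            raise_to("ip_not_in_geo_db", 0.2)
            continue
        ip_lat, ip_lon, kind = geo[e.ip]
        km = haversine_km(ip_lat, ip_lon, e.device_lat, e.device_lon)
        if km > max_km:  # the device claims to be somewhere the IP is not
            raise_to("geo_mismatch", 0.85 if km > 1000 else 0.6)
        if kind == "residential" and e.device_net == "cellular":
            raise_to("net_kind_mismatch", 0.45)  # cellular radio, fixed-line IP
        if rtt_baseline_ms > 0 and e.rtt_ms > rtt_factor * rtt_baseline_ms:
            raise_to("rtt_above_baseline", 0.5)  # extra hop through a proxy
    risk = 1.0 - prod(1.0 - p for p in signals.values())
    return round(risk, 3), sorted(signals)
```

The same residential IP scores 0.0 for the victim's own phone and 0.925 for the pivoted session, while a lone latency anomaly contributes 0.5, so the value feeds a risk engine rather than blocking outright.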
3. Instrument Your Mobile Banking App Against Accessibility Service Abuse
TrickMo C requires Accessibility Service permissions to execute overlay attacks and gesture replay. Android’s Accessibility API was designed for accessibility tooling, but its capabilities are identical to what a remote-control trojan needs. Banks can instrument their mobile apps to detect at runtime whether another app with Accessibility permissions is running — and degrade or suspend session functionality when detected. Google Play Protect blocks known TrickMo C variants, but it operates on signatures; new variants ship within days of detection. App-level detection of Accessibility abuse is a compensating control that works against signature-evasive new variants.
4. Treat Threat Intelligence Sharing as an Operational Control, Not a PR Activity
ThreatFabric’s identification of TrickMo C in January to February 2026 was disclosed publicly in May 2026 — a three-month gap between discovery and public reporting. During that window, financial institutions without direct threat intelligence partnerships had no visibility into the campaign. Banks operating in France, Italy, and Austria — the confirmed target geographies — would have benefited from early access to ThreatFabric’s indicators of compromise (IOCs). Formal threat intelligence sharing relationships (FS-ISAC memberships, bilateral agreements with mobile security vendors) are the control that closes this gap. The IOC latency between discovery and public disclosure is where real fraud happens.
The Bigger Picture: Blockchain C2 as a Durable Infrastructure Pattern
TrickMo C is not an isolated case. The migration of malware C2 infrastructure to decentralized networks — TON, IPFS, blockchain-based DNS systems — is a documented trend across threat actor categories. The architectural appeal is straightforward: decentralized networks have no single registrar or authority that can respond to a takedown request. The same property that makes TON attractive for legitimate privacy-preserving applications makes it attractive as malware infrastructure.
For the banking sector, the implication is that the “takedown” playbook — long the primary remediation lever against banking trojans — has a structural limitation against blockchain-C2 variants. Security Affairs’ analysis notes that the same decentralization architecture used for legitimate TON privacy features is what makes it viable as malware infrastructure. The shift required is from reactive domain disruption toward proactive device-side detection, behavioral fraud scoring, and authentication architecture that remains secure even when the device OS layer is partially compromised. TrickMo C is a preview of a threat category that will grow as more malware families adopt decentralized infrastructure.
Frequently Asked Questions
Why does TrickMo C use the TON blockchain for command-and-control instead of traditional domains?
The TON (The Open Network) blockchain provides decentralized addressing that has no single registrar or authority that can respond to a takedown request. Traditional malware C2 infrastructure relies on registered domain names — when law enforcement or security vendors identify a malicious domain, they can contact the registrar to force suspension. TrickMo C uses 256-bit .adnl addresses resolved inside the TON decentralized overlay network, which means there is no domain to suspend. The only effective suppression paths are disrupting the TON network itself (impractical given its decentralized architecture) or blocking devices from establishing the initial TON proxy connection through network-layer controls.
How does TrickMo’s SOCKS5 proxying defeat bank fraud detection systems?
Traditional mobile banking fraud detection relies heavily on IP reputation: transactions originating from VPNs, data centers, or known malicious IP addresses are flagged as suspicious. TrickMo C turns infected Android devices into SOCKS5 network exit nodes, meaning fraudulent transactions appear to originate from the victim’s own home or corporate network IP — the same IP that has processed hundreds of legitimate transactions previously. Behavioral profiling and IP reputation systems see a normal origin. The effective counter-signal is not IP reputation but behavioral consistency: whether the device’s IP address, network characteristics, and physical location data remain internally consistent across a session.
What authentication methods are resistant to TrickMo’s OTP interception?
TrickMo C intercepts one-time passwords at the SMS or push notification layer — any authentication factor that travels through the compromised device’s notification stack is defeated. The resistant alternative is device-bound cryptographic authentication: FIDO2 passkeys and hardware-backed Android Keystore credentials bind the authentication assertion to a specific registered device key that cannot be relayed by an attacker who controls the notification layer. This does not eliminate all risk (a fully compromised device can still replay gestures), but it eliminates the simplest attack path and forces adversaries to operate through noisier, more detectable channels.
Sources & Further Reading
- New TrickMo Variant Uses TON C2 and SOCKS5 to Create Android Network Pivots — The Hacker News
- TrickMo Android Banker Adopts TON Blockchain for Covert Comms — Bleeping Computer
- New TrickMo Variant: Device Take Over Malware Targeting Banking, Fintech, Wallet & Auth Apps — ThreatFabric
- TrickMo Variant Routes Android Trojan Traffic Through TON — Infosecurity Magazine
- Android Banking Trojan TrickMo Evolves Using TON Network for C2 — Security Affairs