
A new version of the Android banking malware 'TrickMo' has been spotted. This is not the first time we're hearing about it: TrickMo has been around for years, and what researchers have found now is an updated variant.
TrickMo Android banking malware is back, and it’s more powerful than ever
The new variant targets users in Europe, comes with new commands, and uses The Open Network (TON) to make its command-and-control (C2) communications harder to trace.
Before we get into it, do note that TrickMo is not new: it was first spotted in September 2019 and has remained in active development since, reports Bleeping Computer. In October 2024, Zimperium analyzed 40 different variants of the malware, which have been active worldwide.
This latest variant was discovered by ThreatFabric, which has observed it since January. It disguises itself as TikTok or as streaming apps and targets the banking apps and cryptocurrency wallets of users in France, Italy, and Austria.
The main change comes down to The Open Network (TON)
The main new change from the last version is the aforementioned TON-based communication with the operator: the malware uses .ADNL addresses, and requests to them are routed through an embedded local TON proxy that runs on the infected device itself.
An ADNL address is a 256-bit identifier rather than a normal domain name, so nothing in the malware's configuration exposes the C2 server's IP address or port. That alone makes the real server infrastructure harder to find, block, or take down. Note what is and isn't hidden, though: the local proxy still has to reach TON nodes over ordinary internet traffic, so the infrastructure is concealed, not the fact that the device is talking to TON.
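When triaging a suspicious APK or a device's proxy log, the practical first step is to pull out any hostnames that end in ".adnl" and note whether they are reached through a loopback proxy, since that combination is what the article describes. The snippet below is an added example written for this page; it is not ThreatFabric's tooling, not code from the malware, and the sample lines are constructed, not real TrickMo indicators. It assumes the ".adnl" hostname convention for ADNL addresses and decodes the label only when it is written as 64 hex characters (256 bits); any other encoding is reported but not decoded. It goes slightly beyond the article by also flagging whether the request went through a 127.0.0.1 proxy.

```python
import re
from typing import Dict, List

# Hostnames whose last label is "adnl" (TON Proxy style).
# Assumption, not from the article: the first label carries the 256-bit
# ADNL identifier; we only decode it when it is 64 hex characters.
ADNL_HOST_RE = re.compile(r"\b([A-Za-z0-9_-]{1,100})\.adnl\b", re.IGNORECASE)
HEX256_RE = re.compile(r"^[0-9a-f]{64}$", re.IGNORECASE)
LOOPBACK_PROXY_RE = re.compile(r"\b127\.0\.0\.1:\d+\b")

# Constructed sample strings, as you might get from `strings` over an APK
# or from a device-side proxy log. None of these are real indicators.
SAMPLE_LINES = [
    "CONNECT 127.0.0.1:8080 host=" + "ab" * 32 + ".adnl",
    "GET https://example.com/update.json",
    "proxy_target=constructedbase32stylelabelnot64hex.adnl",
    "resolver=10.0.0.5",
]


def classify_adnl_label(label: str) -> Dict[str, object]:
    """Decode the label when it is raw hex; otherwise just record it."""
    if HEX256_RE.match(label):
        raw = bytes.fromhex(label)
        return {"label": label, "encoding": "hex", "bits": len(raw) * 8}
    return {"label": label, "encoding": "unknown", "bits": None}


def find_adnl_hosts(lines: List[str]) -> List[Dict[str, object]]:
    """Return one record per .adnl hostname found, with line number and
    whether the same line shows a loopback (on-device) proxy target."""
    hits: List[Dict[str, object]] = []
    for n, line in enumerate(lines, 1):
        for m in ADNL_HOST_RE.finditer(line):
            info = classify_adnl_label(m.group(1))
            info["line"] = n
            info["via_loopback"] = bool(LOOPBACK_PROXY_RE.search(line))
            hits.append(info)
    return hits


if __name__ == "__main__":
    for hit in find_adnl_hosts(SAMPLE_LINES):
        print(hit)
```

Anything this returns is a lead to investigate, not proof of infection: legitimate TON Proxy clients produce the same pattern, so pair the hit with the app's identity and the rest of the behaviour described above before calling it malicious.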
Beyond the new transport, the capability set is familiar: it steals banking credentials via phishing overlays and performs keylogging, screen recording, live screen streaming, SMS interception, OTP notification suppression, and more.
As always, ThreatFabric is urging Android users to download apps only from Google Play in order to stay safe. On top of that, sticking to apps from trusted publishers is always recommended.
The post A Dangerous Android Banking Malware Is Back — and It’s Harder to Track Down Than Ever appeared first on Android Headlines.