TrickMo Adopts TON Blockchain for Secure Mobile Communication
A New Variant of the TrickMo Android Banker Malware Emerges
Researchers have identified a new variant of the TrickMo Android banking malware that utilizes The Open Network (TON) for covert command-and-control communications.
Key Features of the Latest Variant:
- Disguises itself as popular applications such as TikTok or streaming services
- Targets users in France, Italy, and Austria, primarily aiming at their banking and cryptocurrency wallets
- Uses TON-based communication with the operator, making traditional domain takedown methods less effective
- Operates with a modular, two-stage design: a host APK that serves as the loader and persistence layer, and a runtime environment known as the Pine runtime
- Leverages various capabilities to target banking credentials, including phishing overlays, keylogging, screen recording, live screen streaming, SMS interception, OTP notification suppression, clipboard modification, notification filtering, and screenshot capturing
According to ThreatFabric, the newly added functionalities include “curl, dnsLookup, ping, telnet, traceroute, SSH tunneling, remote port forwarding, and authenticated SOCKS5 proxy support.”
The researchers also noted the presence of the Pine runtime hooking framework, although it is currently inactive, with no hooks installed.