How to Defend Against the New TrickMo Android Trojan Using TON and SOCKS5

Introduction

Cybersecurity researchers have uncovered a dangerous new variant of the TrickMo Android banking trojan. This iteration leverages The Open Network (TON) for command-and-control (C2) communications and utilizes SOCKS5 proxies to create network pivots, enabling the malware to stealthily target banking and cryptocurrency wallet users. Active between January and February 2026, the threat primarily affects users in France, Italy, and Austria. This guide provides a step-by-step approach to identifying, mitigating, and protecting against this sophisticated trojan, whether you are an individual user or a security professional.

What You Need

• An Android device (for testing or remediation) – ensure it is not compromised before starting.
• Access to a computer with internet connectivity for downloading security tools.
• A reputable mobile security suite (e.g., Malwarebytes, Bitdefender, Kaspersky).
• Network monitoring tools (e.g., Wireshark, Pi-hole, or proxy filters) for advanced analysis.
• Basic understanding of Android permissions and app management.
• Administrative access to your router for blocking malicious domains/IPs.
• A backup solution for critical data (cloud or external drive).

Step-by-Step Guide to Mitigate TrickMo

Step 1: Recognize the Threat Vector

The new TrickMo variant is delivered via a runtime-loaded APK, often disguised as a legitimate app. It uses a encrypted DEX module (dex.module) to execute malicious payloads after installation. Understand that TON (The Open Network) is used as a decentralized C2 channel, making traditional takedowns difficult. SOCKS5 proxies allow the malware to pivot through the network, hiding its true origin. Familiarize yourself with these techniques to better detect anomalies.

Step 2: Review App Permissions

Check all apps on your device for excessive permissions, especially those requesting Accessibility Service, SMS read, or overlay privileges. TrickMo often abuses Accessibility to steal credentials. Go to Settings > Apps > App Permissions and revoke any suspicious permissions. If an app requests permissions unrelated to its function (e.g., a calculator wanting SMS access), uninstall it.

Step 3: Install and Update Security Software

Download a trusted mobile security solution from the official Google Play Store. Perform a full device scan. Ensure the security app has real-time protection enabled. Some advanced tools can detect runtime-loaded APKs and suspicious DEX modules. If any threat is found, follow the app’s removal instructions.

Step 4: Monitor Network Traffic for TON and SOCKS5 Anomalies

If you have technical skills, set up network monitoring. TrickMo communicates with TON-based C2 servers using encrypted channels. Look for unusual outbound connections to TON-related domains or IPs, and SOCKS5 proxy traffic (commonly on port 1080). Use tools like Wireshark to capture packets. For home users, a Pi-hole can block known malicious domains. Add these domains to a blocklist: search for TrickMo-related IOCs from threat intelligence feeds.

Step 5: Check for Runtime-Loaded APKs

TrickMo loads a DEX module at runtime, which may not appear in the app’s installed files. Use file explorer apps with root access (if available) to inspect /data/data/[package_name]/files and /data/app for hidden APK files. Alternatively, run an Android debug bridge (ADB) command: adb shell pm list packages and cross-reference with known malware packages.

Step 6: Update Your Device and Apps

Keep your Android OS and all apps up to date. Security patches often close vulnerabilities exploited by Trojan distributors. Enable automatic updates in Settings > System > Advanced > System Update. Also update your security software to ensure it has the latest signatures for TrickMo.

Step 7: Harden Your Device

• Disable installation of apps from unknown sources (Settings > Security > Unknown Sources).
• Turn off Developer Options and USB debugging unless necessary.
• Use a firewall app (like NetGuard) to restrict background data for apps that don’t need it.
• Avoid sideloading apps from third-party stores – only use Google Play.

Step 8: Remediate a Confirmed Infection

If you detect TrickMo, immediately disconnect the device from the internet to stop C2 communication. Boot into Safe Mode (press and hold power, then long-press “Power off” until safe mode prompt appears). Uninstall the malicious app. Then scan with security software. For severe cases, perform a factory reset after backing up only essential data (contacts, photos) – ensure backups are scanned for malware.

Step 9: Educate and Monitor Targeted Regions (France, Italy, Austria)

If you are a security manager in these countries, warn users about phishing campaigns that distribute TrickMo. Monitor for SOCKS5 proxy usage and TON-based traffic. Implement endpoint detection and response (EDR) solutions that can detect runtime APK loading.

Tips for Long-Term Protection

• Stay informed: Subscribe to cybersecurity threat feeds for updates on TrickMo and other Android Trojans.
• Enable Play Protect: Google Play Protect scans apps automatically – ensure it is active.
• Use strong, unique passwords for banking and crypto accounts, and enable two-factor authentication (2FA) via authenticator apps.
• Be cautious of SMS phishing – TrickMo often spreads via smishing links. Never click on unsolicited links.
• Regularly review financial statements for unauthorized transactions, especially if you bank on your phone.
• Consider a dedicated device for sensitive activities (e.g., separate phone for banking) to reduce risk.