TrickMo Android Banking Trojan: TON C2 and SOCKS5 Pivot Detection

A sophisticated evolution of the TrickMo Android banking trojan has been observed in the wild, marking a dangerous shift in mobile malware tactics. Between January and February 2026, researchers identified a new variant actively targeting banking and cryptocurrency users in France, Italy, and Austria. This variant abandons traditional HTTP-based C2 channels in favor of The Open Network (TON) for command-and-control, significantly complicating network detection and blocking efforts.

More critically, this iteration introduces SOCKS5 proxy capabilities, turning compromised Android devices into operational network pivots. This allows threat actors to route malicious traffic through the victim's mobile device, bypassing geofencing and IP-based reputation controls. Defenders in the financial sector must immediately update their detection playbooks to account for blockchain-based C2 infrastructure and unauthorized proxy usage on mobile endpoints.

Technical Analysis

Affected Platform: Android (specific versions not explicitly disclosed in the brief, but typically targets widely deployed versions).

Malware Family: TrickMo (Banking Trojan).

Attack Chain and Mechanics: The TrickMo variant employs a modular architecture relying on a runtime-loaded APK known as dex.module. This component is downloaded and executed dynamically, allowing the malware to update its functionality without requiring a full application re-installation, thereby evading static analysis that relies on the initial DEX file.

1. Initial Infection: Typically delivered via phishing campaigns or trojanized applications.
2. Runtime Loading: The payload retrieves and loads dex.module to extend functionality.
3. C2 Communication (TON): Unlike standard banking trojans using HTTP/S, this variant communicates over The Open Network (TON) protocol. TON is a decentralized layer-1 blockchain. Using this protocol allows the malware to blend in with legitimate cryptocurrency traffic and leverage the peer-to-peer nature of the network to resist takedowns.
4. Network Pivoting (SOCKS5): The malware establishes a SOCKS5 proxy on the infected device. This effectively turns the user's phone into a node in the attacker's botnet, usable to tunnel traffic to internal networks or to obscure the origin of attacks against external financial targets.

Exploitation Status: Confirmed active exploitation (In-the-wild). Specific campaigns observed in Europe (France, Italy, Austria).

Detection & Response

Detecting this threat requires a shift from looking for standard HTTP POST requests to identifying anomalous protocol usage and proxy services on mobile devices connected to the corporate network.

Sigma Rules

The following rules target the network pivot behavior (SOCKS5) and the use of the TON protocol, which are the primary differentiators of this variant.

---
title: Potential Android Network Pivot via SOCKS5
id: 9a8b7c6d-5e4f-3a2b-1c0d-9e8f7a6b5c4d
status: experimental
description: Detects potential network pivot activity by identifying SOCKS5 proxy traffic (Port 1080) originating from mobile device segments or internal IPs. TrickMo uses SOCKS5 to pivot through the device.
references:
 - https://thehackernews.com/2026/05/new-trickmo-variant-uses-ton-c2-and.html
author: Security Arsenal
date: 2026/05/12
tags:
  - attack.command_and_control
  - attack.t1090.001
logsource:
  category: network_connection
  product: windows
detection:
  selection:
    DestinationPort: 1080
    Initiated: 'true'
  filter_main_localhost:
    DestinationIp:
      - '127.0.0.1'
      - '::1'
  condition: selection and not filter_main_localhost
falsepositives:
  - Legitimate use of SOCKS5 proxy by internal tools (rare on mobile)
level: high
---
title: Suspicious TON Protocol Connections from Non-Standard Clients
id: 1a2b3c4d-5e6f-7a8b-9c0d-1e2f3a4b5c6d
status: experimental
description: Detects connections to The Open Network (TON) infrastructure. While standard TON clients exist, unexpected connections from corporate user agents or internal hosts to TON nodes may indicate C2 activity.
references:
 - https://thehackernews.com/2026/05/new-trickmo-variant-uses-ton-c2-and.html
author: Security Arsenal
date: 2026/05/12
tags:
  - attack.command_and_control
  - attack.t1071.001
logsource:
  category: network_connection
  product: windows
detection:
  selection:
    DestinationPort|startswith: '1' # TON often uses non-standard high ports or requires broad scanning, this is a heuristic placeholder. In practice, utilize TON Node IP lists.
    # Ideally, use a threat intel feed for TON Nodes. Below is a generic heuristic for UDP/TCP to high ports often associated with P2P.
    Protocol:
      - udp
      - tcp
  condition: selection
falsepositives:
  - Legitimate Cryptocurrency wallet applications
level: medium


**KQL (Microsoft Sentinel / Defender)**

This KQL query hunts for SOCKS5 proxy usage in DeviceNetworkEvents. While TrickMo is Android, if devices are enrolled in Microsoft Defender for Endpoint (MDE) or logs are forwarded via Mobile Threat Defense (MTD) solutions, this telemetry will be available. It also checks CommonSecurityLog (firewall/proxy) for connections to known TON adnl ports (typically UDP/TCP).

// Hunt for SOCKS5 Proxy usage (Port 1080) indicative of TrickMo pivot
// Check DeviceNetworkEvents (MDE / MTD integration)
DeviceNetworkEvents
| where RemotePort == 1080
| where ActionType == "ConnectionSuccess" or ActionType == "ConnectionAllowed"
| summarize Count = count() by DeviceName, InitiatingProcessFileName, RemoteIp
| where Count > 5
| project DeviceName, InitiatingProcessFileName, RemoteIp, Count, Timestamp
| order by Count desc

// Check Network Firewall/Proxy logs for TON related patterns
// Note: TON nodes change frequently. This looks for high volume UDP traffic common in P2P DHT.
CommonSecurityLog
| where DeviceVendor in ("Fortinet", "Palo Alto Networks", "Cisco")
| where DestinationPort >= 10000 and DestinationPort <= 65535
| where Protocol == "UDP"
| summarize Count = count() by SourceIP, DestinationIP, DestinationPort
| where Count > 1000 // Heuristic for high-volume P2P node sync
| project SourceIP, DestinationIP, DestinationPort, Count, TimeGenerated


**Velociraptor VQL**

This artifact hunts for processes listening on the SOCKS5 default port (1080). This is effective if Velociraptor is deployed on the mobile endpoint (via root or specific enterprise agent builds) or on a Linux host that might be communicating with the compromised mobile device.

-- Hunt for processes listening on SOCKS5 default port (1080)
-- This indicates a potential pivot point configured by TrickMo or similar malware
SELECT Pid, Name, Exe, Username, ListeningAddresses
FROM listen_sockets()
WHERE Port = 1080

-- Supplemental: Search for dex.module file artifacts on accessible mounts/storage
SELECT FullPath, Size, Mtime
FROM glob(globs="/**/dex.module")
WHERE Mtime > now() - 30d


**Remediation Script (Bash)**

Since TrickMo targets Android, remediation on the device itself typically requires an MDM wipe or app uninstall. However, to protect the network from the C2 and Pivot capabilities, we can harden Linux-based gateways or firewalls. This script blocks the standard SOCKS5 port and provides a framework for blocking known TON nodes (placeholder IPs).

#!/bin/bash
# Network Hardening Script against TrickMo C2 and Pivots
# Usage: sudo ./harden_trickmo.sh

echo "[+] Hardening network against TrickMo C2 and SOCKS5 pivots..."

# 1. Block outbound SOCKS5 (Port 1080) to prevent devices from being used as pivots
# or reaching external SOCKS5 proxies used by malware.
iptables -A OUTPUT -p tcp --dport 1080 -j DROP
iptables -A INPUT -p tcp --dport 1080 -j DROP

echo "[+] Blocked SOCKS5 traffic (Port 1080)."

# 2. Block TON Adnl Nodes (Example IPs - Replace with current Threat Intel)
# TrickMo uses TON for C2. Blocking known consensus nodes disrupts C2.
TON_NODES=(
    "5.161.69.96"   # Example TON Node
    "135.181.58.24" # Example TON Node
)

for IP in "${TON_NODES[@]}"; do
    iptables -A OUTPUT -d $IP -j DROP
    echo "[+] Blocked C2 IP: $IP"
done

# 3. Log and Drop remaining high-port UDP traffic often used by P2P protocols
# Caution: This may impact legitimate apps; adjust as needed.
# iptables -A OUTPUT -p udp --dport 10000:65535 -m limit --limit 5/min -j LOG --log-prefix "TON-P2P-DROP: "
# iptables -A OUTPUT -p udp --dport 10000:65535 -j DROP

echo "[+] Hardening complete. Saving rules..."
iptables-save > /etc/iptables/rules.v4

Remediation

1. Mobile Device Management (MDM) Action:

   • Block Installation: Enforce policies preventing the installation of apps from unknown sources (sideloading).
   • App Removal: Use MDM capabilities to remotely uninstall identified malicious applications. The initial dropper may masquerade as a legitimate utility or service.
   • Factory Reset: For devices confirmed to be infected with the dex.module runtime payload, a full factory reset is the only guaranteed method of remediation.

2. Network Segmentation:

   • Isolate mobile devices on a separate VLAN. Do not allow mobile devices to communicate directly with critical banking server segments.

3. Proxy Blocking:

   • Configure perimeter firewalls and web proxies to explicitly block outbound connections on TCP port 1080 (SOCKS5) from mobile subnets.

4. Threat Intelligence Updates:

   • Ensure that your network security infrastructure (NGFW, IDS) is updated with the latest IOCs for TrickMo, specifically the TON C2 node IPs and domains associated with this campaign.

Related Resources

Security Arsenal Managed SOC Services AlertMonitor Platform Book a SOC Assessment soc-mdr Intel Hub