New TrickMo Variant: Device Take Over malware targeting Banking, Fintech, Wallet & Auth apps
A new variant of the TrickMo Android banking trojan was identified in early 2026, featuring a major platform redesign. This malware targets banking, fintech, wallet, and authentication apps primarily in France, Italy, and Austria. It uses The Open Network (TON) with .adnl endpoints for its command-and-control infrastructure, avoiding traditional internet infrastructure. Upon gaining accessibility permissions, the malware enables operators to control the device in real time, including credential phishing, keylogging, screen recording, SMS interception, and remote control. New capabilities include network reconnaissance and SSH tunneling, allowing infected devices to act as network pivots and SOCKS5 proxy exit nodes. This enables attackers to bypass IP-based fraud detection while accessing victim networks. No official patch or remediation guidance is provided, and no known exploits in the wild are reported yet.
AI Analysis (machine-generated threat intelligence)
Technical Summary
This threat is a redesigned variant of the TrickMo Android banking trojan discovered between January and February 2026. Unlike previous versions, it has migrated its command-and-control infrastructure to The Open Network (TON) using .adnl endpoints, moving away from conventional internet infrastructure. The malware targets users of banking, fintech, wallet, and authentication applications in France, Italy, and Austria. Once accessibility permissions are granted, operators gain extensive real-time control over the device, including credential phishing, keylogging, screen recording, SMS interception, and bidirectional remote control. New features include network reconnaissance and SSH tunneling, which allow the infected device to function as a programmable network pivot and SOCKS5 proxy exit node. This capability helps attackers evade IP-based fraud detection systems while accessing victim networks. The malware hashes are provided for detection purposes. There is no indication of known exploits in the wild or available patches.
Potential Impact
The malware enables attackers to take full control of infected Android devices with granted accessibility permissions. This includes stealing credentials, intercepting SMS messages, recording screens, logging keystrokes, and remotely controlling the device. The addition of network reconnaissance and SSH tunneling allows attackers to use infected devices as network pivots and proxy nodes, facilitating stealthy lateral movement and evasion of IP-based fraud detection. The targeting of banking, fintech, wallet, and authentication apps in specific European countries suggests a focused financial crime impact. No known exploits in the wild have been reported yet, but the capabilities pose a significant risk to affected users.
Mitigation Recommendations
No official patch or remediation guidance is currently available for this malware variant; check the referenced vendor advisory for the current remediation status. Since the malware relies on accessibility permissions to gain control, users and organizations should be cautious about granting such permissions to untrusted applications. Monitoring for indicators of compromise such as the provided malware hashes can aid detection. Users in affected regions should be vigilant for suspicious app behavior and avoid installing apps from untrusted sources. Security teams should consult the referenced vendor advisory and threat intelligence sources for updates.
Affected Countries
France, Italy, Austria
Indicators of Compromise
- hash: c25f7fb9f4e1f5f7c2c9c25c0d827b04
- hash: df63a73bf700053d47080f07a612f143
- hash: 1e4e8c4289d00e54be118e54e1144ac9ebbf4c79
- hash: eae15d3974eb669b14737e9aa17fc706bd1a7ec8
- hash: 01889a9ec2abecb73e5e8792be68a4e3bc7dcbe1c3f19ac06763682d63aa8c21
- hash: 143c0e12d2aa1bdecde59f273139dd5605d00f61cda7f626224e07390119c026
- hash: 177ef86c57c31b29850227dbc8288b735bea977587f2f0a49cfc4089a644a2c4
- hash: 4cd8635062ff6b0885216a0b1658ebcb2938b670f7ac08ecb0b5fb85d8973ea0
- hash: 749bbcbc3e5d2d524344d52b6471dfa7b8d3ecdeb0b11ab82c843d497a056c8f
- hash: e2e218ddf698b4c0099fd2a9619d6912a71f75beb51669a4e3ae4fc71f745d03
Technical Details
- Author: AlienVault
- TLP: white
- References: https://www.threatfabric.com/blogs/new-trickmo-variant-device-take-over-malware-targeting-banking-fintech-wallet-auth-app
- Adversary: none listed
- Pulse Id: 6a019c5f0a3344d92c4302a3
- Threat Score: none listed
Threat ID: 6a01a69bcbff5d8610ef204f
Added to database: 5/11/2026, 9:51:23 AM
Last enriched: 5/11/2026, 10:06:25 AM
Last updated: 5/11/2026, 4:47:07 PM