GoKawiilA new variant of the TrickMo Android banking malware, delivered in campaigns targeting users across Europe, introduces new commands and uses The Open Network (TON) for stealthy command-and-control communications.
The TrickMo banker was first spotted in September 2019 and has remained in active development, constantly receiving updates since then.
In October 2024, Zimperium analyzed 40 variants of the malware delivered via 16 droppers, communicating with 22 distinct command-and-control (C2) infrastructures, and targeting sensitive data belonging to users worldwide.
The latest variant was discovered by ThreatFabric, which tracks it as 'Trickmo.C'. The researchers have been observing this version since January.
In a report today, ThreatFabric says that the malware is disguised as TikTok or streaming apps and targets banking and cryptocurrency wallets of users in France, Italy, and Austria.
The key new feature in the current variant is the TON-based communication with the operator, which uses .ADNL addresses routed through an embedded local TON proxy running on the infected device.
TON is a decentralized peer-to-peer network originally developed around the Telegram ecosystem that allows devices to communicate with the web via an encrypted overlay network rather than publicly exposed internet servers.
TON uses a 256-bit identifier instead of a normal domain, which hides the IP address and communication port, thus making the real server infrastructure more difficult to identify, block, or take down.
“Traditional domain takedowns are largely ineffective because the operator’s endpoints do not rely on the public DNS hierarchy and instead exist as TON .adnl identities resolved inside the overlay network itself,” explains ThreatFabric.
“Traffic-pattern detection at the network edge sees only TON traffic, which is encrypted and indistinguishable from any other TON-enabled application's outbound flow.”
... continue reading