Android banking malware continues to evolve as threat actors enhance existing malware families to evade detection and disruption.
A recently identified resurgence of the TrickMo Android banking trojan illustrates how mobile threats are incorporating alternative communication infrastructures and expanded surveillance capabilities to sustain operations and complicate defensive response efforts. The latest activity underscores persistent risks to mobile banking and cryptocurrency users, particularly in regions where these malware campaigns are actively targeting financial applications.
TrickMo is an Android banking malware family that has been active since at least 2019. Security researchers have tracked its continued development over several years, identifying numerous variants operating globally. By late 2024, researchers had documented dozens of distinct TrickMo variants, indicating sustained investment by threat actors in refining the malware’s capabilities.
Latest Variant Observed in Europe
According to recently published mobile threat intelligence research, a newly observed TrickMo variant has been active since January. This version disguises itself as legitimate consumer applications, including social media and streaming apps, to encourage installation. Observed targeting has focused on users in France, Italy and Austria, with the malware designed to compromise banking applications and cryptocurrency wallets on infected devices.
Use of The Open Network for Command-and-Control
A significant change in the latest TrickMo variant is its use of The Open Network (TON) for command-and-control communications. Instead of relying on traditional domain-based infrastructure, the malware uses 256-bit TON identifiers and .ADNL addresses that are routed through a local TON proxy embedded directly on infected devices.
This approach obscures the underlying IP address and communication port, making the backend infrastructure more difficult to identify, block or dismantle. As a result, the malware can maintain stealthier and more resilient communication with its operators.
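To give a security team something concrete to look for in the TON-based channel described above, the following is an added example (not code from this article or from any TrickMo report). It flags destinations that end in .adnl or consist of a bare 256-bit identifier in a set of constructed triage records; the 64-hexadecimal-character encoding of the identifier and the "uid=… dst=…" record shape are both assumptions made for illustration.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# 64 hexadecimal characters encode 256 bits; assumed encoding of a TON identifier.
TON_ID_RE = re.compile(r"[0-9a-fA-F]{64}")
# Host label(s) ending in .adnl, the suffix the article associates with TON Proxy routing.
ADNL_HOST_RE = re.compile(r"[a-z0-9][a-z0-9.-]*\.adnl", re.IGNORECASE)
# Constructed triage-record shape: "<timestamp> uid=<app uid> dst=<host>:<port>".
RECORD_RE = re.compile(r"^(?P<ts>\S+) uid=(?P<uid>\d+) dst=(?P<host>[^:\s]+):(?P<port>\d+)$")

@dataclass
class Finding:
    ts: str
    uid: str
    host: str
    reason: str

def classify_host(host: str) -> Optional[str]:
    """Return why a destination looks TON-related, or None if it looks ordinary."""
    if ADNL_HOST_RE.fullmatch(host):
        return "adnl-suffix"
    if TON_ID_RE.fullmatch(host):
        return "256-bit-identifier"
    return None

def scan_records(lines: List[str]) -> List[Finding]:
    """Keep only records whose destination matches a TON-style indicator."""
    findings = []
    for line in lines:
        m = RECORD_RE.match(line)
        if not m:
            continue  # skip lines that are not well-formed records
        reason = classify_host(m["host"])
        if reason:
            findings.append(Finding(m["ts"], m["uid"], m["host"], reason))
    return findings

# Constructed sample: two ordinary hosts, one .adnl host, one bare 256-bit identifier.
SAMPLE_RECORDS = [
    "2025-02-01T09:00:01Z uid=10234 dst=api.example-bank.test:443",
    "2025-02-01T09:00:03Z uid=10412 dst=" + "ab" * 32 + ".adnl:80",
    "2025-02-01T09:00:05Z uid=10412 dst=" + "ab" * 32 + ":8080",
    "2025-02-01T09:00:07Z uid=10234 dst=cdn.example.test:443",
]

if __name__ == "__main__":
    for f in scan_records(SAMPLE_RECORDS):
        print(f"{f.ts} uid={f.uid} {f.host} -> {f.reason}")
```

A match is a triage lead rather than a verdict, since legitimate TON applications use the same addressing; the value is in correlating the flagged app uid with the overlay, accessibility and SMS behaviours listed below.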
Expanded Surveillance and Credential Theft Capabilities
The current TrickMo variant retains and expands traditional mobile banking trojan functionality. Reported capabilities include phishing overlays used to capture banking credentials, keylogging, screen recording, live screen streaming, SMS interception and suppression of one-time password notifications. Together, these features enable extensive monitoring of infected devices and facilitate unauthorized account access.
The Steady Maturation of Mobile Banking Malware
The reemergence of TrickMo highlights how mobile banking malware continues to mature through incremental enhancements rather than wholesale redesigns. By integrating alternative communication networks and expanding device surveillance capabilities, this malware family demonstrates a sustained focus on evasion and persistence.
As threat actors adopt stealthier communication infrastructures and expand device-level surveillance capabilities, financial institutions must ensure their mobile security and risk management programs evolve accordingly.
How Schneider Downs Can Help
Schneider Downs supports financial institutions in identifying, assessing and responding to evolving mobile and digital banking risks. Our professionals assist organizations with cybersecurity risk assessments, mobile and application security reviews, threat and vulnerability management and incident preparedness, in addition to IT risk assessments, fraud risk advisory and third-party risk management programs. Together, these services are designed to help institutions strengthen control environments, enhance cyber resilience and address emerging threats across digital channels.
If your organization needs assistance in proactively addressing these risks, please contact our team at [email protected].
About Schneider Downs Financial Services
The Schneider Downs Financial Services industry group supports financial institutions as they navigate evolving risk, regulatory and governance challenges. Our professionals work with institutions to strengthen internal audit, risk advisory and related risk management programs that support sound decision-making, operational effectiveness and regulatory alignment.
Through services spanning internal audit, risk advisory, IT risk advisory, third-party risk management, fraud risk advisory and enterprise risk and compliance, we help financial institutions design and enhance resilient, risk-based programs aligned with their strategic objectives and operating environment.
To learn more, visit our Financial Services Industry Group page.