TrickMo Android Banker: TON Blockchain Based C2 Communication Analysis

A look at the new variant of the TrickMo malware that communicates with its C2 over the TON blockchain, with a technical analysis followed by defensive strategies.

Overview

TrickMo is an advanced malware family focused on stealing banking information, specifically targeting Android users in Europe. The latest variant is harder to detect because it communicates covertly over The Open Network (TON) blockchain instead of traditional Command-and-Control (C2) servers.

Threat Analysis

TrickMo can record the screen, capture SMS messages, and steal two-factor authentication (2FA) codes by abusing the device's accessibility services. The new variant aims to evade network traffic analysis by using blockchain transactions as the messaging channel through which it receives C2 instructions.

Detection and Investigation Steps

  • Network Traffic Monitoring: Examine the device's traffic for connections to TON network nodes.
  • Accessibility Services: Check the 'Accessibility' permissions in the Settings menu and revoke access for suspicious applications.
  • Static Analysis: Decompile the APK and examine the services declared in the AndroidManifest.xml file for anything suspicious.
  • Warning: The malware tries to obtain device administrator rights (Device Admin). Once it has them, returning the device to factory settings is the only definitive remedy.
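The two analysis steps above (the accessibility-services check and the manifest review) can be scripted. The following is an added example written for this article, not code from the article or from any vendor tooling: it triages a decoded AndroidManifest.xml (as produced by apktool; the binary manifest inside an APK must be decoded first) for the indicators the article describes, and it checks the raw value of the Android secure setting `enabled_accessibility_services` (readable with `adb shell settings get secure enabled_accessibility_services`) against an allowlist. The manifest, package names, class names and setting value are constructed samples.

```python
# Added example (not from the article): static triage of a decompiled
# AndroidManifest.xml plus a check of the enabled-accessibility-services
# setting, covering the "Accessibility Services" and "Static Analysis" steps.
# The manifest, package names and class names below are constructed samples.
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Permissions that, combined with an accessibility service, fit the
# SMS-capture / 2FA-theft behaviour described for TrickMo.
RISKY_PERMISSIONS = {
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_SMS",
    "android.permission.SYSTEM_ALERT_WINDOW",
}

# Constructed sample of a decoded manifest; package and class names are invented.
SAMPLE_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.constructed">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application>
    <service android:name=".UpdService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
    <receiver android:name=".AdmReceiver"
              android:permission="android.permission.BIND_DEVICE_ADMIN">
      <intent-filter>
        <action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""


def _attr(elem, name):
    """Read an android:-namespaced attribute from a manifest element."""
    return elem.get("{%s}%s" % (ANDROID_NS, name))


def triage_manifest(xml_text):
    """Return (finding_kind, value) tuples for the indicators the article
    lists: risky permissions, accessibility services, device-admin receivers."""
    root = ET.fromstring(xml_text)
    findings = []
    for perm in root.iter("uses-permission"):
        name = _attr(perm, "name")
        if name in RISKY_PERMISSIONS:
            findings.append(("permission", name))
    for svc in root.iter("service"):
        if _attr(svc, "permission") == "android.permission.BIND_ACCESSIBILITY_SERVICE":
            findings.append(("accessibility_service", _attr(svc, "name")))
    for rcv in root.iter("receiver"):
        if _attr(rcv, "permission") == "android.permission.BIND_DEVICE_ADMIN":
            findings.append(("device_admin_receiver", _attr(rcv, "name")))
    return findings


def unexpected_accessibility_services(setting_value, allowed_packages):
    """Given the raw value of the secure setting 'enabled_accessibility_services'
    (colon-separated package/class pairs), return the entries whose package is
    not on the allowlist."""
    value = (setting_value or "").strip()
    if value in ("", "null"):  # 'null' is printed when the setting is unset
        return []
    return [entry for entry in value.split(":")
            if entry and entry.split("/", 1)[0] not in allowed_packages]


if __name__ == "__main__":
    for kind, value in triage_manifest(SAMPLE_MANIFEST):
        print("manifest: %s -> %s" % (kind, value))
    # Constructed sample setting value: a legitimate screen reader plus the
    # sample app's accessibility service.
    sample_setting = ("com.google.android.marvin.talkback/"
                      "com.google.android.marvin.talkback.TalkBackService:"
                      "com.example.constructed/.UpdService")
    for entry in unexpected_accessibility_services(
            sample_setting, {"com.google.android.marvin.talkback"}):
        print("unexpected accessibility service: %s" % entry)
```

On the sample manifest the triage reports the SMS permission, the accessibility service and the device-admin receiver together, which is the combination worth escalating; the allowlist for the accessibility check should be the set of screen readers and assistive apps your organisation actually deploys.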

Defense and Prevention Commands

To block malicious traffic at the network level, you can apply the following restrictions on your corporate firewall:

    # Sample rules to block traffic to TON blockchain nodes
    # Note: iptables resolves a hostname once, at insertion time, and adds one rule
    # per address returned; later DNS changes are not followed, so pair this with DNS filtering.
    iptables -A OUTPUT -d ton.org -j DROP
    iptables -A OUTPUT -d ton-node.com -j DROP

Tips for User Safety

Tip: Download apps only from the official Google Play Store and always keep the 'Unknown Sources' option turned off.

Since TrickMo can monitor the device's screen remotely, pay attention to 'screen sharing' or 'remote access' warnings shown by banking applications. A suspicious 'Google Play Service' update alert on the device may be a TrickMo social engineering lure.

Conclusion

The use of TON-based C2 allows attackers to increase their anonymity. It is critical to use DNS filtering and EDR (Endpoint Detection and Response) solutions in corporate networks to restrict such malware's access to blockchain networks.
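DNS filtering only helps if lookups of the blocked domains are also reviewed, since a hit identifies a device to investigate. The following added example, written for this article and not part of it, scans DNS query logs for lookups of the two domains named in the firewall rules above, matching the domain itself and any subdomain (so that a look-alike such as 'notton.org' is not flagged). The log format and client addresses are constructed for this example.

```python
# Added example (not from the article): scan DNS query logs for lookups of
# the TON-related domains named in the article's firewall rules, matching the
# domain itself and any subdomain. Log format and client addresses below are
# constructed for this example.
BLOCKED_DOMAINS = ("ton.org", "ton-node.com")  # from the article's firewall rules

# Constructed sample log lines: "<timestamp> <client> query[<type>] <qname>"
SAMPLE_DNS_LOG = """\
2024-05-01T09:12:01Z 10.0.0.15 query[A] www.example.com
2024-05-01T09:12:04Z 10.0.0.15 query[A] ton.org
2024-05-01T09:12:09Z 10.0.0.22 query[A] api.ton-node.com
2024-05-01T09:12:11Z 10.0.0.22 query[A] notton.org
"""


def domain_matches(qname, blocked):
    """True when qname equals a blocked domain or is a subdomain of one.
    Trailing dots and case are normalised; 'notton.org' does not match 'ton.org'."""
    q = qname.rstrip(".").lower()
    return any(q == d or q.endswith("." + d) for d in blocked)


def flag_dns_queries(log_text, blocked=BLOCKED_DOMAINS):
    """Return (client, qname) for each query to a blocked domain, in log order."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 4 or not fields[2].startswith("query"):
            continue  # skip malformed lines and non-query records
        client, qname = fields[1], fields[3]
        if domain_matches(qname, blocked):
            hits.append((client, qname))
    return hits


def clients_to_investigate(log_text, blocked=BLOCKED_DOMAINS):
    """Distinct client addresses that queried a blocked domain, sorted."""
    return sorted({client for client, _ in flag_dns_queries(log_text, blocked)})


if __name__ == "__main__":
    for client, qname in flag_dns_queries(SAMPLE_DNS_LOG):
        print("%s looked up %s" % (client, qname))
    print("investigate:", ", ".join(clients_to_investigate(SAMPLE_DNS_LOG)))
```

The suffix match is what makes the check useful against a real resolver log: a filter that compares whole names only would miss every subdomain, while a plain substring match would flag unrelated names that merely contain the blocked string.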
