The TrickMo virus was first identified and tracked between January and February 2026 and was, at the time, regarded as an Android banking trojan family under active monitoring. While occurrences of its attacks had died down over the past few months, a new version of the virus has recently resurfaced and begun disrupting established financial systems.
The platform that underpins the virus has been deliberately re-engineered for stealth, resilience, and operator reach. What sets it apart from any other currently in circulation is its network layer, which moves the bot’s command-and-control traffic off the conventional internet entirely and onto The Open Network (TON). The malware has been rewritten and redesigned into a substantial platform.
How it works
TrickMo, when activated under the guise of a working link or through other deceptive methods, takes over the device. Once it receives accessibility-service permissions, the bot’s on-device automation kicks in, allowing the operator to gain a real-time interactive view of the device.
If executed successfully, the malware enables credential phishing: it may overlay webpages with a fake UI that appears legitimate.
It may also log keystrokes to capture all text typed by users, intercept SMS messages and notifications in real time, and enable on-device network pivoting.
The malware no longer reaches its operator over the conventional internet: the primary command-and-control transport has been moved to The Open Network (TON), a decentralized peer-to-peer overlay network created for Telegram, complete with its own routing and naming layer.
Beyond all other changes, the new variant extends the operational role of infected devices through SSH tunneling and authenticated SOCKS5 proxying, effectively turning compromised phones into programmable network pivots and traffic exit nodes whose connections may originate within the victim’s network.
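For defenders reviewing traffic from managed phones, the sketch below recognizes a SOCKS5 negotiation that settles on username/password authentication, using the handshake layout from RFC 1928. It is an added example, not code from the original report; the stream labels and bytes are constructed, and it assumes the first bytes of each direction are available unencrypted (a proxy session carried inside an SSH tunnel will not be visible this way).

```python
"""Spot SOCKS5 negotiations (RFC 1928) in the first bytes of a TCP stream."""
from typing import List, Optional, Tuple

SOCKS5 = 0x05
NO_ACCEPTABLE = 0xFF
METHODS = {0x00: "no-auth", 0x01: "gssapi", 0x02: "username/password",
           NO_ACCEPTABLE: "no-acceptable-method"}


def parse_client_greeting(data: bytes) -> Optional[List[int]]:
    """Client opens with VER, NMETHODS, METHODS[NMETHODS]; return the offers."""
    if len(data) < 3 or data[0] != SOCKS5:
        return None
    nmethods = data[1]
    if nmethods == 0 or len(data) < 2 + nmethods:
        return None
    return list(data[2:2 + nmethods])


def parse_server_choice(data: bytes) -> Optional[int]:
    """Server answers with VER, METHOD; return the selected method code."""
    if len(data) < 2 or data[0] != SOCKS5:
        return None
    return data[1]


def classify(client_first: bytes, server_first: bytes) -> str:
    offered = parse_client_greeting(client_first)
    chosen = parse_server_choice(server_first)
    if offered is None or chosen is None:
        return "not-socks5"
    # A server selects only an offered method or refuses with 0xFF.
    if chosen != NO_ACCEPTABLE and chosen not in offered:
        return "not-socks5"
    return "socks5:" + METHODS.get(chosen, "method-0x%02x" % chosen)


# Constructed sample streams: (label, first client bytes, first server bytes).
SAMPLES: List[Tuple[str, bytes, bytes]] = [
    ("phone-a", b"\x05\x02\x00\x02", b"\x05\x02"),   # auth negotiated
    ("phone-b", b"\x05\x01\x00", b"\x05\x00"),       # open proxy, no auth
    ("phone-c", b"SSH-2.0-client\r\n", b"SSH-2.0-server\r\n"),
    ("phone-d", b"\x05\x01\x00", b"\x05\x02"),       # reply never offered
]


def authenticated_proxy_streams(samples=SAMPLES) -> List[str]:
    """Labels of streams that negotiated username/password SOCKS5."""
    return [n for n, c, s in samples if classify(c, s) == "socks5:username/password"]
```

A phone that answers such a handshake is acting as a proxy server, which is not expected behaviour for a managed handset and is worth investigating alongside any enabled accessibility services.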
Remaining vigilant against suspicious links and maintaining strong security practices can help users stay protected from the virus.








