- ThreatFabric discovered a new TrickMo.C variant targeting Android users in Europe
- Disguised as TikTok/streaming apps, it steals credentials, intercepts SMS, suppresses OTPs and enables live surveillance
- The victims are mostly located in France, Italy and Austria
Android users across Europe are being targeted with a new variant of a decade-old banking Trojan, researchers have revealed.
ThreatFabric has explained how it has been tracking a banking Trojan called TrickMo.C since January 2026.
TrickMo is an Android banking Trojan that was first discovered in September 2019, but since then has been in active development, constantly receiving upgrades and new features. By 2024, more than 40 TrickMo variants existed, delivered through more than a dozen droppers and communicating with 22 separate command-and-control (C2) infrastructures.
Extract secrets from the French, Italians and Austrians
This latest version is disguised as TikTok and streaming apps. The exact deployment mechanism is unknown, but it is safe to assume that the crooks advertise it on third-party app repositories, on Telegram and social media channels, as well as through phishing and SEO poisoning.
Once installed on the target device, TrickMo.C creates a phishing overlay through which it can harvest login credentials and other valuable secrets. It can also log keystrokes, taps and strokes, record the screen, live stream the content directly to the attackers and intercept SMS messages. It can suppress OTP messages, modify users’ clipboard, filter messages and send screenshots.
All of this allows the attackers to steal credentials, log into people’s bank accounts and crypto wallets, and make payments and wire transfers while keeping the victims completely in the dark. The victims are mostly located in France, Italy and Austria, ThreatFabric said.
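As an added defender-side example, not code from ThreatFabric's report or from this article: a small Python triage check that parses an Android manifest and flags the permission combination an app would need for the overlay, SMS-interception and input-logging capabilities described above. The sample manifest is constructed, and the capability-to-permission mapping is this example's own assumption.

```python
# Added example: manifest triage for the permission combination behind the
# capabilities described in the article. Not from ThreatFabric or TechRadar.
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Capability named in the article -> real Android permission(s) that enable it.
# The mapping itself is an assumption made for this example.
CAPABILITY_PERMISSIONS = {
    "phishing overlay": {"android.permission.SYSTEM_ALERT_WINDOW"},
    "SMS interception / OTP suppression": {"android.permission.RECEIVE_SMS",
                                           "android.permission.READ_SMS"},
    "keystroke and tap logging": {"android.permission.BIND_ACCESSIBILITY_SERVICE"},
}

def manifest_capabilities(manifest_xml: str) -> dict:
    """Return {capability: True/False} for the permissions declared in the manifest."""
    root = ET.fromstring(manifest_xml)
    declared = {e.get(ANDROID_NS + "name") for e in root.iter("uses-permission")}
    # An accessibility service declares BIND_ACCESSIBILITY_SERVICE on its
    # <service> element, not in <uses-permission>, so collect those as well.
    declared |= {e.get(ANDROID_NS + "permission") for e in root.iter("service")}
    declared.discard(None)
    return {cap: bool(perms & declared) for cap, perms in CAPABILITY_PERMISSIONS.items()}

def triage(manifest_xml: str, threshold: int = 2) -> tuple:
    """Flag the app when at least `threshold` of the listed capabilities are present."""
    caps = manifest_capabilities(manifest_xml)
    hits = sorted(cap for cap, present in caps.items() if present)
    return (len(hits) >= threshold, hits)

# Constructed manifest of a fake "player" app, for illustration only.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.fakeplayer">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <application>
    <service android:name=".Svc"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
  </application>
</manifest>"""

if __name__ == "__main__":
    print(triage(SAMPLE_MANIFEST))
```

A hit on two or more of these capabilities is a triage signal, not proof of malice; legitimate accessibility and messaging apps can request the same permissions.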
What makes TrickMo.C stand out compared to previous versions is that it communicates with its operator via TON, a decentralized peer-to-peer network originally developed around the Telegram ecosystem. Instead of relying on publicly exposed servers, traffic on TON passes through an encrypted overlay network.
The operators use ADNL addresses routed through an embedded local TON proxy running on the infected endpoint.
Follow TechRadar on Google News and add us as a preferred source to get our expert news, reviews and opinions in your feeds.