SOCKS5 Proxy for Network Pivoting
The latest version of the TrickMo Android banking trojan introduces a SOCKS5 proxy feature, allowing attackers to route network traffic through an infected device. This capability transforms compromised phones into network pivots, enabling cybercriminals to mask their activities behind the victim’s IP address and bypass network restrictions. The SOCKS5 integration significantly expands the malware’s utility beyond simple credential theft.
TON Blockchain for Command and Control
TrickMo now leverages The Open Network (TON) blockchain for its command and control infrastructure. By using TON's decentralized architecture, the malware becomes more resilient against takedown attempts. Traditional C2 servers can be blocked or seized, but blockchain-based C2 systems are far harder to disrupt. This approach adds a layer of anonymity for attackers and makes it more difficult for security teams to trace or intercept communications.
Evolving Android Threat Landscape
This evolution of TrickMo underscores the growing sophistication of mobile malware targeting financial institutions. The combination of blockchain C2 and proxy functionality presents new challenges for detection and response. Organizations with Android device fleets should monitor for unusual network traffic patterns and consider deploying additional endpoint protection that can identify proxy usage and blockchain communications.
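As an added illustration of the monitoring advice above (example code, not from the article or its source), the following Python checks captured flow records for an RFC 1928 SOCKS5 client greeting addressed to a host on the mobile-device subnet: a managed phone should never be the server side of a SOCKS5 handshake. The subnet prefix and the flow records are constructed placeholders.

```python
from dataclasses import dataclass

# Assumed/constructed: address prefix of the organisation's mobile-device subnet.
MOBILE_NET = "10.20."

@dataclass(frozen=True)
class Flow:
    src: str        # client address
    dst: str        # server address
    dport: int
    payload: bytes  # first bytes the client sent (from a packet capture or IDS)

def is_socks5_greeting(payload: bytes) -> bool:
    """True if payload starts with an RFC 1928 client greeting:
    VER=0x05, NMETHODS>=1, followed by at least NMETHODS method bytes.
    Method values are not validated because private-use codes (0x80-0xFE)
    are legitimate and a malicious proxy may use any of them."""
    if len(payload) < 3 or payload[0] != 0x05:
        return False
    nmethods = payload[1]
    return nmethods != 0 and len(payload) >= 2 + nmethods

def find_pivot_candidates(flows):
    """Mobile hosts that accept SOCKS5 greetings, i.e. behave as a proxy server.
    Returns {device address: sorted list of client addresses that greeted it}."""
    hits = {}
    for f in flows:
        if f.dst.startswith(MOBILE_NET) and is_socks5_greeting(f.payload):
            hits.setdefault(f.dst, set()).add(f.src)
    return {dst: sorted(srcs) for dst, srcs in hits.items()}

# Constructed sample flows (not real traffic).
SAMPLE_FLOWS = [
    # external client greeting a phone with SOCKS5 (no-auth and user/pass offered): suspicious
    Flow("203.0.113.7", "10.20.1.15", 1080, b"\x05\x02\x00\x02"),
    Flow("203.0.113.7", "10.20.1.15", 1080, b"\x05\x01\x00"),
    # phone opening an outbound TLS session to a web server: normal
    Flow("10.20.1.15", "198.51.100.3", 443, b"\x16\x03\x01\x00\xa5"),
    # SOCKS4 request to a phone: a different protocol, not flagged by this check
    Flow("203.0.113.9", "10.20.1.22", 1080, b"\x04\x01\x00\x50\x0a\x00\x00\x01\x00"),
    # version byte 0x05 but fewer method bytes than declared: malformed, not flagged
    Flow("203.0.113.9", "10.20.1.22", 1080, b"\x05\x02\x00"),
]

if __name__ == "__main__":
    print(find_pivot_candidates(SAMPLE_FLOWS))
```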
Source: The Hacker News