ThreatFabric has detailed TrickMo.C, a new variant of the TrickMo Android banking malware family that moves its command-and-control layer onto The Open Network using .adnl endpoints and an embedded local proxy. The user-facing malware behavior is familiar: credential overlays, keylogging, SMS and notification interception, screen streaming, and remote control after abusing Android accessibility permissions. The important change is underneath: the infected phone can now work as a programmable network pivot.
That shift matters because mobile banking malware is no longer only about stealing an OTP or imitating a bank screen. TrickMo.C adds reconnaissance, SSH tunnelling, and SOCKS5 proxying, allowing operators to route activity through the victim device. For fraud teams, that can make transactions and login attempts look closer to the customer’s normal mobile environment. For victims, it means a compromised phone may be useful to attackers even when no banking app is open.
Why the Proxy Capability Changes the Risk
ThreatFabric says TrickMo.C campaigns target banking and wallet users in France, Italy, and Austria, with lures including TikTok-themed campaign tags. Once accessibility permission is granted, the malware can present fullscreen WebView overlays, capture typed data, suppress notifications, and replay attacker gestures through the device. The same device can then become a traffic-exit node, which is useful for account takeover, fraud-session replay, and hiding operator infrastructure.
The practical triage point is that a suspicious banking overlay is not the only symptom to look for. Check whether the device shows unusual accessibility services, unknown VPN/proxy-like behavior, battery or network spikes while idle, unfamiliar apps posing as streaming or social-media tools, and login alerts that appear to come from the same phone after the user stopped using it. If a bank, wallet, or authenticator app was opened while the phone was infected, assume both credentials and session context may be exposed.
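Two of those checks (an accessibility service owned by a package the analyst does not recognise, and a local listener owned by that same package, which is what an embedded proxy looks like from the device) can be scripted against standard Android shell output. The following is an added example, not ThreatFabric's or Gridinsoft's code; the package name, pid and port are constructed, and the allowlist of known accessibility packages is an assumption the analyst would maintain.

```python
"""Triage helper for two of the indicators above: parses constructed samples of
`adb shell settings get secure enabled_accessibility_services` and
`adb shell ss -tlnp`, then flags unknown accessibility services and any
TCP listener the same package owns (a possible local proxy)."""
import re

# Constructed: the colon-separated secure setting of enabled accessibility services.
ENABLED_A11Y = "com.android.talkback/.TalkBackService:com.example.fanpack/.OverlayService"

# Constructed: `ss -tlnp` output; "com.example.fanpack" is a made-up app package.
SS_OUTPUT = """State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      50     127.0.0.1:1080    0.0.0.0:*   users:(("com.example.fanpack",pid=4321,fd=57))
LISTEN 0      10     127.0.0.1:5037    0.0.0.0:*   users:(("adbd",pid=123,fd=8))
"""

# Assumption: accessibility packages the analyst has vetted on this device fleet.
KNOWN_A11Y_PACKAGES = {"com.android.talkback", "com.google.android.marvin.talkback"}

LISTEN_RE = re.compile(r'^LISTEN\s+\S+\s+\S+\s+(\S+):(\d+)\s+\S+\s+users:\(\("([^"]+)"')


def parse_accessibility_services(setting):
    """Return {package: service} from the 'pkg/Service:pkg/Service' setting string."""
    services = {}
    for entry in filter(None, setting.split(":")):
        pkg, _, svc = entry.partition("/")
        services[pkg] = svc
    return services


def parse_listeners(ss_text):
    """Return [(process_name, bind_address, port)] for every LISTEN socket."""
    found = []
    for line in ss_text.splitlines():
        m = LISTEN_RE.match(line)
        if m:
            found.append((m.group(3), m.group(1), int(m.group(2))))
    return found


def triage(a11y_setting, ss_text, known=KNOWN_A11Y_PACKAGES):
    """Flag unknown accessibility services and any listener owned by that package."""
    findings = []
    listeners = parse_listeners(ss_text)
    for pkg, svc in parse_accessibility_services(a11y_setting).items():
        if pkg in known:
            continue
        findings.append(f"unknown accessibility service {pkg}/{svc}")
        for proc, addr, port in listeners:
            if proc == pkg:
                findings.append(f"{pkg} listens on {addr}:{port} (possible local proxy)")
    return findings


if __name__ == "__main__":
    for finding in triage(ENABLED_A11Y, SS_OUTPUT):
        print("[!]", finding)
```

On a real device the process column of `ss` may show a renamed or sandboxed process rather than the package name, so the listener match is a hint to confirm by hand, not proof on its own.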
This connects to recent Gridinsoft coverage of CallPhantom scam apps and CloudZ OTP theft: attackers increasingly abuse the phone as part of the trust path, not just as a place where messages arrive. The safer response sequence is to disconnect the device, remove unknown apps only after preserving key evidence, revoke banking and wallet sessions from a clean device, rotate passwords, re-enroll MFA when needed, and review recent payment, card, wallet, and authenticator activity for actions that used the compromised handset as cover.
References
- ThreatFabric: “New TrickMo Variant: Device Take Over malware targeting Banking, Fintech, Wallet & Auth apps,” May 11, 2026.