This devious Android malware has returned disguised as TikTok or streaming apps — and is now using blockchain to remain undetected

  • ThreatFabric spotted new TrickMo.C variant targeting Android users in Europe
  • Disguised as TikTok/streaming apps, it steals credentials, intercepts SMS, suppresses OTPs, and enables live surveillance
  • Victims are mostly situated in France, Italy and Austria

Android users across Europe are being targeted with a new variant of a decade-old banking trojan, researchers have revealed.

ThreatFabric said it has been tracking a banking trojan called TrickMo.C since January 2026.

TrickMo is an Android banking trojan that was first spotted in September 2019 and has been in active development ever since, constantly receiving upgrades and new features. By 2024, there were more than 40 TrickMo variants in existence, delivered through more than a dozen droppers and communicating with 22 separate command-and-control (C2) infrastructures.

Extracting secrets from the French, Italians, and Austrians

This latest version is being disguised as TikTok and streaming apps. The exact deployment mechanism is unknown, but it’s safe to assume the crooks are advertising it on third-party app repositories, on Telegram and social media channels, as well as through phishing and SEO poisoning.

When installed on the target device, TrickMo.C creates a phishing overlay through which it can harvest login credentials and other valuable secrets. It can also log keys, taps, and strokes, record the screen, livestream the contents directly to the attackers, and intercept SMS messages. It can suppress OTP notifications, modify the users’ clipboard, filter notifications, and send screenshots.

All of this allows the attackers to steal credentials, log into people’s bank accounts and crypto wallets, and make payments and wire transfers, all while keeping the victims entirely in the dark. The victims are mostly located in France, Italy, and Austria, the researchers said.

What makes TrickMo.C stand out compared to previous versions is that it communicates with its operator via TON, a decentralized peer-to-peer network originally developed around the Telegram ecosystem. On TON, instead of using publicly exposed servers, users communicate with the web through an encrypted overlay network.

The operators use ADNL addresses routed through an embedded local TON proxy that runs on the infected endpoint.



Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.
