A new variant of the TrickMo banking trojan has been detected, notable for its innovative use of the TON network as a command and control infrastructure. Attackers implement SOCKS5 tunnels to create network pivots on infected Android devices, facilitating lateral movement into corporate networks. This combination allows them to hide communications and evade detection, marking an evolution in mobile attack techniques that demands new security strategies.
SOCKS5 Tunnels and TON: The New Attack Route on Android 🛡️
TrickMo leverages the TON network to camouflage its command and control communications, while SOCKS5 tunnels turn the Android device into a malicious proxy. This allows attackers to redirect traffic through the compromised handset, establishing a pivot into internal networks without raising suspicion. The technique bypasses traditional blocks by using decentralized channels and non-standard network protocols, forcing security teams to integrate risk analysis and policy frameworks that treat the mobile device as a critical attack vector.
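As an added detection example (not code from the original report or from TrickMo), the snippet below decodes SOCKS5 CONNECT requests from the first bytes of a flow and flags any flow where a device on an assumed mobile/BYOD subnet is relaying a request toward an assumed internal address range or DNS suffix, which is what a phone acting as a pivot looks like on the wire. The subnets, suffix and sample flows are constructed assumptions, and the check works whichever side opened the TCP connection.

```python
import ipaddress
import socket
import struct

MOBILE_SUBNET = ipaddress.ip_network("10.50.0.0/16")    # assumed BYOD / Wi-Fi range
CORP_INTERNAL = ipaddress.ip_network("10.0.0.0/16")     # assumed internal server range
INTERNAL_SUFFIX = ".corp.example"                       # assumed internal DNS suffix

def parse_socks5_connect(payload: bytes):
    """Decode a SOCKS5 CONNECT (RFC 1928: VER CMD RSV ATYP ADDR PORT) into (host, port) or None."""
    if len(payload) < 7 or payload[:3] != b"\x05\x01\x00":
        return None
    atyp = payload[3]
    if atyp == 0x01 and len(payload) >= 10:            # IPv4 address
        host, end = socket.inet_ntoa(payload[4:8]), 8
    elif atyp == 0x03:                                  # domain name, length-prefixed
        n = payload[4]
        if len(payload) < 5 + n + 2:
            return None
        host, end = payload[5:5 + n].decode("ascii", "replace"), 5 + n
    else:                                               # IPv6 and anything else: not handled here
        return None
    return host, struct.unpack("!H", payload[end:end + 2])[0]

def is_internal(host: str) -> bool:
    try:
        return ipaddress.ip_address(host) in CORP_INTERNAL
    except ValueError:                                  # not an IP literal: check the DNS suffix
        return host.endswith(INTERNAL_SUFFIX)

def find_mobile_pivots(flows):
    """flows: (src_ip, dst_ip, first_payload) as a passive sensor records them. Alert when a
    SOCKS5 CONNECT aimed at an internal host crosses a flow with a mobile device on either end."""
    alerts = []
    for src, dst, payload in flows:
        phone = next((ip for ip in (src, dst) if ipaddress.ip_address(ip) in MOBILE_SUBNET), None)
        target = parse_socks5_connect(payload) if phone else None
        if target and is_internal(target[0]):
            alerts.append((phone, target[0], target[1]))
    return alerts

# Constructed sample flows (not real captures); 203.0.113.7 stands in for an attacker host.
SAMPLE_FLOWS = [
    ("10.50.1.20", "93.184.216.34", b"\x16\x03\x01\x00\xc8"),                          # ordinary TLS hello
    ("203.0.113.7", "10.50.1.20", b"\x05\x01\x00"),                                    # SOCKS5 greeting only
    ("203.0.113.7", "10.50.1.20", b"\x05\x01\x00\x01\x0a\x00\x00\x05\x01\xbd"),        # CONNECT 10.0.0.5:445
    ("10.50.1.21", "203.0.113.7", b"\x05\x01\x00\x03\x12files.corp.example\x00\x50"),  # CONNECT by name, :80
    ("10.50.1.22", "203.0.113.7", b"\x05\x01\x00\x01\x5d\xb8\xd8\x22\x01\xbb"),        # CONNECT to external :443
]
```

Only the two CONNECTs toward internal targets produce alerts; the greeting alone and the external CONNECT do not, so tuning the subnet and suffix to your own environment is what makes the check useful.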
Your Android Is Now a Proxy, and Not for Watching Netflix 😅
Because nothing says trust like your phone becoming cybercriminals' favorite passageway. While you scroll through Instagram, TrickMo uses your Android as a SOCKS5 tunnel for an attacker to access your company's network. The worst part? They don't even pay you a toll. So now you know: if your phone is slower than usual, maybe it's not the battery—it's working for another boss. And it's not even paying into Social Security.