The Android banking trojan TrickMo has taken a notable step forward by adopting The Open Network, or TON, as part of its covert communications architecture. Researchers say the change marks an escalation in how mobile malware operators hide command-and-control activity and reduce their dependence on infrastructure that defenders can easily seize or block.
Traditional banking malware usually relies on centralized servers to send instructions and receive stolen data. That architecture has an obvious weakness: once investigators identify the server or domain, they can block it, sinkhole it, or work with providers to take it down. TrickMo's use of blockchain changes that equation by moving key operational data into a more resilient, decentralized environment.
In practice, this means infected devices can retrieve infrastructure details or operational instructions from data published on TON rather than relying only on hardcoded domains or classic DNS-based paths. For defenders, that makes containment harder because there is no single obvious control point to cut off. The result is a malware operating model that is more durable, less transparent, and more resistant to conventional takedown workflows.
That matters because TrickMo is not an experimental family with limited relevance. It has been active since 2019 and is tied to banking fraud operations that target financial credentials and, increasingly, crypto-related assets. Adding TON to the toolbox suggests the operators are adapting directly to better monitoring, faster incident response, and stronger enforcement pressure on traditional malware infrastructure.
The broader implication is that decentralized technologies are no longer just a financial or Web3 story. They are also becoming a defensive blind spot that malware developers can exploit when they want persistence and deniability. Security teams that focus only on domains, IPs, and conventional C2 patterns will have a harder time spotting or disrupting these newer operating models.