New TrickMo Variant Uses TON C2 and SOCKS5 to Create Android Network Pivots
Briefly

"TrickMo carries an embedded native TON proxy that the host APK starts on a loopback port at process start. The bot's HTTP client is wired through that proxy, so every outbound command-and-control request is addressed to an .adnl hostname and resolved through the TON overlay."
TrickMo is an Android device takeover malware active since late 2019. It abuses Android accessibility services to hijack one-time passwords and includes credential phishing, keystroke logging, screen recording, live screen streaming, and SMS interception for full remote control. New TrickMo C variants use runtime-loaded APK components labeled dex.module, delivered via phishing websites and dropper apps. The updated component adds reconnaissance, SSH tunnelling, and SOCKS5 proxying so infected devices can act as programmable network pivots and traffic-exit nodes. A key architectural change uses the TON decentralized blockchain for stealthy C2. The malware starts an embedded native TON proxy on a loopback port, routes HTTP C2 traffic through it, and resolves .adnl hostnames via the TON overlay.
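Two of the traits above are directly observable from the defender's side: app traffic addressed to .adnl names that are resolved through the TON overlay rather than ordinary DNS, and an unexpected SOCKS5 listener on the device. The following is an added detection example, not code from the article or from any named vendor; the log format, the package names and the loopback port 9050 are constructed for illustration.

```python
import re

# Constructed sample egress records (not real TrickMo telemetry): one line per
# outbound connection from an Android device as an egress proxy or an on-device
# VPN-based monitor might record it. Port 9050 is an assumed loopback port; the
# article gives no port number.
SAMPLE_EGRESS_LOG = """\
2025-01-10T09:12:01Z pkg=com.example.bank dst=api.example-bank.test:443 proto=https
2025-01-10T09:12:07Z pkg=com.example.dropper dst=c2node.adnl:80 proto=http via=127.0.0.1:9050
2025-01-10T09:12:09Z pkg=com.android.chrome dst=www.example.org:443 proto=https
2025-01-10T09:12:15Z pkg=com.example.dropper dst=ton-proxy.adnl:443 proto=http via=127.0.0.1:9050
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<kv>.*)$")


def parse_egress(text):
    """Turn the key=value log lines into dicts, splitting dst into host/port."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        rec = {"ts": m.group("ts")}
        rec.update(kv.split("=", 1) for kv in m.group("kv").split())
        host, _, port = rec["dst"].rpartition(":")
        rec["host"], rec["port"] = host, int(port)
        records.append(rec)
    return records


def find_adnl_c2(records):
    """Flag connections to TON .adnl names, the C2 addressing described for
    TrickMo. Also note whether the request went through a loopback proxy,
    matching the embedded TON proxy pattern in the article."""
    hits = []
    for rec in records:
        if rec["host"].lower().endswith(".adnl"):
            rec = dict(rec)
            rec["loopback_proxy"] = rec.get("via", "").startswith("127.")
            hits.append(rec)
    return hits


def is_socks5_greeting(data):
    """RFC 1928 client greeting: VER=0x05, NMETHODS, then exactly that many
    method bytes. Handy when classifying traffic seen on an unexpected
    on-device listener as SOCKS5."""
    return len(data) >= 2 and data[0] == 0x05 and len(data) == 2 + data[1]
```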
Read at The Hacker News