The platform underlying the virus has been deliberately re-engineered for stealth, resilience, and operator reach. What sets it apart from any other variant currently in circulation is its network layer: the bot’s command-and-control traffic has been moved off the conventional internet entirely and onto The Open Network (TON). The malware has been rewritten and its platform substantially redesigned.
How it works
Once activated, whether disguised as a legitimate link or delivered through another deceptive method, TrickMo proceeds to take over the device. After it obtains accessibility-service permissions, the bot’s on-device automation takes over, giving the operator a real-time interactive view of the device.
Once running, the malware can phish credentials by overlaying webpages with a fake but legitimate-looking UI.
It can also keylog everything the user types, intercept SMS messages and notifications in real time, and enable on-device network pivoting.
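Because the takeover described above hinges on the accessibility service, the enabled accessibility services are the first thing to check on a suspect device. The script below is an added example, not code from the article or from any TrickMo analysis: it parses the text that Android's `settings get secure enabled_accessibility_services` command returns (a colon-separated list of ComponentName strings, or the literal `null` when nothing is enabled) and reports any service missing from an allowlist. The allowlist, the sample output and the package names in it are constructed for the example; the short `package/.Class` form is expanded so it matches the full form.

```python
"""Audit the accessibility services enabled on an Android device.

Added example (not from the article). Input is the text returned by
    adb shell settings get secure enabled_accessibility_services
which is a colon-separated list of ComponentName strings
("package/ServiceClass"), or the literal "null" when nothing is enabled.
"""
from typing import Iterable, List, Set

# Constructed allowlist: the services this organisation expects to see.
KNOWN_GOOD_SERVICES: Set[str] = {
    "com.android.talkback/com.google.android.marvin.talkback.TalkBackService",
    "com.example.corpmdm/com.example.corpmdm.AgentService",  # hypothetical MDM agent
}


def normalize_component(component: str) -> str:
    """Expand the short ComponentName form "pkg/.Class" to "pkg/pkg.Class"."""
    pkg, sep, cls = component.partition("/")
    if sep and cls.startswith("."):
        return f"{pkg}/{pkg}{cls}"
    return component


def parse_enabled_services(settings_output: str) -> List[str]:
    """Split the raw `settings get` output into normalized ComponentName strings."""
    value = settings_output.strip()
    if not value or value == "null":
        return []
    return [normalize_component(item.strip()) for item in value.split(":") if item.strip()]


def find_unexpected_services(settings_output: str,
                             allowlist: Iterable[str] = KNOWN_GOOD_SERVICES) -> List[str]:
    """Return enabled services that are not on the allowlist."""
    allowed = {normalize_component(a) for a in allowlist}
    return [svc for svc in parse_enabled_services(settings_output) if svc not in allowed]


# Constructed sample: a legitimate screen reader plus an unfamiliar package.
SAMPLE_OUTPUT = (
    "com.android.talkback/com.google.android.marvin.talkback.TalkBackService:"
    "com.example.fakeupdate/com.example.fakeupdate.AccService"
)

if __name__ == "__main__":
    for svc in find_unexpected_services(SAMPLE_OUTPUT):
        print("unexpected accessibility service:", svc)
```

An unexpected entry is a triage signal, not proof of infection; the next step is to pull the APK for that package and inspect it.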
Instead of reaching its operator over the conventional internet, the virus now uses The Open Network (TON) as its primary command-and-control transport: a decentralised peer-to-peer overlay network originally created for Telegram, with its own routing and naming layer.
On top of these changes, the new variant expands the operational role of infected devices through SSH tunnelling and authenticated SOCKS5 proxying, effectively turning compromised phones into programmable network pivots and traffic exit nodes whose connections may originate from the victim’s own network environment.
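The pivot behaviour described above leaves two protocol-level traces a network defender can look for: a phone opening an SSH session to an outside host (the tunnel), and a phone answering a SOCKS5 client greeting (the proxy). The script below is an added example, not code from the article or from any TrickMo analysis: it classifies constructed flow records by matching the cleartext SSH identification string (RFC 4253, `SSH-2.0-...`) and the SOCKS5 greeting and method-selection bytes (RFC 1928, with method `0x02` being RFC 1929 username/password), rather than by port number, since the article names no ports. The mobile address range and all flows are constructed. One caveat the code reflects: if the SOCKS5 handshake is carried inside the SSH tunnel it is not visible on the wire, so the outbound SSH session from a phone is the more reliable of the two signals.

```python
"""Flag SSH tunnels and SOCKS5 service involving phones in a mobile/BYOD range.

Added example (not from the article). Flow records carry the first bytes each
side sent; detection keys on those bytes, not on port numbers.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

SOCKS_VERSION = 0x05
METHOD_USERPASS = 0x02      # RFC 1929 username/password
METHOD_NONE_ACCEPTABLE = 0xFF

# Constructed: the address range handed out to corporate/BYOD phones.
MOBILE_SUBNET = ipaddress.ip_network("10.50.0.0/16")


@dataclass
class Flow:
    src: str
    dst: str
    dport: int
    client_payload: bytes   # first bytes sent by src
    server_payload: bytes   # first bytes sent back by dst


def is_ssh_identification(data: bytes) -> bool:
    """True if `data` begins with an SSH identification string (RFC 4253)."""
    return data.startswith(b"SSH-2.0-") or data.startswith(b"SSH-1.99-")


def parse_socks5_greeting(data: bytes) -> Optional[List[int]]:
    """Return the offered auth methods if `data` is a SOCKS5 client greeting, else None."""
    if len(data) < 2 or data[0] != SOCKS_VERSION:
        return None
    nmethods = data[1]
    if nmethods == 0 or len(data) < 2 + nmethods:
        return None
    return list(data[2:2 + nmethods])


def parse_socks5_selection(data: bytes) -> Optional[int]:
    """Return the method the server selected, or None if not a SOCKS5 reply."""
    if len(data) < 2 or data[0] != SOCKS_VERSION:
        return None
    return data[1]


def classify(flow: Flow) -> List[Tuple[str, str]]:
    """Return (kind, description) findings for one flow."""
    findings = []
    src_mobile = ipaddress.ip_address(flow.src) in MOBILE_SUBNET
    dst_mobile = ipaddress.ip_address(flow.dst) in MOBILE_SUBNET

    # Signal 1: a phone opening an SSH session to a non-mobile host (the tunnel).
    if src_mobile and not dst_mobile and is_ssh_identification(flow.server_payload):
        findings.append(("ssh_tunnel",
                         f"{flow.src} opened SSH to {flow.dst}:{flow.dport}"))

    # Signal 2: a phone accepting a SOCKS5 greeting (proxy visible on the wire).
    methods = parse_socks5_greeting(flow.client_payload)
    chosen = parse_socks5_selection(flow.server_payload)
    if (dst_mobile and methods is not None and chosen is not None
            and chosen != METHOD_NONE_ACCEPTABLE and chosen in methods):
        auth = "username/password" if chosen == METHOD_USERPASS else f"method 0x{chosen:02x}"
        findings.append(("socks5_server",
                         f"{flow.dst}:{flow.dport} serves SOCKS5 ({auth}) to {flow.src}"))
    return findings


def scan(flows: List[Flow]) -> List[Tuple[str, str]]:
    return [f for flow in flows for f in classify(flow)]


# Constructed sample flows: an SSH tunnel, a TLS session, an accepted SOCKS5
# handshake with password auth, and a SOCKS5 greeting the server rejected.
SAMPLE_FLOWS = [
    Flow("10.50.12.34", "198.51.100.9", 22, b"SSH-2.0-client\r\n", b"SSH-2.0-OpenSSH_9.6\r\n"),
    Flow("10.50.12.35", "198.51.100.9", 443, b"\x16\x03\x01\x02\x00", b"\x16\x03\x03"),
    Flow("203.0.113.7", "10.50.12.36", 1080, bytes([0x05, 0x02, 0x00, 0x02]), bytes([0x05, 0x02])),
    Flow("203.0.113.8", "10.50.12.37", 1080, bytes([0x05, 0x01, 0x00]), bytes([0x05, 0xFF])),
]

if __name__ == "__main__":
    for kind, desc in scan(SAMPLE_FLOWS):
        print(kind, "-", desc)
```

Phones rarely have a reason to hold a long-lived outbound SSH session, so the `ssh_tunnel` finding is worth alerting on by itself; the `socks5_server` finding confirms the proxy only when the handshake travels unencrypted.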
Remaining vigilant against suspicious links and maintaining strong security practices can help users stay protected from the virus.