The new TGTOXIC Banking Trojan variant evolves with anti-analytic upgrades

February 27, 2025Ravi LakshmananCybercrime / Android

Cybersecurity researchers have discovered an updated version of the Android malware TgToxic (also known as toxicity), indicating that the threat actors behind it are continually making changes in response to public reporting.

“The changes seen in the TgToxic payload reflect the actors’ ongoing surveillance of open-source intelligence, indicating their commitment to improving security measures and enhancing the malware’s capabilities to keep researchers at bay,” Intel 471 said in a report released this week.

TgToxic was first documented by Trend Micro in early 2023, which described it as a banking and crypto-wallet trojan capable of stealing credentials and funds from banking and finance apps. It primarily targets mobile users in Taiwan, Thailand and Indonesia, and has been observed in the wild since at least July 2022.


Then, in November 2024, the Italian online fraud prevention company Cleafy detailed an updated variant with a wider range of data collection capabilities and an expanded operational scope that included Italy, Portugal, Hong Kong, Spain and Peru. The malware is assessed to be the work of Chinese-speaking threat actors.

Intel 471’s latest analysis indicates that the malware is distributed via SMS messages or via dropper APK files hosted on phishing websites, although the exact delivery mechanism remains unknown.

Notable improvements include stronger emulator detection and an updated command-and-control (C2) URL generation mechanism, highlighting the actors’ ongoing anti-analysis efforts.

“The malware conducts a thorough evaluation of the device’s hardware and system capabilities to detect emulation,” Intel 471 said. “It examines a set of device properties, including brand, model, manufacturer and fingerprint values, to identify discrepancies typical of emulated systems.”

Another important change is a shift away from a hard-coded C2 domain embedded in the malware configuration: the actors now create fake profiles on forums such as the Atlassian Community developer forum, each containing an encrypted string that points to the actual C2 server.

The TgToxic APK is designed to randomly select one of the community forum URLs provided in its configuration, which then acts as a dead-drop resolver for the C2 domain.

This technique offers several advantages: it lets the threat actors change the C2 server simply by pointing the community user profile at a new C2 domain, without issuing an update to the malware itself.

“This method greatly extends the operational lifespan of malware samples and maintains functionality as long as the user profiles on these forums remain active,” Intel 471 said.


Subsequent iterations of TgToxic discovered in December 2024 rely on a domain generation algorithm (DGA) to create new domain names for use as C2 servers. Because the DGA can produce many candidate domains, the malware is more resilient to disruption efforts and can switch to a new domain even if an existing one is taken down.
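A defender-side heuristic for the DGA-based C2 behaviour described above, added here as an example and not code from the Intel 471 report: it scores the registrable label of each queried domain on entropy, digit ratio and consonant runs, then groups flagged names by client so a single device querying several random-looking domains stands out. The DNS log lines and the scoring thresholds are constructed for illustration.

```python
import math
import re
from collections import Counter

# Constructed sample DNS query log (not from the report): "<timestamp> <client> <qname>".
# The two random-looking .top/.xyz names stand in for DGA-generated C2 candidates.
SAMPLE_DNS_LOG = """\
2025-02-27T10:01:02Z 10.0.0.12 community.atlassian.com
2025-02-27T10:01:03Z 10.0.0.12 xq7vk2zpl9mtrw.top
2025-02-27T10:01:05Z 10.0.0.18 play.google.com
2025-02-27T10:01:09Z 10.0.0.12 b83kd0wq1zfjn4h.xyz
2025-02-27T10:01:11Z 10.0.0.12 accounts.google.com
"""


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s; random labels score high, real words low."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def registrable_label(qname: str) -> str:
    """Second-level label, e.g. 'xq7vk2zpl9mtrw' from 'xq7vk2zpl9mtrw.top' (ignores .co.uk-style suffixes)."""
    parts = qname.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def dga_score(qname: str) -> int:
    """0..3: one point each for high entropy, many digits and a long consonant run.
    Thresholds are assumed heuristics chosen for this example, not values from the report."""
    label = registrable_label(qname)
    if len(label) < 8:  # short labels are too noisy to judge
        return 0
    score = 0
    if shannon_entropy(label) > 3.3:
        score += 1
    if sum(ch.isdigit() for ch in label) / len(label) > 0.15:
        score += 1
    if max((len(m) for m in re.findall(r"[bcdfghjklmnpqrstvwxz]+", label)), default=0) >= 4:
        score += 1
    return score


def flag_dga_queries(log_text: str, min_score: int = 2) -> dict:
    """Map each client IP to the DGA-looking domains it queried, in log order."""
    flagged: dict = {}
    for line in log_text.splitlines():
        _ts, client, qname = line.split()
        if dga_score(qname) >= min_score:
            flagged.setdefault(client, []).append(qname)
    return flagged
```

Run against real resolver logs, the flagged list is a triage queue rather than a verdict: legitimate CDN or tracking hosts can also score high, so confirm with reputation data and the client’s other traffic.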

“TgToxic stands out as a highly sophisticated Android banking trojan with advanced anti-analysis techniques, including obfuscation, payload encryption and anti-emulation mechanisms that evade detection by security tools.”

“The use of dynamic command-and-control (C2) strategies such as domain generation algorithms (DGAs), together with its automation capabilities, allows it to hijack user interfaces, steal credentials and perform fraudulent transactions in spite of anti-fraud measures.”
