Cybersecurity researchers have found an up to date model of an Android malware referred to as TgToxic (aka ToxicPanda), indicating that the menace actors behind it are constantly making adjustments in response to public reporting.
“The modifications seen within the TgToxic payloads mirror the actors’ ongoing surveillance of open supply intelligence and display their dedication to enhancing the malware’s capabilities to enhance safety measures and maintain researchers at bay,” Intel 471 mentioned in a report printed this week.
TgToxic was first documented by Development Micro in early 2023, describing it as a banking trojan able to stealing credentials and funds from crypto wallets in addition to financial institution and finance apps. It has been detected within the wild since at the least July 2022, primarily specializing in cell customers in Taiwan, Thailand, and Indonesia.
Then in November 2024, Italian on-line fraud prevention agency Cleafy detailed an up to date variant with wide-ranging data-gathering options, whereas additionally increasing its operational scope to incorporate Italy, Portugal, Hong Kong, Spain, and Peru. The malware is assessed to be the work of a Chinese language-speaking menace actor.
Intel 471’s newest evaluation has discovered that the malware is distributed through dropper APK recordsdata doubtless through SMS messages or phishing web sites. Nevertheless, the precise supply mechanism stays unknown.
A few of the notable enhancements embody improved emulator detection capabilities and updates to the command-and-control (C2) URL technology mechanism, underscoring ongoing efforts to sidestep evaluation efforts.
“The malware conducts an intensive analysis of the gadget’s {hardware} and system capabilities to detect emulation,” Intel 471 mentioned. “The malware examines a set of gadget properties together with model, mannequin, producer and fingerprint values to establish discrepancies which are typical of emulated methods.”
One other vital change is the shift from hard-coded C2 domains embedded throughout the malware’s configuration to utilizing boards such because the Atlassian neighborhood developer discussion board to create bogus profiles that embody an encrypted string pointing to the precise C2 server.
The TgToxic APK is designed to randomly choose one of many neighborhood discussion board URLs offered within the configuration, which serves as a lifeless drop resolver for the C2 area.
The method affords a number of benefits, foremost being that it makes it simpler for menace actors to vary C2 servers by merely updating the neighborhood consumer profile to level to the brand new C2 area with out having to problem any updates to the malware itself.
“This methodology significantly extends the operational lifespan of malware samples, retaining them practical so long as the consumer profiles on these boards stay lively,” Intel 471 mentioned.
Subsequent iterations of TgToxic found in December 2024 go a step additional, counting on a website technology algorithm (DGA) to create new domains to be used as C2 servers. This makes the malware extra resilient to disruption efforts because the DGA can be utilized to create a number of domains, permitting the attackers to modify to a brand new area even when some are taken down.
“TgToxic stands out as a extremely refined Android banking trojan resulting from its superior anti-analysis strategies, together with obfuscation, payload encryption, and anti-emulation mechanisms that evade detection by safety instruments,” Approov CEO Ted Miracco mentioned in an announcement.
“Its use of dynamic command-and-control (C2) methods, corresponding to area technology algorithms (DGA), and its automation capabilities allow it to hijack consumer interfaces, steal credentials, and carry out unauthorized transactions with stealth and resilience in opposition to countermeasures.”