Cybersecurity researchers have discovered an updated version of an Android malware known as TgToxic (aka ToxicPanda), indicating that the threat actors behind it are continuously making changes in response to public reporting.
“The modifications seen in the TgToxic payloads reflect the actors’ ongoing surveillance of open source intelligence and demonstrate their commitment to enhancing the malware’s capabilities to improve security measures and keep researchers at bay,” Intel 471 said in a report published this week.
TgToxic was first documented by Trend Micro in early 2023, describing it as a banking trojan capable of stealing credentials and funds from crypto wallets as well as bank and finance apps. It has been detected in the wild since at least July 2022, primarily focusing on mobile users in Taiwan, Thailand, and Indonesia.
Then in November 2024, Italian online fraud prevention firm Cleafy detailed an updated variant with wide-ranging data-gathering features, while also expanding its operational scope to include Italy, Portugal, Hong Kong, Spain, and Peru. The malware is assessed to be the work of a Chinese-speaking threat actor.
Intel 471’s latest analysis has found that the malware is distributed via dropper APK files, likely through SMS messages or phishing websites. However, the exact delivery mechanism remains unknown.
Some of the notable improvements include enhanced emulator detection capabilities and updates to the command-and-control (C2) URL generation mechanism, underscoring ongoing efforts to sidestep analysis efforts.
“The malware conducts a thorough evaluation of the device’s hardware and system capabilities to detect emulation,” Intel 471 said. “The malware examines a set of system properties including brand, model, manufacturer and fingerprint values to identify discrepancies that are typical of emulated systems.”
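To make those property checks concrete from the analyst's side, here is an added Python example (not Intel 471's or the malware's code) that tests a sandbox's reported Build profile for the kinds of discrepancies described above: emulator-default strings in the model, manufacturer and hardware fields, and a fingerprint whose embedded brand and release disagree with the separately reported values. The indicator strings and the sample device profiles are assumptions constructed for the example.

```python
from dataclasses import dataclass

@dataclass
class DeviceProfile:
    """Values an Android app reads from android.os.Build / Build.VERSION."""
    brand: str         # Build.BRAND
    model: str         # Build.MODEL
    manufacturer: str  # Build.MANUFACTURER
    hardware: str      # Build.HARDWARE
    release: str       # Build.VERSION.RELEASE
    fingerprint: str   # Build.FINGERPRINT

# Assumed indicators: common emulator defaults, not values from the report.
EMULATOR_MODEL_MARKERS = ("sdk", "emulator", "android sdk built for")
EMULATOR_MANUFACTURERS = ("genymotion", "unknown")
EMULATOR_HARDWARE = ("goldfish", "ranchu", "vbox86")

def emulator_indicators(p: DeviceProfile) -> list[str]:
    """Return every discrepancy found; an empty list means the profile passes."""
    reasons = []
    if any(m in p.model.lower() for m in EMULATOR_MODEL_MARKERS):
        reasons.append(f"model looks emulated: {p.model!r}")
    if p.manufacturer.lower() in EMULATOR_MANUFACTURERS:
        reasons.append(f"manufacturer looks emulated: {p.manufacturer!r}")
    if p.hardware.lower() in EMULATOR_HARDWARE:
        reasons.append(f"hardware is an emulator board: {p.hardware!r}")
    if p.fingerprint.lower().startswith(("generic", "unknown")):
        reasons.append(f"fingerprint is generic: {p.fingerprint!r}")
    # Build.FINGERPRINT is brand/product/device:release/id/incremental:type/tags,
    # so the brand and release it embeds must agree with the separate fields.
    parts = p.fingerprint.split("/")
    if len(parts) >= 3 and ":" in parts[2]:
        if parts[0].lower() != p.brand.lower():
            reasons.append(f"brand mismatch: fingerprint {parts[0]!r} vs {p.brand!r}")
        embedded_release = parts[2].split(":", 1)[1]
        if embedded_release != p.release:
            reasons.append(f"release mismatch: fingerprint {embedded_release!r} vs {p.release!r}")
    return reasons

def would_pass(p: DeviceProfile) -> bool:
    return not emulator_indicators(p)

# Constructed profiles (build IDs made up): a stock AVD, a sandbox that spoofs the
# obvious fields but left the fingerprint inconsistent, and a consistent real device.
STOCK_AVD = DeviceProfile("google", "sdk_gphone_x86", "Google", "ranchu", "11",
    "google/sdk_gphone_x86/generic_x86:11/RSR1.000000.000/1234567:user/release-keys")
SLOPPY_SANDBOX = DeviceProfile("samsung", "SM-G991B", "samsung", "exynos2100", "13",
    "google/oriole/oriole:12/SP1A.000000.000/1234567:user/release-keys")
REAL_DEVICE = DeviceProfile("samsung", "SM-G991B", "samsung", "exynos2100", "13",
    "samsung/r9qxx/r9q:13/TP1A.000000.000/1234567:user/release-keys")
```

Running `emulator_indicators` over a sandbox's actual Build values before detonating a sample shows which field would give the environment away.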
Another significant change is the shift from hard-coded C2 domains embedded within the malware’s configuration to using forums such as the Atlassian community developer forum to create bogus profiles that include an encrypted string pointing to the actual C2 server.

The TgToxic APK is designed to randomly select one of the community forum URLs provided in the configuration, which serves as a dead drop resolver for the C2 domain.
The technique offers several advantages, foremost being that it makes it easier for threat actors to change C2 servers by simply updating the community user profile to point to the new C2 domain without having to issue any updates to the malware itself.
“This method significantly extends the operational lifespan of malware samples, keeping them functional as long as the user profiles on these forums remain active,” Intel 471 said.
Subsequent iterations of TgToxic discovered in December 2024 go a step further, relying on a domain generation algorithm (DGA) to create new domains for use as C2 servers. This makes the malware more resilient to disruption efforts, as the DGA can be used to create multiple domains, allowing the attackers to switch to a new domain even if some are taken down.
“TgToxic stands out as a highly sophisticated Android banking trojan due to its advanced anti-analysis techniques, including obfuscation, payload encryption, and anti-emulation mechanisms that evade detection by security tools,” Approov CEO Ted Miracco said in a statement.
“Its use of dynamic command-and-control (C2) techniques, such as domain generation algorithms (DGA), and its automation capabilities enable it to hijack user interfaces, steal credentials, and perform unauthorized transactions with stealth and resilience against countermeasures.”
Update
Following the publication of the story, a Google spokesperson shared the below statement with The Hacker News –
Based on our current detection, no apps containing this malware are found on Google Play. Android users are automatically protected against known versions of this malware by Google Play Protect, which is on by default on Android devices with Google Play Services. Google Play Protect can warn users or block apps known to exhibit malicious behavior, even when those apps come from sources outside of Play.
(The story was updated after publication to include a response from Google.)