New TgToxic Banking Trojan Variant Evolves with Anti-Analysis Upgrades

Feb 27, 2025 | Ravie Lakshmanan | Cybercrime / Android

An updated version of the Android malware TgToxic (also known as ToxicPanda) has been discovered by security researchers, indicating that its operators are continually modifying it in response to public reporting.

In a report published this week, Intel 471 said the modifications to the TgToxic payloads reflect the actors' ongoing monitoring of open source intelligence and demonstrate their commitment to strengthening the malware's anti-analysis capabilities to keep researchers at bay.

Trend Micro first documented TgToxic in early 2023 as a banking trojan capable of stealing credentials and funds from banking and finance apps. It has been observed in the wild since at least July 2022, primarily targeting mobile users in Taiwan, Thailand, and Indonesia.

Then in November 2024, Italian online fraud prevention company Cleafy detailed an updated version with wide-ranging data-gathering features and an expanded operating scope covering Italy, Portugal, Hong Kong, Spain, and Peru. A Chinese-speaking threat actor is believed to be responsible for the malware.

According to Intel 471's latest analysis, the malware is distributed via dropper APK files, most likely delivered through SMS messages or phishing websites. The precise delivery mechanism, however, remains unknown.

Notable changes include a reworked command-and-control (C2) URL generation mechanism and improved emulator detection capabilities, both of which underscore ongoing efforts to evade analysis.

"The malware undertakes a comprehensive evaluation of the phone's technology and system abilities to detect emulation," Intel 471 said. To find discrepancies typical of emulated systems, the malware examines a set of device properties, including brand, model, manufacturer, and fingerprint values.
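The property checks described above are what an analysis sandbox has to survive. As an added example (not code from the article or from Intel 471), the following Python script parses the output of `adb shell getprop` and reports which of the brand, model, manufacturer, and fingerprint values would give an emulator away to a check like TgToxic's. The two `getprop` dumps embedded below are constructed samples, and the marker list is a generic set of well-known emulator telltales rather than the malware's actual list.

```python
import re

# Constructed sample of `adb shell getprop` output from a stock Android emulator image.
SAMPLE_EMULATOR_GETPROP = """\
[ro.product.brand]: [google]
[ro.product.model]: [sdk_gphone64_x86_64]
[ro.product.manufacturer]: [Google]
[ro.product.device]: [emu64xa]
[ro.hardware]: [ranchu]
[ro.kernel.qemu]: [1]
[ro.build.fingerprint]: [google/sdk_gphone64_x86_64/emu64xa:14/UE1A.230829.036/11228894:userdebug/dev-keys]
"""

# Constructed sample resembling a physical device (values are illustrative, not a real dump).
SAMPLE_PHYSICAL_GETPROP = """\
[ro.product.brand]: [samsung]
[ro.product.model]: [SM-S918B]
[ro.product.manufacturer]: [samsung]
[ro.product.device]: [dm3q]
[ro.hardware]: [qcom]
[ro.build.fingerprint]: [samsung/dm3qxxx/dm3q:14/UP1A.231005.007/S918BXXU4CXAA:user/release-keys]
"""

# getprop prints each property as "[key]: [value]".
GETPROP_LINE = re.compile(r"^\[(?P<key>[^\]]+)\]: \[(?P<value>[^\]]*)\]$")

# Substrings that commonly expose an emulator in the properties the article names (generic list, an assumption).
EMULATOR_MARKERS = (
    "generic", "goldfish", "ranchu", "sdk_gphone", "emulator",
    "vbox", "genymotion", "android sdk built for", "unknown",
)

CHECKED_PROPS = (
    "ro.product.brand", "ro.product.model", "ro.product.manufacturer",
    "ro.product.device", "ro.hardware", "ro.build.fingerprint",
)


def parse_getprop(text):
    """Turn raw getprop output into a {key: value} dict, ignoring lines that do not match."""
    props = {}
    for line in text.splitlines():
        m = GETPROP_LINE.match(line.strip())
        if m:
            props[m.group("key")] = m.group("value")
    return props


def emulator_findings(props):
    """Return a list of human-readable reasons the device looks emulated (empty if none)."""
    findings = []
    for key in CHECKED_PROPS:
        value = props.get(key, "").lower()
        for marker in EMULATOR_MARKERS:
            if marker in value:
                findings.append(f"{key} contains '{marker}'")
                break
    if props.get("ro.kernel.qemu") == "1":
        findings.append("ro.kernel.qemu is 1 (QEMU-based emulator)")
    # Consistency check: the fingerprint is "brand/product/device:..." and should agree with ro.product.brand.
    fp = props.get("ro.build.fingerprint", "")
    brand = props.get("ro.product.brand", "")
    if fp and brand and not fp.lower().startswith(brand.lower() + "/"):
        findings.append("fingerprint does not begin with ro.product.brand")
    if fp.endswith("dev-keys") or fp.endswith("test-keys"):
        findings.append("build signed with dev/test keys")
    return findings


def looks_emulated(getprop_text):
    """True if any check fires; what a malware-style anti-emulation gate would act on."""
    return bool(emulator_findings(parse_getprop(getprop_text)))


if __name__ == "__main__":
    for name, dump in (("emulator", SAMPLE_EMULATOR_GETPROP), ("physical", SAMPLE_PHYSICAL_GETPROP)):
        print(name, "->", emulator_findings(parse_getprop(dump)) or "no findings")
```

Run it against `adb shell getprop > props.txt` from your own sandbox: every finding is a property you would need to spoof (or a kernel/emulator setting you would need to change) before a sample with these checks will detonate.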

Another major change is the use of community forums, such as the Atlassian community developer forum, as a dead drop: the actors create fake profiles whose contents include an encoded string pointing to the real C2 server, and the malware's configuration now lists these forum profile URLs instead of the server itself.

The TgToxic APK is programmed to randomly pick one of the community forum URLs in the configuration, which acts as a C2 domain dead drop resolver.

The approach has a number of benefits, most notably that it makes it simpler for threat actors to switch C2 servers: they only need to update the community user profile to point to the new C2 domain, without having to update the malware itself.

"This technique significantly extends the operational longevity of malware samples, keeping them useful as long as the user profiles on these forums remain active," Intel 471 said.

Later versions of TgToxic, discovered in December 2024, go a step further by using a domain generation algorithm (DGA) to create new domain names for use as C2 servers. Because the DGA can produce many candidate domains, the attackers can move to a new domain even if some are taken down, which makes the malware more resilient to disruption efforts.

"TgToxic stands out as a very powerful Android banking trojan due to its advanced anti-analysis practices, including obfuscation, payload encryption, and anti-emulation mechanisms that escape recognition by security equipment," Approov CEO Ted Miracco said in a statement.

"Its use of dynamic command-and-control (C2) strategies, such as domain generation algorithms (DGA), and its automation capabilities enable it to hijack user interfaces, steal credentials, and perform unauthorized transactions with stealth and resilience against countermeasures."
