
February 27, 2025 | Ravie Lakshmanan | Cybercrime / Android

Security researchers have identified a new version of the Android malware known as TgToxic (also referred to as ToxicPanda), indicating that the malicious actors behind it continue to adapt and refine their tactics in response to publicly available information.

“The adjustments made to the TgToxic payloads demonstrate the malicious actors’ ongoing monitoring of open-source intelligence and highlight their dedication to enhancing the malware’s capabilities in order to evade detection and improve security measures,” according to a report published by Intel 471 this week.

TgToxic was first identified by Trend Micro in early 2023 as a banking trojan capable of stealing sensitive information and funds from cryptocurrency wallets, as well as banking and financial applications. It has been detected in the wild since at least July 2022, primarily targeting mobile users in Taiwan, Thailand, and Indonesia.

In November 2024, the Italian online fraud prevention firm Cleafy provided details about an updated variant of the malware, which included extensive data-gathering features and expanded its operational scope to include Italy, Portugal, Hong Kong, Spain, and Peru. The malware is believed to be the work of a Chinese-speaking threat actor.

According to Intel 471’s latest analysis, the malware is distributed via dropper APK files, likely through SMS messages or phishing websites, although the exact delivery mechanism remains unknown.

Some notable improvements include enhanced emulator detection capabilities and updates to the command-and-control (C2) URL generation mechanism, highlighting the ongoing efforts to evade analysis.

“The malware performs a thorough evaluation of the device’s hardware and system capabilities to detect emulation,” Intel 471 explained. “It examines a set of device properties, including brand, model, manufacturer, and fingerprint values, to identify discrepancies typical of emulated systems.”
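To show how an analyst can vet a sandbox profile against the kind of property comparison described above, here is an added example (not Intel 471's or the malware's code). The emulator marker list and the sample property sets are constructed assumptions; the fingerprint layout is Android's documented BRAND/PRODUCT/DEVICE:RELEASE/ID/INCREMENTAL:TYPE/TAGS format.

```python
"""Sandbox consistency check: flags the discrepancies a brand/model/manufacturer/
fingerprint comparison would surface, so an analysis image can be fixed before
a sample is detonated. Added example; marker list and samples are constructed."""
import re

# Assumption: substrings typical of stock emulator images (tune per sandbox).
EMULATOR_MARKERS = ("generic", "sdk", "emulator", "goldfish", "ranchu", "unknown")

# Documented Build.FINGERPRINT layout.
FINGERPRINT_RE = re.compile(
    r"^(?P<brand>[^/]+)/(?P<product>[^/]+)/(?P<device>[^:]+):"
    r"(?P<release>[^/]+)/(?P<build_id>[^/]+)/(?P<incremental>[^:]+):"
    r"(?P<type>[^/]+)/(?P<tags>.+)$"
)


def emulator_discrepancies(props: dict) -> list:
    """Return the findings a property-based emulation check would raise.

    props holds Build.BRAND, MODEL, MANUFACTURER and FINGERPRINT as read with
    `getprop`. An empty list means the profile is internally consistent and
    carries no stock emulator strings.
    """
    findings = []
    for key in ("brand", "model", "manufacturer", "fingerprint"):
        value = props.get(key, "").lower()
        findings += [f"{key} contains emulator marker '{m}'"
                     for m in EMULATOR_MARKERS if m in value]
    m = FINGERPRINT_RE.match(props.get("fingerprint", ""))
    if not m:
        findings.append("fingerprint does not follow the documented layout")
        return findings
    # Cross-check: brand embedded in the fingerprint must equal Build.BRAND.
    if m["brand"].lower() != props.get("brand", "").lower():
        findings.append(f"fingerprint brand '{m['brand']}' != brand '{props.get('brand')}'")
    if m["type"] != "user" or m["tags"] != "release-keys":
        findings.append(f"build is {m['type']}/{m['tags']}, not a release user build")
    return findings


# Constructed sample profiles: a stock emulator image and a plausible handset.
STOCK_EMULATOR = {
    "brand": "google", "model": "sdk_gphone64_x86_64", "manufacturer": "Google",
    "fingerprint": "google/sdk_gphone64_x86_64/emu64x:13/TE1A.220922.010/9780060:user/release-keys",
}
REAL_PHONE = {
    "brand": "samsung", "model": "SM-S911B", "manufacturer": "samsung",
    "fingerprint": "samsung/dm1qxxx/dm1q:14/UP1A.231005.007/S911BXXU4CXE3:user/release-keys",
}
```

Run `emulator_discrepancies(STOCK_EMULATOR)` against a candidate image before detonation; any finding is a property the sample's check can use to refuse to run.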

A significant change is the shift away from hard-coded C2 domains embedded in the malware's configuration: the operators now create fake profiles on community forums, such as the Atlassian community developer forum, and embed in each profile an encrypted string that points to the actual C2 server.

The TgToxic APK is designed to randomly select one of the community forum URLs provided in the configuration, which serves as a dead drop resolver for the C2 domain.

This technique offers several advantages, primarily making it easier for threat actors to change C2 servers by simply updating the community user profile to point to the new C2 domain without having to issue any updates to the malware itself.

“This method significantly extends the operational lifespan of malware samples, keeping them functional as long as the user profiles on these forums remain active,” Intel 471 noted.

Later iterations of TgToxic discovered in December 2024 take it a step further by relying on a domain generation algorithm (DGA) to create new domain names for use as C2 servers. This makes the malware more resilient to disruption efforts, as the DGA can be used to create multiple domain names, allowing the attackers to switch to a new domain even if some are taken down.

“TgToxic stands out as a highly sophisticated Android banking trojan due to its advanced anti-analysis techniques, including obfuscation, payload encryption, and anti-emulation mechanisms that evade detection by security tools,” Approov CEO Ted Miracco stated.

“Its use of dynamic command-and-control (C2) strategies, such as domain generation algorithms (DGA), and its automation capabilities enable it to hijack user interfaces, steal credentials, and perform unauthorized transactions with stealth and resilience against countermeasures.”
