A newly updated version of the TgToxic Android banking trojan has been observed in the wild, showcasing enhanced evasion techniques and a broader geographical focus. Initially discovered by Trend Micro in July 2022, TgToxic has primarily targeted mobile users in Southeast Asia, but recent developments indicate an expansion into Europe and Latin America.
Intel 471 mobile malware researchers have tracked multiple iterations of TgToxic, with each version demonstrating increased sophistication. The latest updates appear to be a response to security researchers’ public disclosures, which prompted the operators to adapt and refine their tactics.
“On Nov. 22, 2024, Intel 471 mobile malware researchers observed a campaign leveraging an updated version of TgToxic. We believe these updates could be a direct response to the detailed blog post published by Cleafy which exposed the functionality of the newer TgToxic version,” the report states.
One of the key modifications is a change in how the malware locates its command-and-control (C2) servers: the fixed locations used previously (hardcoded domains, then dead-drop forum posts) have been replaced by a more resilient domain generation algorithm (DGA).
“The actors once again changed the way the malware obtains the C2 URL, from a dead drop location to a domain generation algorithm (DGA).”
TgToxic spreads primarily through social engineering campaigns, including:
- Phishing sites masquerading as legitimate services.
- Compromised social media accounts promoting fake financial or messaging applications.
- SMS-based phishing (smishing) attacks delivering malware-laden APKs.
Intel 471 reports that a recent campaign hosted malicious APK samples on an open directory at mta164.bwhite.com, although the precise method of delivery remains unclear. “We suspect these samples may have been delivered through short message service (SMS) texts, phishing websites or deceptive applications; however, we currently lack direct evidence confirming the specific methods used for their delivery.”
Recent versions of TgToxic demonstrate improved emulator detection capabilities, designed to evade security research environments. The trojan employs:
- Android system feature checks to detect missing hardware components.
- CPU architecture fingerprinting to identify emulators.
- System property analysis to flag virtualized environments such as QEMU and Genymotion.
“The latest samples of TgToxic were enhanced with multiple anti-emulation techniques to circumvent automated analysis systems. These techniques incorporate a multifaceted approach to system verification.”
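The checks listed above are the same signals an analyst needs to audit before pointing a sandbox at a sample like this. The script below, an example added to this page and not code from TgToxic or from Intel 471, scores an `adb shell getprop` dump and a `pm list features` feature set against emulator indicators of the three kinds the article names (system-property values naming QEMU/Genymotion-style virtual hardware, an x86 ABI, and missing hardware features). The property names, regexes, feature list and both sample dumps are assumptions built from well-known emulator fingerprints, not values taken from the malware.

```python
"""Score an Android `getprop` dump and feature list against the kinds of
emulator indicators the article describes.  Example code added to this page,
not code from TgToxic or from Intel 471; the property names, patterns and
feature list are assumptions based on well-known emulator fingerprints."""
import re

# Assumed indicator table: (system property, regex over its value, label).
PROPERTY_INDICATORS = [
    ("ro.kernel.qemu", r"^1$", "QEMU kernel flag set"),
    ("ro.hardware", r"(goldfish|ranchu|vbox86)", "emulator hardware name"),
    ("ro.product.model", r"(Emulator|Android SDK built for)", "SDK product model"),
    ("ro.product.manufacturer", r"^(Genymotion|unknown)$", "emulator manufacturer"),
    ("ro.product.cpu.abi", r"^x86", "x86 ABI (almost all handsets are ARM)"),
    ("ro.build.fingerprint", r"(generic|vbox|test-keys)", "generic or test-keys build"),
]

# Features a real handset reports via `pm list features`; absence is a tell.
EXPECTED_FEATURES = (
    "android.hardware.telephony",
    "android.hardware.camera",
    "android.hardware.sensor.accelerometer",
)


def parse_getprop(dump: str) -> dict:
    """Parse `adb shell getprop` output, one "[key]: [value]" per line."""
    props = {}
    for line in dump.splitlines():
        m = re.match(r"\[(.+?)\]: \[(.*)\]$", line.strip())
        if m:
            props[m.group(1)] = m.group(2)
    return props


def emulator_indicators(props: dict, features: set) -> list:
    """Return every triggered indicator; an empty list means nothing in this
    table would make an emulator-aware sample bail out."""
    hits = []
    for key, pattern, label in PROPERTY_INDICATORS:
        value = props.get(key, "")
        if re.search(pattern, value):
            hits.append(f"{label}: {key}={value}")
    for feat in EXPECTED_FEATURES:
        if feat not in features:
            hits.append(f"missing system feature: {feat}")
    return hits


# Constructed sample dumps (not captured from real devices).
EMULATOR_DUMP = """\
[ro.kernel.qemu]: [1]
[ro.hardware]: [ranchu]
[ro.product.model]: [Android SDK built for x86]
[ro.product.manufacturer]: [Google]
[ro.product.cpu.abi]: [x86]
[ro.build.fingerprint]: [google/sdk_gphone_x86/generic_x86:11/RSR1.201013.001/6903271:user/release-keys]
"""
EMULATOR_FEATURES = {"android.hardware.camera"}

PHONE_DUMP = """\
[ro.hardware]: [qcom]
[ro.product.model]: [Pixel 6]
[ro.product.manufacturer]: [Google]
[ro.product.cpu.abi]: [arm64-v8a]
[ro.build.fingerprint]: [google/oriole/oriole:14/AP1A.240405.002/11480754:user/release-keys]
"""
PHONE_FEATURES = set(EXPECTED_FEATURES)


def assess(dump: str, features: set) -> list:
    """Convenience wrapper: parse a dump and return the triggered indicators."""
    return emulator_indicators(parse_getprop(dump), features)


if __name__ == "__main__":
    for name, dump, feats in (("emulator", EMULATOR_DUMP, EMULATOR_FEATURES),
                              ("handset", PHONE_DUMP, PHONE_FEATURES)):
        hits = assess(dump, feats)
        print(f"{name}: {len(hits)} indicator(s)")
        for h in hits:
            print("  -", h)
```

Run it against a dump pulled from your own analysis environment; every line it prints is a property or feature to patch in the sandbox image before the sample will get past its checks and reach the C2 logic.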
TgToxic’s developers have changed how the malware finds its C2 servers several times:
- The original versions relied on hardcoded domains.
- A later variant retrieved C2 addresses from encrypted forum posts (dead drop locations).
- The current variant uses a domain generation algorithm (DGA), deriving new domains dynamically so that blocking or seizing any single one does not cut the malware off.
“This shift may have been triggered by the reporting and subsequent removal of the dead drop accounts from various forums.”
This method significantly increases the malware’s resilience against takedowns, making it more challenging for security teams to block its infrastructure, at least until the algorithm and its seed are extracted from a sample, after which every domain the malware can try can be precomputed and blocked in advance.
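To make the takedown trade-off concrete, here is a minimal date-seeded DGA together with the defender-side precomputation that neutralises it. This is an added illustration, not TgToxic's algorithm: the Intel 471 report as excerpted here does not disclose how the malware derives its domains, so the seed, hash construction, TLD list and per-day domain count are all assumptions chosen to show the mechanism.

```python
"""A minimal date-seeded domain generation algorithm (DGA) and the
defender-side precomputation that blunts it.  Added illustration only; the
seed, hash construction, TLD list and domain count are assumptions, not the
values used by TgToxic, which the report excerpted here does not disclose."""
import hashlib
from datetime import date, timedelta

SEED = b"example-campaign-seed"   # assumed: a constant baked into the sample
TLDS = ("com", "net", "xyz")     # assumed
DOMAINS_PER_DAY = 5              # assumed


def dga(day: date, seed: bytes = SEED, count: int = DOMAINS_PER_DAY) -> list:
    """Derive `count` candidate C2 hostnames for `day`.  The client only needs
    the seed and the current date, so no fixed domain or dead-drop URL has to
    live in the APK; the operator registers one of the candidates ahead of time."""
    domains = []
    for i in range(count):
        digest = hashlib.sha256(seed + day.isoformat().encode() + bytes([i])).hexdigest()
        # 12 hex characters form a valid DNS label and leave room for the TLD.
        domains.append(f"{digest[:12]}.{TLDS[i % len(TLDS)]}")
    return domains


def precompute(seed: bytes, start: date, days: int) -> set:
    """Once an analyst has pulled the seed and algorithm out of a sample, every
    domain the malware can try over a window is enumerable.  Feed the result
    to a DNS blocklist or sinkhole and the takedown resistance is gone."""
    out = set()
    for offset in range(days):
        out.update(dga(start + timedelta(days=offset), seed))
    return out


if __name__ == "__main__":
    today = date(2024, 11, 22)           # the observation date cited above
    print("today's candidates:", dga(today))
    window = precompute(SEED, today, 30)
    print(f"{len(window)} domains to block for the next 30 days")
```

The design choice worth noting is the seed: as long as it stays hidden, each day's domains look random to a defender watching DNS, but the moment it is recovered from a sample (or a sinkholed domain is registered by a responder), the whole future candidate list is as blockable as a hardcoded one.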
With its evolving evasion tactics and global expansion, TgToxic remains a serious threat to Android users worldwide. Organizations and individuals alike must remain vigilant, employing robust cybersecurity measures to mitigate risks posed by this adaptive malware.