
TgToxic malware evolves with advanced anti-detection techniques


Cybersecurity researchers have identified a new variant of the TgToxic Android malware, also known as ToxicPanda. The changes in the variant show how the threat continues to evolve, with the attackers adapting the malware in response to public reporting, according to The Hacker News.

Originally documented by Trend Micro in early 2023, TgToxic is a banking trojan that targets cryptocurrency wallets and banking and financial apps. Since July 2022 it primarily targeted mobile users in Taiwan, Thailand, and Indonesia, but it has since expanded to Italy, Portugal, Hong Kong, Spain, and Peru.

The malware is believed to be operated by a Chinese-speaking threat actor. According to Intel 471, the updated TgToxic variant is delivered through dropper APK files, likely distributed via SMS messages or phishing websites. The malware now also features improved emulator detection and changes to how it generates its command-and-control (C2) URLs, both of which help it evade detection and analysis.

Notably, the malware uses community forums such as Atlassian's to host encrypted strings that point to the actual C2 server. Because the malware only needs to read the forum post, operators can switch to a new server by editing the post rather than pushing an updated malware build.

Recent updates include a domain generation algorithm, which enhances its resilience by allowing the creation of new domains if existing ones are blocked. TgToxic's advanced tactics include obfuscation, payload encryption, and anti-emulation techniques.
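Since the article describes the domain generation algorithm only at a high level, the following is an added defender-side example, not code from the article, from Intel 471, or from the malware itself. It scores queried domain names in a DNS log for the traits DGA-produced names typically share (long, high-entropy, vowel-poor labels) and then groups hits per client, since a DGA-driven infection usually produces a burst of such lookups from one device. The log lines, the `<timestamp> <client> <name>` log format, and the thresholds are all constructed assumptions for illustration.

```python
import math
import re
from collections import Counter, defaultdict

# Constructed sample DNS query log (not real traffic and not related to any
# real TgToxic infrastructure). Assumed format: "<timestamp> <client> <name>".
SAMPLE_DNS_LOG = """\
2025-03-01T10:00:01Z 10.0.0.5 www.example.com
2025-03-01T10:00:02Z 10.0.0.5 mail.example.org
2025-03-01T10:00:03Z 10.0.0.7 xk3q9vz7hp2lw.com
2025-03-01T10:00:04Z 10.0.0.7 bq7zt4mnp8vxr.net
2025-03-01T10:00:05Z 10.0.0.9 cdn.static-assets.example.net
2025-03-01T10:00:06Z 10.0.0.7 wz8pq2xkt5jvm.com
"""

LOG_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)$")
VOWELS = set("aeiou")


def shannon_entropy(text):
    """Bits of entropy per character of `text` (0.0 for an empty string)."""
    if not text:
        return 0.0
    counts = Counter(text)
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registrable_label(name):
    """Second-level label of a dotted name; assumes a one-part public suffix
    (no public suffix list is consulted, which is a simplification)."""
    parts = name.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def dga_score(name):
    """Return the features the heuristic looks at for one queried name."""
    label = registrable_label(name)
    letters = [c for c in label if c.isalpha()]
    vowel_ratio = (sum(c in VOWELS for c in letters) / len(letters)) if letters else 0.0
    return {"label": label, "length": len(label),
            "entropy": shannon_entropy(label), "vowel_ratio": vowel_ratio}


def is_dga_like(name, min_len=10, min_entropy=3.3, max_vowel_ratio=0.2):
    """Heuristic (assumed thresholds): long, high-entropy, vowel-poor label."""
    s = dga_score(name)
    return (s["length"] >= min_len
            and s["entropy"] >= min_entropy
            and s["vowel_ratio"] <= max_vowel_ratio)


def parse_dns_log(log_text):
    """Yield (client, name) pairs; lines that do not match the format are skipped."""
    for line in log_text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            yield m.group(2), m.group(3)


def suspicious_clients(log_text, min_hits=2):
    """Map each client that queried at least `min_hits` distinct DGA-like
    names to the sorted list of those names. Grouping per client matters:
    a single odd name is weak evidence, a cluster from one device is not."""
    hits = defaultdict(set)
    for client, name in parse_dns_log(log_text):
        if is_dga_like(name):
            hits[client].add(name)
    return {c: sorted(names) for c, names in hits.items() if len(names) >= min_hits}


if __name__ == "__main__":
    for client, names in suspicious_clients(SAMPLE_DNS_LOG).items():
        print(f"{client}: {len(names)} DGA-like lookups -> {', '.join(names)}")
```

Entropy and vowel ratio alone produce false positives on CDN hostnames and hashed subdomains, which is why the check is applied to the registrable label rather than the full name and why alerts are raised per client rather than per query; in practice a public suffix list and an allowlist of known high-entropy domains would be layered on top of this.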

Despite its sophistication, Google confirmed no known infected apps on Google Play, with Google Play Protect automatically shielding users from detected threats.
