Cybersecurity researchers have discovered an updated version of an Android malware called TgToxic (aka ToxicPanda), indicating that the threat actors behind it are continuously making changes in response to public reporting.
“The modifications seen in the TgToxic payloads reflect the actors’ ongoing surveillance of open source intelligence and demonstrate their commitment to enhancing the malware’s capabilities to improve security measures and keep researchers at bay,” Intel 471 said in a report published this week.
TgToxic was first documented by Trend Micro in early 2023, describing it as a banking trojan capable of stealing credentials and funds from crypto wallets as well as bank and finance apps. It has been detected in the wild since at least July 2022, mainly focusing on mobile users in Taiwan, Thailand, and Indonesia.
Then in November 2024, Italian online fraud prevention firm Cleafy detailed an updated variant with wide-ranging data-gathering features, while also expanding its operational scope to include Italy, Portugal, Hong Kong, Spain, and Peru. The malware is assessed to be the work of a Chinese-speaking threat actor.
Intel 471’s latest analysis has found that the malware is distributed via dropper APK files likely via SMS messages or phishing websites. However, the exact delivery mechanism remains unknown.
Some of the notable improvements include improved emulator detection capabilities and updates to the command-and-control (C2) URL generation mechanism, underscoring ongoing efforts to sidestep analysis efforts.
“The malware conducts a thorough evaluation of the device’s hardware and system capabilities to detect emulation,” Intel 471 said. “The malware examines a set of device properties including brand, model, manufacturer and fingerprint values to identify discrepancies that are typical of emulated systems.”
Another significant change is the shift from hard-coded C2 domains embedded within the malware’s configuration to using forums such as the Atlassian community developer forum to create bogus profiles that include an encrypted string pointing to the actual C2 server.
The TgToxic APK is designed to randomly select one of the community forum URLs provided in the configuration, which serves as a dead drop resolver for the C2 domain.
The technique offers several advantages, foremost being that it makes it easier for threat actors to change C2 servers by simply updating the community user profile to point to the new C2 domain without having to issue any updates to the malware itself.
“This method considerably extends the operational lifespan of malware samples, keeping them functional as long as the user profiles on these forums remain active,” Intel 471 said.
Subsequent iterations of TgToxic discovered in December 2024 go a step further, relying on a domain generation algorithm (DGA) to create new domain names for use as C2 servers. This makes the malware more resilient to disruption efforts as the DGA can be used to create several domain names, allowing the attackers to switch to a new domain even if some are taken down.
“TgToxic stands out as a highly sophisticated Android banking trojan due to its advanced anti-analysis techniques, including obfuscation, payload encryption, and anti-emulation mechanisms that evade detection by security tools,” Approov CEO Ted Miracco said in a statement.
“Its use of dynamic command-and-control (C2) strategies, such as domain generation algorithms (DGA), and its automation capabilities enable it to hijack user interfaces, steal credentials, and perform unauthorized transactions with stealth and resilience against countermeasures.”