Android Trojan TgToxic Evolves with Enhanced Capabilities


Summary
Intel 471 has released a blog detailing the latest updates to the TgToxic Android banking trojan, highlighting its evolving tactics and expanding reach. TgToxic, an Android banking trojan first identified by Trend Micro in July 2022, is designed to steal user credentials, cryptocurrency, and financial data. Initially targeting users in Southeast Asia, it spread through phishing sites and deceptive apps mimicking legitimate services, as well as compromised social media accounts and third-party platforms.
In October 2024, Cleafy researchers reported a new TgToxic variant, dubbed ToxicPanda, which was still in development. Though technically less sophisticated than earlier versions, it showed signs of expansion, including targeting European and Latin American banks. By November 22, 2024, Intel 471 researchers observed another TgToxic update, possibly in response to Cleafy’s findings. This version leveraged 25 community forums as encrypted dead drop locations to store malware configurations, allowing bots to retrieve C2 URLs.
However, this tactic was short-lived, as the malware operators soon introduced a third variant. The latest version replaced dead drop accounts with a domain generation algorithm (DGA) to enhance resilience and evade takedowns. The continuous evolution of TgToxic highlights threat actors’ ability to monitor public intelligence reports and adapt their tactics to counter security measures, making detection and mitigation increasingly challenging.
Technical Details
The TgToxic campaign leveraged an open directory on the mta164.bwhite.com website to host its malware samples. While the exact delivery method remains unconfirmed, SMS phishing, deceptive apps, or malicious websites were suspected. Two APK samples were found: "dropper.apk," identified as part of the TiramisuDropper malware family, and "no_dropper.apk," the final TgToxic payload. The dropper acts as a loader, enabling the installation of the updated TgToxic variant.
The latest TgToxic variant introduces notable enhancements, particularly in emulator detection and C2 URL generation. To evade automated analysis, the malware now employs more thorough anti-emulation techniques. It queries Android system features, checking for hardware that emulators typically lack, such as Bluetooth, sensors, and telephony services. It also inspects the device's CPU, flagging Intel or AMD processors, which are commonly found in emulated environments but rarely in real handsets. These improvements make TgToxic more resilient against security analysis and detection.
The latest TgToxic variant enhances its anti-emulation techniques by analyzing system properties and identifying emulator-specific indicators. It inspects device attributes like brand, model, manufacturer, and fingerprint values for inconsistencies typical of virtual environments. Additionally, it detects the presence of emulators such as QEMU and Genymotion, generic hardware signatures, test keys, and emulator names like "google_sdk" and "vbox86p." These improvements help the malware evade detection and analysis in controlled environments.
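The indicators listed above are also what an analyst needs to hide before detonating a sample, so a quick way to use them is to audit the test device rather than the malware. The Go program below is an added example written for this summary; it is not code from Intel 471's report or from the malware. It reads a constructed device dump (getprop output, the start of /proc/cpuinfo, and the feature list from `pm list features`) and reports every indicator from the report that the device exposes. The property names, the x86 vendor strings in /proc/cpuinfo, and the feature identifiers are standard Android values assumed here; the report does not say which properties the sample actually reads. Both device dumps are constructed.

```go
package main

import (
	"fmt"
	"strings"
)

// deviceDump is a constructed stand-in for what an analyst collects from a
// test device: `getprop` output, the start of /proc/cpuinfo and the feature
// names from `pm list features`.
type deviceDump struct {
	GetProp  string
	CPUInfo  string
	Features []string
}

// Emulator markers named in the report, and the standard Android system
// properties assumed (not stated in the report) to be the ones inspected.
var indicators = []string{"generic", "google_sdk", "vbox86p", "genymotion", "qemu"}

var propKeys = []string{
	"ro.product.brand", "ro.product.model", "ro.product.manufacturer",
	"ro.build.fingerprint", "ro.hardware",
}

// Features the report says the sample expects to find on a real phone.
var requiredFeatures = []string{
	"android.hardware.bluetooth", "android.hardware.telephony",
	"android.hardware.sensor.accelerometer",
}

// parseGetProp turns "[key]: [value]" lines into a map.
func parseGetProp(out string) map[string]string {
	props := map[string]string{}
	for _, line := range strings.Split(out, "\n") {
		kv := strings.SplitN(strings.TrimSpace(line), "]: [", 2)
		if len(kv) != 2 || !strings.HasPrefix(kv[0], "[") || !strings.HasSuffix(kv[1], "]") {
			continue
		}
		props[kv[0][1:]] = strings.TrimSuffix(kv[1], "]")
	}
	return props
}

// auditDump lists every indicator from the report that this device exposes.
func auditDump(d deviceDump) []string {
	var hits []string
	props := parseGetProp(d.GetProp)
	for _, k := range propKeys {
		for _, ind := range indicators {
			if strings.Contains(strings.ToLower(props[k]), ind) {
				hits = append(hits, fmt.Sprintf("%s=%q contains %q", k, props[k], ind))
			}
		}
	}
	if strings.Contains(props["ro.build.tags"], "test-keys") {
		hits = append(hits, "ro.build.tags contains test-keys")
	}
	if props["ro.kernel.qemu"] == "1" {
		hits = append(hits, "ro.kernel.qemu=1 (QEMU-based emulator)")
	}
	cpu := strings.ToLower(d.CPUInfo)
	if strings.Contains(cpu, "genuineintel") || strings.Contains(cpu, "authenticamd") {
		hits = append(hits, "CPU vendor is Intel/AMD (x86 emulation host)")
	}
	have := map[string]bool{}
	for _, f := range d.Features {
		have[f] = true
	}
	for _, f := range requiredFeatures {
		if !have[f] {
			hits = append(hits, "missing feature "+f)
		}
	}
	return hits
}

// Constructed sample: an x86 SDK emulator image (values are illustrative).
var emulatorDump = deviceDump{
	GetProp: `[ro.build.fingerprint]: [google/sdk_gphone_x86/generic_x86:11/RSR1.201013.001/6903271:userdebug/test-keys]
[ro.build.tags]: [test-keys]
[ro.hardware]: [ranchu]
[ro.kernel.qemu]: [1]
[ro.product.brand]: [google]
[ro.product.manufacturer]: [Google]
[ro.product.model]: [sdk_gphone_x86]`,
	CPUInfo:  "processor\t: 0\nvendor_id\t: GenuineIntel\n",
	Features: []string{"android.hardware.sensor.accelerometer", "android.hardware.wifi"},
}

// Constructed sample: a physical ARM handset with release keys.
var phoneDump = deviceDump{
	GetProp: `[ro.build.fingerprint]: [acme/phone1/phone1:14/AP1A.240105.004/1234:user/release-keys]
[ro.build.tags]: [release-keys]
[ro.hardware]: [qcom]
[ro.product.brand]: [acme]
[ro.product.manufacturer]: [ACME]
[ro.product.model]: [phone1]`,
	CPUInfo:  "processor\t: 0\nCPU implementer\t: 0x41\n",
	Features: []string{"android.hardware.bluetooth", "android.hardware.telephony", "android.hardware.sensor.accelerometer"},
}

func main() {
	for name, d := range map[string]deviceDump{"emulator": emulatorDump, "phone": phoneDump} {
		fmt.Printf("%s: %d indicator(s)\n", name, len(auditDump(d)))
		for _, h := range auditDump(d) {
			fmt.Println("  -", h)
		}
	}
}
```

Run against the constructed emulator dump, the audit reports six indicators (the "generic" substring in the fingerprint, test keys, the QEMU kernel flag, an Intel CPU vendor, and the missing Bluetooth and telephony features); the handset dump reports none. Each reported line is one value an analyst would patch or spoof before the sample is allowed to run.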
Earlier TgToxic versions relied on hard-coded C2 domains, but the second variant adopted a new approach by using URLs linked to the “luntan6688” username across 25 different forums. The malware retrieves its C2 information by accessing this user’s profile page, where an encrypted string is embedded after the “Just a pretty little girl.__” delimiter. This technique helps the malware operators obscure their infrastructure and evade direct detection.
To generate the C2 URL from a dead drop location, the malware randomly selects a community forum URL from those embedded in its configuration and parses the HTML content of the page. To retrieve the encrypted string, it splits the page content at the "_" delimiter and iterates through the resulting segments, selecting the segment that contains the full stop character as the encrypted section.
For decryption, TgToxic instances utilize the data encryption standard (DES) algorithm in cipher block chaining (CBC) mode and the PKCS5Padding scheme. Across all observed samples, the string “jp202411” is consistently used as both the encryption key and the initialization vector.
In the specific case illustrated in Figure 4, the C2 domain derived from the dead drop location is sakiwmk.top, and the malware connects to https://ctrl.sakiwmk.top. Once the C2 connection is established, the operators can control the infected device and use it to perpetrate fraud.
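The dead-drop scheme described in the preceding paragraphs (split on "_", locate the segment ending in the delimiter's full stop, then DES-CBC with PKCS5 padding and key = IV = "jp202411") is small enough to reproduce as an analyst's decoder. The Go program below is an added example for this summary, not code from Intel 471's report; it builds a constructed profile-page fragment, pulls the encrypted segment out the way the report describes, decrypts it and applies the `https://ctrl.<domain>` pattern the report shows for sakiwmk.top. Two assumptions are not stated in the report: that the encrypted bytes are carried as standard Base64, and that the payload ends at the first whitespace or HTML tag. The domain in the sample is a placeholder, and the ciphertext is produced locally rather than copied from a real dead drop.

```go
package main

import (
	"bytes"
	"crypto/cipher"
	"crypto/des"
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
)

const (
	keyIV        = "jp202411"                  // key and IV reported for all samples
	markerPrefix = "Just a pretty little girl." // delimiter text that precedes "__"
	blockSize    = des.BlockSize               // 8 bytes
)

// pkcs5Pad and pkcs5Unpad implement the PKCS5Padding scheme the samples use.
func pkcs5Pad(b []byte) []byte {
	n := blockSize - len(b)%blockSize
	return append(b, bytes.Repeat([]byte{byte(n)}, n)...)
}

func pkcs5Unpad(b []byte) ([]byte, error) {
	n := 0
	if len(b) > 0 {
		n = int(b[len(b)-1])
	}
	if n == 0 || n > blockSize || n > len(b) || !bytes.Equal(b[len(b)-n:], bytes.Repeat([]byte{byte(n)}, n)) {
		return nil, errors.New("bad PKCS5 padding")
	}
	return b[:len(b)-n], nil
}

// cbc returns the DES/CBC block mode with key = IV = "jp202411".
func cbc(decrypt bool) (cipher.BlockMode, error) {
	block, err := des.NewCipher([]byte(keyIV))
	if err != nil {
		return nil, err
	}
	if decrypt {
		return cipher.NewCBCDecrypter(block, []byte(keyIV)), nil
	}
	return cipher.NewCBCEncrypter(block, []byte(keyIV)), nil
}

// encryptConfig exists only to build the constructed sample page below.
func encryptConfig(plain string) (string, error) {
	mode, err := cbc(false)
	if err != nil {
		return "", err
	}
	pt := pkcs5Pad([]byte(plain))
	ct := make([]byte, len(pt))
	mode.CryptBlocks(ct, pt)
	return base64.StdEncoding.EncodeToString(ct), nil
}

// decryptConfig is the analyst-side decoder: Base64 (assumed transport
// encoding), DES-CBC, then PKCS5 unpadding.
func decryptConfig(b64 string) (string, error) {
	ct, err := base64.StdEncoding.DecodeString(b64)
	if err != nil {
		return "", err
	}
	if len(ct) == 0 || len(ct)%blockSize != 0 {
		return "", errors.New("ciphertext is not a whole number of DES blocks")
	}
	mode, err := cbc(true)
	if err != nil {
		return "", err
	}
	pt := make([]byte, len(ct))
	mode.CryptBlocks(pt, ct)
	out, err := pkcs5Unpad(pt)
	if err != nil {
		return "", err
	}
	return string(out), nil
}

// extractCiphertext mirrors the parsing the report describes: split the page
// on "_", find the segment that carries the marker's full stop, and take the
// next non-empty segment. Assumption: the payload ends at whitespace or "<".
func extractCiphertext(page string) (string, error) {
	segs := strings.Split(page, "_")
	for i, s := range segs {
		if !strings.HasSuffix(s, markerPrefix) {
			continue
		}
		for _, next := range segs[i+1:] {
			if next == "" {
				continue
			}
			if end := strings.IndexAny(next, " \t\r\n<"); end >= 0 {
				next = next[:end]
			}
			return next, nil
		}
	}
	return "", errors.New("dead drop marker not found")
}

// c2URL applies the pattern the report shows (sakiwmk.top -> https://ctrl.sakiwmk.top).
func c2URL(domain string) string { return "https://ctrl." + domain }

// buildSamplePage constructs a profile fragment shaped like the dead drop;
// the domain is a placeholder, not an indicator from the report.
func buildSamplePage(domain string) (string, error) {
	enc, err := encryptConfig(domain)
	if err != nil {
		return "", err
	}
	return `<div class="bio">luntan6688: Just a pretty little girl.__` + enc + ` </div>`, nil
}

func main() {
	page, _ := buildSamplePage("c2-placeholder.invalid")
	enc, _ := extractCiphertext(page)
	domain, err := decryptConfig(enc)
	fmt.Println(enc, "->", domain, "->", c2URL(domain), err)
}
```

With a real profile page, `extractCiphertext` and `decryptConfig` are the only two functions needed; the padding check is what turns a wrong key or a truncated fetch into an error rather than a garbage domain.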
Threat actors derive several advantages from using public services to host malware configurations. First, they avoid the costs of maintaining their own infrastructure. Second, they exploit the perceived legitimacy of community forums to bypass security measures. Third, they decouple the sample from its server: once a C2 server is deactivated or taken down, a sample with a hard-coded address becomes obsolete because it cannot learn a new one, whereas with the dead drop technique, a strategy that is not new but remains popular among many threat actors, the operators simply update the community user profile to point to a new C2 address. This considerably extends the operational lifespan of malware samples, keeping them functional for as long as the user profiles on these forums remain active.
In December 2024, Intel 471 researchers identified a third variant of TgToxic that replaced dead drop locations with a domain generation algorithm (DGA) to create new C2 domains periodically. This shift enhances the malware’s resilience by making it harder for defenders to track and block communications.
Unlike hard-coded C2 addresses, which are easily detected and taken down, DGA-generated domains provide a continuous supply of new addresses, ensuring uninterrupted operations. TgToxic systematically attempts to connect to these domains, starting with the “.com” TLD, until a successful connection is established. This dynamic approach allows threat actors to maintain control over infected devices even if some domains are deactivated.
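The report does not describe the DGA itself, so it cannot be reproduced here, but the connection behaviour it does describe (the same generated label tried under ".com" first and then other TLDs until one resolves) is visible to a resolver as a run of NXDOMAIN answers for one label across several TLDs. The Go program below is an added detection example for this summary, not code from Intel 471's report. It reads constructed resolver log lines in a "client qname rcode" layout, groups NXDOMAIN answers per client and label, and flags any label queried under at least three distinct TLDs. The log format, the threshold, and the assumption that a TLD is the last label only (multi-part suffixes such as co.uk are not handled) are choices made here, not facts from the report.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// dnsEvent is one resolver log record. The "client qname rcode" layout is
// constructed for this example; map a real resolver's fields onto it.
type dnsEvent struct {
	Client, QName, RCode string
}

// parseLogLine reads the constructed layout and normalises the query name.
func parseLogLine(line string) (dnsEvent, bool) {
	f := strings.Fields(line)
	if len(f) != 3 {
		return dnsEvent{}, false
	}
	qname := strings.ToLower(strings.TrimSuffix(f[1], "."))
	return dnsEvent{Client: f[0], QName: qname, RCode: strings.ToUpper(f[2])}, true
}

// splitLabelTLD separates "label.tld". Simplification: the TLD is taken to be
// the last label only, so multi-part suffixes such as co.uk are not handled.
func splitLabelTLD(qname string) (label, tld string, ok bool) {
	i := strings.LastIndex(qname, ".")
	if i <= 0 || i == len(qname)-1 {
		return "", "", false
	}
	return qname[:i], qname[i+1:], true
}

// tldWalkers returns, per client, the labels that received NXDOMAIN under at
// least minTLDs distinct TLDs. Walking one generated label through .com and
// on to other TLDs is the connection pattern the report describes, and the
// NXDOMAIN run is what the resolver sees while the bot searches for a live C2.
func tldWalkers(lines []string, minTLDs int) map[string][]string {
	seen := map[string]map[string]map[string]bool{} // client -> label -> tld
	for _, line := range lines {
		ev, ok := parseLogLine(line)
		if !ok || ev.RCode != "NXDOMAIN" {
			continue
		}
		label, tld, ok := splitLabelTLD(ev.QName)
		if !ok {
			continue
		}
		if seen[ev.Client] == nil {
			seen[ev.Client] = map[string]map[string]bool{}
		}
		if seen[ev.Client][label] == nil {
			seen[ev.Client][label] = map[string]bool{}
		}
		seen[ev.Client][label][tld] = true
	}
	out := map[string][]string{}
	for client, labels := range seen {
		for label, tlds := range labels {
			if len(tlds) >= minTLDs {
				out[client] = append(out[client], label)
			}
		}
		sort.Strings(out[client])
	}
	return out
}

// Constructed sample log: one client walks a random-looking label through
// four TLDs; another only mistypes a real domain twice.
var sampleLog = []string{
	"10.0.0.5 kxq7m2wzpa.com NXDOMAIN",
	"10.0.0.5 kxq7m2wzpa.net NXDOMAIN",
	"10.0.0.5 kxq7m2wzpa.org NXDOMAIN",
	"10.0.0.5 kxq7m2wzpa.top NXDOMAIN",
	"10.0.0.5 example.com NOERROR",
	"10.0.0.9 example.com NOERROR",
	"10.0.0.9 exmaple.com NXDOMAIN",
	"10.0.0.9 exmaple.net NXDOMAIN",
}

func main() {
	for client, labels := range tldWalkers(sampleLog, 3) {
		fmt.Printf("%s walked TLDs for %v\n", client, labels)
	}
}
```

The rule deliberately keys on the NXDOMAIN run rather than on the look of the label, because the report notes the bot stops at the first TLD that answers: a label that resolves on ".com" never produces the run, so this check complements, rather than replaces, blocking or sinkholing of known generated domains.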
Recommendations
• Disable the "Allow from Unknown Sources" option on Android devices to prevent unauthorized APK installations. In corporate settings, restrict app installations to official stores and maintain a preapproved list of apps to reduce risks.
• Utilize Mobile Device Management (MDM) solutions to enforce security policies on corporate smartphones, tablets, and other mobile devices, ensuring better control over app installations and configurations.
• Monitor device traffic using mobile threat defense solutions, as mobile devices often operate outside traditional security perimeters and require additional protection.
• Scrutinize apps requesting excessive permissions, especially those seeking Accessibility services access, which is frequently abused in fraudulent activities.
• Educate employees on recognizing phishing attempts and malicious SMS messages designed to trick users into installing harmful applications. Regular training helps reinforce awareness and prevent security breaches.
Conclusion
The evolution of TgToxic demonstrates its operators' adaptability in response to security measures and public disclosures. The shift from hard-coded C2 domains to dead drop locations and now DGA-based infrastructure reflects a deliberate effort to enhance resilience and evade detection. Additionally, the integration of advanced anti-emulation techniques makes analysis more challenging, reinforcing the malware’s ability to persist in targeted environments. These continuous modifications highlight the threat actors’ commitment to refining their tactics, ensuring the malware remains operational despite ongoing security efforts.
Written by FPT Metrodata Indonesia