[Figure: Encryption process of tg.iapk]
Cybersecurity researchers have uncovered an updated version of the Android malware TgToxic, also known as ToxicPanda. Experts note that the cybercriminals behind this Trojan continuously modify its code, swiftly adapting in response to security researchers’ findings.
According to Intel 471, the alterations in TgToxic’s code indicate that its developers actively monitor open-source intelligence and are persistently enhancing its functionality to circumvent security measures and hinder forensic analysis.
Initially described by Trend Micro in early 2023, TgToxic was classified as a banking Trojan capable of stealing credentials and siphoning funds from cryptocurrency wallets, banking apps, and financial services. Since July 2022, it has been actively targeting mobile users in Taiwan, Thailand, and Indonesia.
In November 2024, the Italian cybersecurity firm Cleafy identified an upgraded version of the Trojan with expanded data-harvesting capabilities. The attack’s geographical scope has also widened, now posing a threat to users in Italy, Portugal, Hong Kong, Spain, and Peru. Analysts attribute TgToxic’s operations to a Chinese-speaking threat group.
Intel 471’s latest analysis suggests that the malware is distributed through APK files, likely via SMS phishing (smishing) campaigns or malicious websites. However, the exact delivery mechanism remains undisclosed. Among the most significant enhancements are improved emulator detection techniques and an upgraded URL-generation algorithm for command-and-control (C2) servers, allowing the Trojan to evade detection and forensic scrutiny.
One of the most notable shifts in its infrastructure is the transition from hardcoded C2 domains to leveraging public forums, such as the Atlassian developer community. Cybercriminals create fraudulent user profiles containing encrypted strings, which serve as pointers to actual C2 servers.
This approach enables attackers to seamlessly swap out C2 infrastructure simply by updating forum profiles, significantly extending the malware’s operational lifespan. In December 2024, researchers identified new TgToxic variants incorporating a Domain Generation Algorithm (DGA), further enhancing its resilience against takedown efforts.
According to Ted Miracco, CEO of Approov, TgToxic stands apart from other Android Trojans due to its advanced anti-analysis mechanisms, which include code obfuscation, encryption, and anti-emulation techniques. Its dynamic C2 strategies and automated processes enable stealthy data exfiltration and unauthorized financial transactions with remarkable sophistication.