Cybersecurity researchers have discovered an updated version of malicious Android software called Tgtoxic .
“Modification observed in Tgtoxic Useful Load – Note In a report published this week.
Tgtoxic was First documented According to the Micro trend in the early 2023, describing it as a banking trojan, capable of stealing powers and means from the crystals, as well as banking and financial applications. It has been discovered in the wild at least from July 2022, mainly focusing on mobile users in Taiwan, Thailand and Indonesia.
Then, in November 2024, a firm on the prevention of Italian Internet Mastering Cleafy minute The updated option with extensive data collection features while expanding its operational sphere, including Italy, Portugal, Hong Kong, Spain and Peru. Malicious software is evaluated as the work of a Chinese threatening actor.
The latest Intel 471 analysis revealed that malicious software is distributed through APK dropper files, probably through SMS -messages or phishing -sight. However, the exact delivery mechanism remains unknown.
Some of the notable improvements include advanced emulators and updating the mechanism of generating and control generation (C2), emphasizing constant efforts for analysis.
“The malicious software conducts a thorough evaluation of the equipment and systems of the device to detect emulation,” said Intel 471. “The malicious software examines a set of devices, including brand, model, manufacturers and fingerprint values to detect inconsistencies characteristic of emulated systems.”
Another significant change is the transition from domains with the C2 firm code built into malware configuration, to the use of forums such as the Atlassian Community developer forum, to create fictitious profiles that include an encrypted string indicating the C2 actual server.
TGTOXIC APK is designed for random selection one of the URL -url community forum that is provided in a configuration that serves as A like a Detolish Dead Drop For the C2 domain.
The technique offers several advantages, the main thing is that this facilitates the threats to change the C2 server, simply updating the community user profile to point to the new C2 domain without releasing any malicious software.
“This method greatly expands the life of malware samples, supporting them functional as long as user profiles in these forums remain active,” Intel 471 said.
The following TGTOXIC iterations, detected in December 2024, take a step further, based on the domain generation algorithm (DGA) to create new domain names for use as C2 servers. This makes malicious software more resistant to breakdowns, as DGA can be used to create multiple domain names, allowing attackers to move to a new domain, even if some are shot.
“TGTOXIC stands out as a very sophisticated Trojan Android Banking due to advanced anti-narlysis methods, including embarrassment, encryption of useful load and anti-emulation mechanisms that eliminate security tools,” the TED Mirac director said.
“Using dynamic team strategies and control (C2), such as domain algorithms (DGA), as well as automation capabilities allow it to steal user interfaces, steal credentials and perform unauthorized transactions with sustainability and counterbalance.”
