{
	"id": "24839c67-5687-49b0-b742-fd11d3490c3e",
	"created_at": "2026-04-06T00:17:46.172902Z",
	"updated_at": "2026-04-10T13:12:30.034407Z",
	"deleted_at": null,
	"sha1_hash": "13d524e2ce5504957285820d82700d53e6238134",
	"title": "TgToxic Malware’s Automated Framework Targets Southeast Asia Android Users",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 6392710,
	"plain_text": "TgToxic Malware’s Automated Framework Targets Southeast Asia\r\nAndroid Users\r\nBy Trend Micro\r\nPublished: 2023-02-03 · Archived: 2026-04-05 21:02:49 UTC\r\nMalware\r\nWe look into an ongoing malware campaign we named TgToxic, targeting Android mobile users in Taiwan,\r\nThailand, and Indonesia since July 2022. The malware steals users’ credentials and assets such as cryptocurrency\r\nfrom digital wallets, as well as money from bank and finance apps. Analyzing the automated features of the\r\nmalware, we found that the threat actor abused the legitimate test framework Easyclick to write a JavaScript-based\r\nautomation script for functions such as clicks and gestures.\r\nBy: Trend Micro Feb 03, 2023 Read time: 11 min (2868 words)\r\nWe analyzed an ongoing campaign that has been targeting Android users in Southeast Asia since July 2022. Its\r\ngoal is to steal victims’ assets from finance and banking applications (such as cryptocurrency wallets, credentials\r\nfor official bank apps on mobile, and money on deposit), via a banking trojan we named TgToxic (detected by\r\nTrend Micro as AndroidOS_TgToxic based on its special encrypted filename) embedded in multiple fake apps.\r\nWhile it previously targeted users in Taiwan, we observed fraudulent activities and phishing lures targeting\r\nusers in Thailand and Indonesia as of this writing. Users are advised to be wary of opening embedded links\r\nfrom unknown email and message senders, and to avoid downloading apps from third-party platforms.\r\nTracking: Timeline via Network Infrastructure\r\nWe have been monitoring this campaign since the second half of 2022 because of its shifting deployment and\r\ntargeting. 
Here’s a brief summary of the campaign’s timeline, and the subsequent sections go over some of the\r\ndetails involved:\r\nJuly 2022: Fraudulent posts appeared on Facebook with an embedded phishing link targeting Taiwanese\r\nusers on the social media platform via social engineering\r\nLate August-October 2022: Sextortion scams also target Taiwanese and Indonesian users, enticing them to\r\nregister in order for the malicious actors to steal their credentials\r\nNovember 2022-January 2023: Smishing links target Thai users. Some phishing websites used during this\r\nperiod also show the threat actors further expanding their activities to Indonesia with a cryptocurrency\r\nscam.\r\nEarly Activities: Fraud Via Facebook\r\nhttps://www.trendmicro.com/en_us/research/23/b/tgtoxic-malware-targets-southeast-asia-android-users.html\r\nPage 1 of 18\n\nIn July 2022, we found two potentially hacked Facebook accounts advertising scam messages on some Taiwanese\r\ncommunity groups claiming users could get an allowance for hurricane, flood, and COVID victims’ assistance.\r\nThe posts cited that users could register in download.tw1988[.]link to apply, which is in fact a phishing site.\r\nUnwitting users could have been victimized as the link masqueraded as the official government website\r\nhttps://1988.taiwan.gov.tw/ used to provide allowances for people in difficult situations.\r\nFigure 1. A sample scam post posted on Facebook. Text translates to \"28,000 benefits are being\r\ndistributed in summer, now enter https[:]//st7[.]fun/20 to receive your epidemic hurricane labor\r\nsubsidy, commissioner: fa00577 (first image from top) /fa00599” (middle image). 
The app also\r\ndisplays options for where the potential victims’ employment categories fit: “Living allowance for\r\nfarmers and fishermen”, “Self-employed workers and labor living allowances without a fixed\r\nemployer\", and \"Tour bus, taxi driving, tour guide, tour leader and other subsidies” are just some\r\nthat were identified (third image)\r\nSupplementary Scams: Sextortion and Cryptocurrency\r\nTracking the network infrastructure used by TgToxic, we subsequently found the threat actors also behind\r\nsextortion and cryptocurrency scams in Taiwan and Indonesia. The malicious apps could also be downloaded from\r\nthe same website down[.]tw1988[.]link and masqueraded as dating, messaging, lifestyle, or cryptocurrency-related apps to trick users into installing them and granting the permissions they request.\r\nFigure 2. The fake apps launch the registration page as soon as they are downloaded to lure users in, while\r\nthe TgToxic malware starts operating in the background\r\nFigure 3. Fake apps lured potential victims into sextortion and cryptocurrency scam phishing\r\nwebsites in Indonesia\r\nRecent Activities: Phishing in Thailand\r\nAs we continued monitoring TgToxic malware and its network infrastructure, we found that from the last weeks\r\nof 2022 to early January 2023, the cybercriminals behind the campaign began targeting Thai users with\r\nsextortion and phishing lures similar to those observed targeting Taiwanese users, and the group started to add malicious\r\ncode to steal credentials from bank applications. 
We also found that both schemes had already drawn attention in the local\r\nmedia and were being reported on Facebook in popular community groups.\r\nFigure 4. Locally popular Thai social media accounts discussing the phishing schemes using fake\r\nversions of popular chat and dating apps (left), and a conversation with one victim who also\r\nconfirmed the malware was delivered via smishing (right)\r\nThe phishing, sextortion, and cryptocurrency scams connect to the latest deployment samples of TgToxic malware\r\nas they all download from the same website, down[.]tw1988[.]link. Observing the communications to and from\r\nthe command and control (C\u0026C) servers, we saw the C\u0026C for these apps and malware change from api[.]tw1988[.]link\r\nto test[.]ja7[.]site, and later to us[.]ja7[.]site, corresponding to the change of targeting from Taiwan to Thailand.\r\nTechnical Analysis of TgToxic\r\nOur analysis shows that the TgToxic malware was developed on top of a legitimate automation test framework called\r\nEasyclick, which supports writing automation scripts in JavaScript. Such a script can be used to hijack an Android\r\ndevice’s user interface (UI) automatically, automating functions such as monitoring user input and performing\r\nclicks and gestures.\r\nWith this framework, TgToxic can run its own automation script to hijack cryptocurrency wallets and\r\nbank apps, stealing the user’s credentials as the victim enters their username and password. Once the\r\ncredentials are acquired, the cybercriminals can make small transactions using the official app without needing the\r\nuser’s approval or acknowledgement. 
Like other banking malware, TgToxic can also steal users' personal\r\ninformation via SMS and the list of installed apps, which can be used to select targeted victims by further checking whether the\r\ndevice holds apps the threat actors are interested in abusing.\r\nCurrently, TgToxic is still rapidly evolving and continues to add new functions, covering more apps to steal\r\ncredentials from, adapting to different app UIs, and collecting more information from victims. For this analysis, we\r\ntook the latest sample that targeted mobile users in Thailand.\r\nCode obfuscation and payload encryption\r\nTgToxic malware uses two methods to evade detection and analysis:\r\n1. Code Obfuscation: TgToxic obfuscates class, method, and field names, which makes it\r\nharder for analysts to reverse engineer.\r\n2. Payload Encryption: TgToxic puts the Easyclick script in an asset file named “tg.iapk”, which is an\r\nencrypted Zip file, and dynamically reads its content when the app launches. The malware\r\ndecrypts and loads the payload in a fileless way, and adds additional logic after unzipping.\r\nFigure 5. APK structure and the payload\r\nDecrypt payload and abuse Accessibility service to hijack a device UI\r\nFigure 6. Encryption process of tg.iapk\r\nAs noted by the researchers of McAiden, tg.iapk is an encrypted .zip file. Through static analysis, we found that\r\nthe decompression password is specially encoded and stored in the .zip comment section, which is usually used to\r\nrecord a description of the .zip. The content of this section does not affect the compressed content. 
To acquire the\r\npassword for the .zip file, the contents of the comment section are decoded as specified in the code.\r\nFigure 7. Zip password decode function\r\nAfter decompression, we found that all files were binary files, and the first four bytes of every file are\r\n“0x00092383”, a magic number marking them as specially encrypted files. Through reverse analysis, we located the decryption function.\r\nTo hide the decryption details, key classes and key methods are invoked using reflection, and the related symbol\r\nnames are encrypted.\r\nFigure 8. Special encrypted file\r\nFigure 9. Encrypted file decryption function\r\nBy analyzing the decryption function, we derived the format of the encrypted file. Encrypted files encode the\r\npassword and store it at the beginning of the file (following the magic number), while the encrypted data is stored at\r\nthe end of the file. The password is decoded in the same way as the zip password. \r\nFigure 10. Special encrypted file format\r\nPrecompiled script running in runtime engine\r\nThe automation script is precompiled to Java bytecode and runs on Rhino, an open-source engine for running\r\nJavaScript in Java. Each switch branch in a call function is a JavaScript function, and we explain how the code\r\nruns with a simple function from the malware.\r\nFigure 11. Java bytecode compiled from one JavaScript function\r\nThis function is used to collect device information and send it to the C\u0026C server. 
It first iterates over a\r\npredefined variable “walletListAry”, which contains a list of package names of cryptocurrency wallets that the\r\nthreat actor is interested in. Then the malware calls “isAppExist” to check whether each app is present on the system. If\r\nit is, the package name is pushed into an array.\r\nThe malware then checks the email applications in the same way and creates a JSON object that includes the\r\ninformation it collects. The “apps” field contains package names of installed cryptocurrency wallets, and the\r\n“mails” field contains package names of installed email apps. Finally, it calls “JSON.stringify” to serialize the\r\nJSON object into a string and calls “emitEnc” to send the information to the C\u0026C server over WebSocket.\r\nC\u0026C communication and data exfiltration\r\nThe script uses WebSocket as its C\u0026C channel. It calls “StartWs” to connect to the\r\nWebSocket server, then sets a “new_msg” event listener to receive and parse C\u0026C commands. The full C\u0026C\r\ncommand list is as follows:\r\nTable 1. 
Full list of commands and their respective functions\r\nCommand Command description/function\r\nstartCam Opens camera\r\nsetCam Takes a photo\r\nstopCam Closes camera\r\nreadContactList Reads all contacts\r\nreadAlbumList Reads all album file names\r\nreadAlbumThumbnail Reads all album thumbnails\r\nreadSmsList Reads all SMS\r\nshowShortcuts Adds icon on home screen\r\ncallAcc Checks if Android Accessibility service is enabled\r\ncallAppSetting Opens app settings\r\nopenIntent Opens floating tool bar\r\nbackstage Checks backstage service\r\nrequestfloaty Applies for floating window permission\r\npermission Requests all permissions\r\npermissionB Auto approves permissions\r\nreqAutoBoot Auto restarts the device\r\nreqFloaty Auto approves float window permission\r\nreqScreenPermission Requests screen capture permission\r\nreqPerList N/A\r\nupdateApk Installs apk\r\ninstallApk Downloads and installs apk\r\nupdate Updates Easyclick scripts\r\npower N/A\r\ncapture Captures screenshot\r\nscreen_relay Sets properties of screenshot\r\ncapturePic Enables capture screenshot\r\nhome Clicks home button via accessibility service\r\nback Clicks back button via accessibility service\r\nrecent Clicks recent button via accessibility service\r\nrestartSc Restarts easyclick script service\r\nrestartMe Restarts app itself\r\nawake Keeps device awake\r\ncancelAwake Stops device from waking\r\nwakeup Keeps screen on\r\ncancelWakeup Keeps screen dim\r\nsetWakeup Sets timer task to wakeup\r\nswipePwdScreenOn Forces use of pwd mode\r\nswipePwdScreenOff Disables forced use of pwd mode\r\ncatAllViewSwitch N/A\r\nreOpenMe Reopens app itself\r\nsetDebugOn Enables debug mode\r\nsetDebugOff Disables debug mode\r\nantiDeleteOn Enables anti-delete\r\n
antiDeleteOff Disables anti-delete\r\nlockScreen Locks screen\r\ncloseEnv Sets accessibility status flag to false\r\nblackB N/A\r\nblack Sets black overlay view\r\nlight Removes black overlay view\r\ninputSend Captures input text\r\ntouchDown Swipes down\r\ntouchMove Swipes move\r\ntouchUp Swipes up\r\nrightClick Clicks back button\r\nclickInput Clicks input box\r\ngestureUnlock Performs swipe up to unlock\r\ngestureB Performs a set of gestures\r\nclickPoint Performs click point\r\nclickB Performs click in a bound\r\nclear Excludes the pkg from recently used apps’ history\r\nwallpaper N/A\r\ngoogleAuth Steals Google auth 2FA code via Accessibility service and uploads it\r\nemailList Uploads installed email application list\r\nemail Steals emails’ full messages and uploads them\r\nwalletList Uploads installed wallet applications’ list\r\nfetchIcon Fetches wallet apps icon\r\nwalletSend Auto transfers balance via Accessibility service\r\nAnother detail worth noting is that TgToxic will connect to different C\u0026C servers depending on the infected\r\ndevice’s locale. While we continue tracking and have yet to find TgToxic activity in other regions or countries\r\noutside of the three we have identified so far, we believe that the malicious actors behind this deployment are trying\r\nto expand their activities to other countries, based on the availability of these different servers.\r\nFigure 12. Get C\u0026C host prefix depending on the device locale\r\nThe data is exfiltrated through the C\u0026C channel. Taking SMS exfiltration as an example, the malware first calls\r\n“getSmsInPhone” to extract all SMS from the message inbox, then uploads the stolen data to the server via the\r\nWebSocket C\u0026C channel.\r\nFigure 13. 
Extracting all text messages\r\nAutomatic permission grants and uninstallation prevention\r\nTgToxic can hijack system apps to automatically grant itself permissions, as well as prevent uninstallation\r\nwhen the victim tries to remove the malware. Below is a list of system apps that the malware tries to hijack and\r\nthe corresponding purposes:\r\nTable 2. List of system apps the malware attempts to take control of\r\nSystem app | Process | TgToxic hijacked function\r\nAndroid System App | com.google.android.apps.authenticator, com.google.android.apps.authenticator2 | Steal two-factor authentication (2FA) code\r\nAndroid System App | com.android.settings | Automatic permission grants and uninstallation prevention\r\nAndroid System App | com.android.systemui | Steal lock screen pin code\r\nSecurity App | com.color.safecenter, com.iqoo.secure, com.lbe.security.miui, com.miui.securitycenter, com.meizu.safe.security, com.transsion.phonemaster | Disable security apps to evade detection\r\nControl financial apps for automatic transfers\r\nTgToxic implements an automatic transfer service (ATS) to transfer money to the threat actors without the users\r\nknowing. The malware starts by secretly stealing passwords and unlocking gestures. When it detects that the user\r\nhas a wallet app, the malware watches for the specific activity and records the password via key logging when the user\r\nenters it. It can also take screenshots if the user performs a gesture to unlock the device.\r\nOnce it receives a “walletSend” command from the C\u0026C server, the malware puts up a full black screen overlay\r\nto prevent the victim from becoming aware of the malicious activities and transfers. It then opens the wallet\r\napplication and collects details such as chain type and balance. 
TgToxic will then simulate user clicks for\r\ntransfers to specific recipients across all chain types through the Accessibility service:\r\n1. Check if chain type is “usdt” and enter wallet details\r\n2. Click the transfer button\r\n3. Input receiver address\r\n4. Input transfer money\r\n5. Enter transfer detail page\r\n6. Input password\r\n7. Click the “Confirm” button\r\nFigure 14. Checking for chain type and entering the wallet details\r\nFigure 15. Typing in the stolen address information and the recipient’s address\r\nFigure 16. Typing in the wallet’s password and confirming the transaction\r\nTargeted applications\r\nHere is a list of apps that the malware extracted victims’ information from, as studied from the latest samples\r\ntargeting Thailand:\r\nTable 3. List of apps the malware takes information from once an Android device is infected\r\nType | Package names | Function\r\nBank applications | | Steal users’ credentials from Thai banking apps\r\n
Cryptocurrency wallet applications | com.binance.dev, com.bitfinex.mobileapp, com.bitmex.app.android, com.bitpay.wallet, com.bitpie, com.bixin.wallet.mainnet, com.blockfolio.blockfolio, com.btckorea.bithumb, com.coinbase.android, com.coinhub.wallet, com.ftxmobile.ftx, com.gateio.gateio, com.github.ontio.onto, com.hashkey.me.google, com.hittechsexpertlimited.hitbtc, com.hoo.qianbao, com.huobionchainwallet.gp, com.kubi.kucoin, com.ledger.live, com.legendwd.hyperpayW, com.mathwallet.android, com.medishares.android, com.mexcpro.client, com.myetherwallet.mewwallet, com.okinc.okcoin.intl, com.okinc.okex.gp, com.wemadetree.wemixwallet, huolongluo.byw, im.token.app, io.metamask, org.liberty.jaxx, org.toshi, piuk.blockchain.android, pro.huobi, vip.mytokenpocket, wannabit.io.cosmostaion, com.wallet.crypto.trustapp, com.vaulthotpro | Steal credentials and automate transfer of money\r\nEmail applications | com.acompli.acompli, com.microsoft.office.outlook, com.netease.mail, com.tencent.androidqqmail, com.yahoo.mobile.client.android.mail, com.yahoo.apps.yahooapp, com.google.android.gm | Steal email accounts and message content\r\nConclusion\r\nDespite the different deployment periods, we found the social media phishing campaigns and network\r\ninfrastructure targeting Taiwan, Indonesia, and Thailand to be similar. When the victim downloads the fake app from\r\nthe website given by the threat actor, or if the victim tries to send a direct message to the threat actor through\r\nmessaging apps such as WhatsApp or Viber, the cybercriminal deceives the user into registering, installing the\r\nmalware, and enabling the permissions it needs. Once these are granted, the phone is automatically controlled by the\r\nmalicious actors, and the legitimate apps and their respective assets on the device are put at risk.\r\nLooking at the analysis, the malware in itself is not sophisticated, but it is interesting. The abuse of legitimate\r\nautomation frameworks like Easyclick and Autojs can make it easier to develop sophisticated malware, especially\r\nAndroid banking trojans that abuse Accessibility services. The complexity of the frameworks also makes them\r\ndifficult to reverse engineer for analysis. 
It is highly likely that, because of the framework’s convenience and anti-reverse-engineering features, more threat actors will take advantage of this method in the future.\r\nLooking at the malicious actors, we determined that the group or individual responsible for this campaign is new\r\nto this, but relatively well informed about goings-on in the region and its targets, as there are components reflecting\r\nfamiliar use of traditional and simplified Chinese. One interesting detail we observed is that there were a lot of\r\nscams abusing the theme of allowance assistance distribution in Taiwan in August 2022. While the official\r\nagency had warned, and continues to warn, the public about these scams, mainstream news coverage was not as widely\r\ndistributed and did not offer details that we could use for our investigation.\r\nWhile we have insight into deployments and attempts to victimize users, there is little information on the actual\r\nnumber of victims on the ground. Growing threat intelligence and the improved capability of devices to detect these\r\nkinds of threats, coupled with users’ growing awareness that they can avoid threats like\r\nthese (e.g., by not downloading from unofficial platforms), make it easier to prevent these types of malware\r\ninfections. As additional precautions to avoid becoming a victim of these kinds of threats, here are some signs of\r\ninfection to watch for and best practices:\r\nAvoid installing apps from unknown sources and platforms. 
Do not click on apps, installers, or websites\r\ndirectly embedded in SMS or emails, especially from unknown senders.\r\nDo not grant sensitive permissions such as Accessibility services to unknown apps, or in order to enable or download\r\nthem.\r\nFor signs of malware infection, battery drain of a device despite the user not using it is a red flag of\r\npotential malware infection.\r\nTrend Micro solutions\r\nTrend Micro Mobile Security Solutions can scan mobile devices in real time and on demand to\r\ndetect malicious apps, sites, or malware and block or delete them. These solutions are available on Android and\r\niOS, and can protect users’ devices and help them minimize the threats brought by fraudulent applications and\r\nwebsites such as TgToxic.\r\nIndicators of compromise (IOCs)\r\nFor a full list of the IOCs, find the list here.\r\nSource: https://www.trendmicro.com/en_us/research/23/b/tgtoxic-malware-targets-southeast-asia-android-users.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.trendmicro.com/en_us/research/23/b/tgtoxic-malware-targets-southeast-asia-android-users.html"
	],
	"report_names": [
		"tgtoxic-malware-targets-southeast-asia-android-users.html"
	],
	"threat_actors": [],
	"ts_created_at": 1775434666,
	"ts_updated_at": 1775826750,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/13d524e2ce5504957285820d82700d53e6238134.pdf",
		"text": "https://archive.orkl.eu/13d524e2ce5504957285820d82700d53e6238134.txt",
		"img": "https://archive.orkl.eu/13d524e2ce5504957285820d82700d53e6238134.jpg"
	}
}