{
	"id": "c6f867b9-bc22-44c5-a39f-c46bc9b40b2f",
	"created_at": "2026-04-06T00:07:29.744519Z",
	"updated_at": "2026-04-10T03:20:03.111724Z",
	"deleted_at": null,
	"sha1_hash": "398ea876f914362ed0537c3b4a38fc8a03a7514a",
	"title": "Android trojan TgToxic updates its capabilities",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1399958,
	"plain_text": "Android trojan TgToxic updates its capabilities\r\nBy Intel 471\r\nPublished: 2026-04-01 · Archived: 2026-04-05 23:35:50 UTC\r\nTgToxic is an Android banking trojan discovered by Trend Micro in July 2022. It’s designed to steal user credentials, cryptocurrency from digital wallets and funds from banking and finance apps. It initially was observed targeting mobile users in Southeast Asia through social-engineering campaigns, distributing malware samples via phishing sites and deceptive applications that mimic legitimate services such as government assistance websites. Additionally, the malware was promoted through compromised social media accounts and third-party platforms, often under the guise of dating, messaging or financial applications.\r\nIn October 2024, researchers with online fraud management software provider Cleafy published an article about a new version of TgToxic malware, which they called the ToxicPanda strain. Their analysis revealed this version still was under development, evident from several unimplemented commands and a general reduction in technical sophistication compared to its predecessor. Additionally, the report pointed to suspected plans by the malware operators to expand their geographical reach. This expansion is evidenced by the inclusion of European and Latin American banks in the list of targeted applications, indicating a potential broadening of their operational focus to encompass additional regions.\r\nOn Nov. 22, 2024, Intel 471 mobile malware researchers observed a campaign leveraging an updated version of TgToxic. We believe these updates could be a direct response to the detailed blog post published by Cleafy which exposed the functionality of the newer TgToxic version. This new version of the trojan abused 25 community forums to host encrypted malware configurations. The actors created user accounts on these forums and embedded specific encrypted strings within the user profiles, serving as dead drop locations from which malware bots could retrieve the final command-and-control (C2) URL.\r\nHowever, this second version was only in use for a few weeks before being replaced by a third variant, which is still being leveraged by the threat actors at the time of this report. The actors once again changed the way the malware obtains the C2 URL, from a dead drop location to a domain generation algorithm (DGA). This shift may have been triggered by the reporting and subsequent removal of the dead drop accounts from various forums.\r\nThe modifications seen in the TgToxic payloads reflect the actors’ ongoing surveillance of open source intelligence and demonstrate their commitment to enhancing the malware’s capabilities to strengthen its own defenses against analysis and keep researchers at bay. This blog post will discuss specifics of the campaign and the malware updates.\r\nThe campaign\r\nThe samples associated with the campaign were hosted on the open directory at the mta164.bwhite.com website. We suspect these samples may have been delivered through short message service (SMS) texts, phishing websites or deceptive applications; however, we currently lack direct evidence confirming the specific methods used for their delivery.\r\nhttps://intel471.com/blog/android-trojan-tgtoxic-updates-its-capabilities\r\nPage 1 of 7\r\nThis image depicts the open directory that hosted both the dropper and main payload involved in the campaign Nov. 26, 2024.\r\nTwo Android application package (APK) samples are within the open directory. The sample labeled “dropper.apk” is part of the TiramisuDropper malware family, functioning as a loader to facilitate the installation of the final “no_dropper.apk” payload. In this case, the final payload is an updated version of TgToxic.\r\nVersion updates\r\nAnalysis of the latest version of the malware revealed several changes, including improved emulator detection capabilities and updates to the C2 URL generation mechanism, as detailed below.\r\nImproved emulator detection capabilities. The latest samples of TgToxic were enhanced with multiple anti-emulation techniques to circumvent automated analysis systems. These techniques incorporate a multifaceted approach to system verification. Key methods include:\r\nAndroid system features check and hardware fingerprinting. The malware conducts a thorough evaluation of the device’s hardware and system capabilities to detect emulation. It assesses crucial Android system features typically absent in emulators, such as Bluetooth capabilities, sensor availability and telephony services. The malware concurrently scrutinizes the central processing unit (CPU) architecture to determine whether it is running on processors commonly supported by emulators, such as AMD or Intel processors.\r\nThe image depicts the emulator detection routine through hardware fingerprinting in the new TgToxic versions Nov. 26, 2024.\r\nSystem property analysis and emulator-specific indicators. The malware examines a set of device properties including brand, model, manufacturer and fingerprint values to identify discrepancies that are typical of emulated systems. It simultaneously searches for direct indicators of emulation, such as the presence of Quick Emulator (QEMU), an open source emulator and virtualization software used for running various operating systems on different processor architectures, and Genymotion, a specialized Android emulator that simulates Android devices for development and testing. It also detects generic hardware signatures, test keys and emulator names such as the \"google_sdk\" or \"vbox86p\" products.\r\nThe image depicts the emulator detection routine through device build properties in the new TgToxic versions Nov. 26, 2024.\r\nUpdates from hard-coded C2 to dead drop locations\r\nPrevious versions of TgToxic featured hard-coded C2 domains and subdomains in the malware configuration. However, the second variant has shifted to using a set of URLs that direct to the specific “luntan6688” username on forums hosted by 25 different companies. Visiting the profile page of this user on any of the listed forums reveals the actors included an encrypted string following the “Just a pretty little girl.__” delimiter.\r\nThe image depicts the luntan6688 user profile on the Atlassian community developer forum Nov. 26, 2024.\r\nTo generate the C2 URL from a dead drop location, the malware randomly selects a community forum URL from those embedded in its configuration, then parses the hypertext markup language (HTML) content on the page. To retrieve the encrypted string, the malware splits the page content at the \"＿\" delimiter and iterates through the resulting segments, identifying and retrieving the encrypted section by searching for the segment that contains the full stop character.\r\nFor decryption, TgToxic instances utilize the data encryption standard (DES) algorithm in cipher block chaining (CBC) mode and the PKCS5Padding scheme. Across all observed samples, the string “jp202411” consistently is used as both the encryption key and the initialization vector.\r\nIn the specific case illustrated in Figure 4, the C2 derived from the dead drop location is sakiwmk.top, leading the malware to establish a connection to https://ctrl.sakiwmk.top. Once the correct C2 connection is established, malware operators can use the infected device to perpetrate fraud and control it.\r\nThreat actors derive several advantages from using public services to host malware configurations. First, they avoid the costs associated with maintaining their own infrastructure. Second, they exploit the perceived legitimacy of community forums to bypass security measures. Moreover, it is important to note that once a C2 server is deactivated or taken down, the associated malware sample becomes obsolete since it cannot connect to a new server without an updated address. However, by employing the dead drop technique — a strategy that is not new but remains popular among many threat actors — they simply can update the community user profile to point to a new C2 address. This method considerably extends the operational lifespan of malware samples, keeping them functional as long as the user profiles on these forums remain active.\r\nSwitch to DGA\r\nStarting from the beginning of December 2024, Intel 471 mobile malware researchers identified a third variant of TgToxic using a DGA to periodically generate new domain names used as C2 servers. Some of the top-level domains (TLDs) are in the figure below.\r\nThe image depicts the TLDs included in the malware configuration Feb. 14, 2025.\r\nThe reason for this further change lies in the several advantages of using a DGA. Unlike hard-coded C2 server addresses, which can be easily identified and blocked by security systems, DGAs dynamically generate multiple domain names, making it harder for defenders to track and disrupt communications. This technique increases the resilience of the malware, as even if some domains are taken down, malware operators can quickly switch to new ones. In fact, TgToxic instances try to connect sequentially to each domain starting from the “.com” TLD until they can establish a connection to one of the generated domains.\r\nAssessment\r\nThe recent updates to the TgToxic malware are noteworthy, highlighting both continuous improvement and a deliberate expansion of its operational scope by its operators. This effort to broaden the malware’s reach suggests a calculated attempt to engage new markets and demographic groups beyond its original targets in Southeast Asia.\r\nMoreover, it is crucial to recognize the actors behind TgToxic actively monitor open source intelligence and adjust their strategies accordingly. This ongoing surveillance of the cybersecurity landscape enables them to make timely decisions and modify their tactics to circumvent new security defenses effectively. This proactive stance poses significant challenges for defense strategies and underscores the need for dynamic, adaptive cybersecurity measures to counter these evolving threats effectively.\r\nRecommendations\r\nPrevention strategies\r\nRestrict app installations: Disable the settings option \"Allow from Unknown Sources\" on Android devices to prevent installation of APKs from unauthorized sources. In corporate environments, only install APKs from official app stores and further restrict this to a list of preapproved apps to minimize risks.\r\nLeverage mobile device management: Consider deploying mobile device management (MDM) software to enhance corporate security on smartphones, tablets and other portable devices used within an organization.\r\nUse mobile threat defense: Deploy mobile threat defense software to monitor and manage traffic directly on devices. This is crucial, since portable devices often escape the security controls of traditional local networks.\r\nMonitor permissions requests: Be vigilant of apps that request excessive permissions. Pay special attention to any app requesting “Accessibility services permission,” since this frequently is exploited in fraud-oriented applications.\r\nDeploy indicators of compromise: Consider deploying the indicators of compromise (IoCs) available in Titan for timely detection of potential threats.\r\nPerform regular cybersecurity training: Provide ongoing cybersecurity training for all staff members. Emphasize the importance of recognizing phishing and malicious SMS messages prompting users to install applications.\r\nMITRE ATT\u0026CK techniques\r\nThis report comes from Intel 471’s Malware Intelligence team, which tracks and collects indicators and artifacts from more than 300 malware families and more than 60 mobile malware families. Malware Intelligence provides near real-time proactive insights into malware and related threat actor activity using the Technical Research \u0026 Analysis Platform (TRAP), our automated framework for tracking and monitoring malware. TRAP is further enhanced with near real-time surveillance of malware activity at the C2 level, providing deep insights and context into malware operations using our unique and patented Malware Emulation and Tracking System (METS). METS delivers near real-time insights and deep context in support of numerous cybersecurity and intelligence use cases. For more information, please contact Intel 471.\r\nSource: https://intel471.com/blog/android-trojan-tgtoxic-updates-its-capabilities",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://intel471.com/blog/android-trojan-tgtoxic-updates-its-capabilities"
	],
	"report_names": [
		"android-trojan-tgtoxic-updates-its-capabilities"
	],
	"threat_actors": [],
	"ts_created_at": 1775434049,
	"ts_updated_at": 1775791203,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/398ea876f914362ed0537c3b4a38fc8a03a7514a.pdf",
		"text": "https://archive.orkl.eu/398ea876f914362ed0537c3b4a38fc8a03a7514a.txt",
		"img": "https://archive.orkl.eu/398ea876f914362ed0537c3b4a38fc8a03a7514a.jpg"
	}
}