Researchers have identified an updated version of the Android malware TgToxic, which has evolved since its initial discovery in 2023. This banking trojan is increasingly sophisticated, capable of stealing data from finance apps and crypto wallets while expanding its geographical reach to include various countries beyond its original targets in Asia. New features suggest a heightened awareness of countermeasures by its operators, particularly enhanced emulator detection to avoid analysis by cybersecurity experts. The malware's delivery methods remain variable, primarily using dropper APKs via SMS or phishing schemes.
The modifications seen in the TgToxic payloads reflect the actors' ongoing monitoring of open source intelligence about the malware and demonstrate their commitment to enhancing its capabilities.
The malware conducts a thorough evaluation of the device's hardware and system capabilities to detect emulation, examining brand, model, manufacturer and fingerprint values.
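For an analyst triaging a sample, the practical question is how to spot this kind of emulator check quickly in decompiled code. The following is an added example, not code from the report or from the malware itself: a small heuristic that flags references to the Build fields named above alongside string constants that commonly identify emulator images. The decompiled-looking snippet it runs on is constructed for illustration and is not taken from a TgToxic sample.

```python
"""Triage heuristic: flag emulator-detection logic in decompiled Android code.

Added example for this article, not code from the TgToxic report. The source
snippet below is constructed to look like decompiled Java from a banking
trojan; the Build fields and constant strings it checks are well-known
emulator indicators, not values taken from the TgToxic sample.
"""
import re

# android.os.Build fields the article says the malware inspects, plus a few
# siblings commonly checked alongside them.
BUILD_FIELDS = ("BRAND", "MODEL", "MANUFACTURER", "FINGERPRINT", "DEVICE",
                "HARDWARE", "PRODUCT")

# String constants that typically identify an emulator image; their presence
# next to Build.* reads is a strong hint of anti-analysis logic.
EMULATOR_STRINGS = ("generic", "google_sdk", "sdk_gphone", "goldfish",
                    "ranchu", "emulator", "vbox", "genymotion")

_BUILD_RE = re.compile(r"\bBuild\.(" + "|".join(BUILD_FIELDS) + r")\b")
_STR_RE = re.compile(r'"([^"]*)"')


def find_emulator_checks(source: str) -> dict:
    """Return which Build fields and emulator constants a code snippet references."""
    fields = sorted({m.group(1) for m in _BUILD_RE.finditer(source)})
    literals = {s.lower() for s in _STR_RE.findall(source)}
    constants = sorted(s for s in EMULATOR_STRINGS
                       if any(s in lit for lit in literals))
    # Both categories together are what makes the heuristic fire; either alone
    # is common in benign code (device-info reporting, generic error strings).
    suspicious = len(fields) >= 2 and len(constants) >= 2
    return {"build_fields": fields, "emulator_constants": constants,
            "likely_emulator_check": suspicious}


# Constructed decompiled-Java-like snippet (not from the real sample).
SAMPLE = '''
boolean a() {
    return Build.FINGERPRINT.startsWith("generic")
        || Build.MODEL.contains("google_sdk")
        || Build.MANUFACTURER.contains("Genymotion")
        || Build.BRAND.startsWith("generic") && Build.DEVICE.startsWith("generic")
        || "goldfish".equals(Build.HARDWARE);
}
'''

if __name__ == "__main__":
    print(find_emulator_checks(SAMPLE))
```

Running it on a whole decompiled tree (one call per source file) gives a quick list of classes worth reading first; a hit is a lead, not proof, since legitimate anti-fraud SDKs perform similar checks.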
Delta variants of TgToxic add improved emulator detection and an updated command-and-control (C2) URL generation mechanism, both intended to hinder analysis.
TgToxic is a banking trojan capable of stealing credentials and funds from crypto wallets and finance apps, posing a significant threat to mobile users.