Ref# AL2025_16 | Date: Mar 6th 2025

---

Description

TgToxic (also known as ToxicPanda) is a sophisticated Android banking trojan that continues to evolve with advanced anti-analysis capabilities. Initially documented by Trend Micro in 2023, the malware has expanded its reach beyond Taiwan, Thailand, and Indonesia to target users in Italy, Portugal, Hong Kong, Spain, and Peru. The latest iteration, discovered by Intel 471, incorporates enhanced evasion techniques and a more resilient command-and-control (C2) mechanism to maintain persistent operations.

Attack Details

TgToxic is distributed via malicious dropper APK files, likely delivered through SMS phishing (smishing) campaigns or deceptive websites. The malware is engineered to steal credentials, hijack user interfaces, and conduct unauthorized financial transactions. Recent modifications include enhanced emulator detection, advanced C2 communication strategies, and the use of a domain generation algorithm (DGA). The malware performs a comprehensive evaluation of device properties such as brand, model, manufacturer, and system fingerprint values to detect virtualized environments, making it harder for researchers to analyze the payload in a controlled setting. Instead of hard-coded domains, the latest variant leverages community forums (e.g., Atlassian developer forums) as dead drop resolvers, embedding encrypted C2 addresses within user profiles. This allows for seamless updates to C2 domains without modifying the malware. Later versions detected in December 2024 employ a DGA to dynamically create new C2 domains, increasing resilience against takedown efforts by security teams.

Remediation

To mitigate the risk posed by TgToxic, organizations and individual users should take the following precautions: 

1. Avoid Unknown APK Installations: Only download apps from trusted sources such as the Google Play Store and disable the installation of apps from unknown sources in device settings.
2. Monitor Permissions: Be cautious of apps requesting excessive permissions, particularly those requiring Accessibility Services, which are often exploited for malicious activity.
3. Enable Multi-Factor Authentication (MFA): MFA adds an extra layer of security, reducing the risk of unauthorized access even if credentials are compromised.
4. Keep Devices and Apps Updated: Regularly update the operating system and applications to patch vulnerabilities that malware may exploit.
5. Implement Security Solutions: Use mobile security software capable of detecting and blocking advanced threats and enable behavioral analysis tools that monitor unusual app activities.
6. Educate Users on Smishing Risks: Train users to recognize phishing attempts and avoid clicking on suspicious links in SMS messages.

The continued evolution of TgToxic highlights the need for proactive security measures. Organizations and users must remain vigilant and adopt robust defense strategies to counter this ever-adapting threat.

The Guyana National CIRT recommends that users and administrators review this alert and apply it where necessary.

PDF Download: TgToxic Banking Trojan Variant Evolves with Anti-Analysis Upgrades

References

• Android trojan TgToxic updates its capabilities. (2025, February 25). Retrieved from Intel 471. https://intel471.com/blog/android-trojan-tgtoxic-updates-its-capabilities#:~:text=TgToxic%20is%20an%20Android%20banking,from%20banking%20and%20finance%20apps.
• The Hacker News. (n.d.). New TgToxic Banking Trojan Variant Evolves with Anti-Analysis Upgrades. Retrieved from The Hacker News https://thehackernews.com/2025/02/new-tgtoxic-banking-trojan-variant.html#:~:text=Cybersecurity%20researchers%20have%20discovered%20an%20updated%20version%20of,continuously%20making%20changes%20in%20response%20to%20public%20reporting.