Android Users Should Beware of TgToxic Mobile Malware
TgToxic is the name of a new strain of mobile malware monitored by a team of security researchers. The threat has been around since mid-2022 at the latest and is targeting victims located in Asia.
The team monitoring TgToxic first spotted fake Facebook posts that contained an embedded link to a phishing page. The lure was aimed at Taiwanese Facebook users and used clever social engineering tricks.
Roughly a month later, Taiwanese and Indonesian users became the target of a sextortion scam that aimed to get victims to register on a malicious page and steal their information in the process. SMS phishing or smishing attacks were used by what is believed to be the same threat actor and campaign in early 2023. The victims were Thai citizens.
The original fraudulent Facebook posts and the fake dating website used in the second wave of the TgToxic campaign used similar domains and likely shared some of their infrastructure. In 2023, the new lures used by the hackers behind TgToxic were trying to steal banking information from Thai users.
Table of Contents
Technical aspects of TgToxic
Curiously, the TgToxic malware turned out to be based on a legitimate "automation test framework" named Easyclick. The application uses JavaScripts that are supposed to provide automation, but when used malicoiusly hijacked an Android device's interface and allowed the threat actors to monitor used activity, such as onscreen keyboard inputs.
The fact that is uses the automation framework as its base means that the hackers operating TgToxic can come up with their own code that can allow them further malicious activities on the compromised devices.
The malware is under active development and is being expanded with new features and capabilities, including more data collection and account hijacking options.
Why are mobile banking trojans a major security threat?
Mobile banking trojans are a major security threat because they are designed to steal sensitive information from mobile devices. These malicious programs can be used to intercept text messages, access contact lists, and even gain access to bank accounts. They can also be used to install other malicious software on the device, such as ransomware or spyware. Mobile banking trojans are particularly dangerous because they often go undetected by antivirus software and can remain on the device for long periods of time without being detected. Additionally, these malicious programs can be difficult to remove once installed, making them a major security risk for users of mobile devices.
What are smishing malicious campaigns?
Smishing malicious campaigns are a type of cyber attack that uses text messages (SMS) to try and trick users into providing sensitive information or downloading malicious software. The attacker will typically send out a message that appears to be from a legitimate source, such as a bank or other financial institution, asking the user to click on a link or provide personal information. If the user clicks on the link, they may be taken to a malicious website where malware is downloaded onto their device, or they may be asked for personal information such as passwords or credit card numbers. Smishing attacks can also involve sending messages containing malicious links that can infect devices with malware when clicked.
