December 11, 2023

Researchers have discovered a campaign involving malware dubbed TgToxic that targets cryptocurrency wallets, performs dubious money transfers, and steals credentials from banking and financial apps of Android users in Taiwan, Thailand, and Indonesia.

In one campaign, the threat actors made fraudulent posts on Facebook with an embedded phishing link to target Taiwanese users via social engineering.


Later, in another campaign, they used sextortion and cryptocurrency phishing websites to target potential victims in Taiwan and Indonesia. These phishing, sextortion, and cryptocurrency scams had already drawn attention in the local media and were reported in popular Facebook communities.

The threat actors abuse a legitimate test framework called Easyclick to write their own automation scripts in JavaScript, which hijack an Android device’s UI to automate functions such as clicks and gestures.

TgToxic scans for cryptocurrency wallets and bank apps and steals the credentials entered by users. Using the acquired credentials, it makes small transactions through the official app without needing the user’s approval or acknowledgment. It is also capable of stealing users’ personal information via SMS and installing apps.


TgToxic malware keeps evolving, and threat actors are adding new functions. It has the potential to scale up its activities rapidly and develop into sophisticated malware, targeting multiple geographical regions.
