A long-running malware campaign that uses the TgToxic banking trojan has targeted a new set of Android users. The ongoing malware campaign has been active since July last year.
Based on reports, the cybercriminal operation involves targeting crypto wallets, credential stealing, and suspicious money transfers from financial and banking applications of Android users in Indonesia, Taiwan, and Thailand.
The malware operators disguise their malware as fake applications and advertise those apps through smishing and phishing links. During the first days of the campaign they also created fraudulent Facebook posts containing phishing links to target Taiwanese users via social engineering.
However, the actor used a different approach in late August and October last year by using sextortion and crypto phishing websites to target victims in Indonesia and Taiwan.
Subsequently, the actors employed another strategy by using smishing links to target Thai users and cryptocurrency phishing websites to target Indonesian users earlier this year.
Concerned individuals had already posted about these sextortion, crypto scam, and phishing campaigns on numerous social media platforms to raise awareness.
The TgToxic banking trojan operators have also used automated tasks to make their attacks more aggressive.
Research revealed that the TgToxic actors abused the legitimate test automation framework Easyclick to write their automation scripts in JavaScript.
Experts explained that the criminals wrote scripts that automatically hijack the Android UI, automating actions such as gestures and clicks. Additionally, TgToxic scans the device for banking apps and crypto wallets and steals the credentials entered by the targeted user.
The threat actors then use these stolen credentials to make minor transactions through the legitimate app without the user's approval. The malware can also steal a user's personal information via SMS and by tricking users into installing applications.
The TgToxic banking trojan lacks sophistication, but its operators have constantly applied new updates that make it a threat to many users. One example of these upgrades is the adoption of the automation framework, which makes the malware more difficult for researchers to spot.
Experts claimed that this banking trojan could potentially be a more significant threat and could soon spread to new regions.