TgToxic Malware’s Automated Framework Targets Southeast Asia Android Users
Conclusion
Despite having different deployment periods, we found the social media phishing campaigns and network infrastructure targeting Taiwan, Indonesia, and Thailand to be similar. When the victim downloads the fake app from the website given by the threat actor, or when the victim tries to send a direct message to the threat actor through messaging apps such as WhatsApp or Viber, the cybercriminal deceives the user into registering, installing the malware, and enabling the permissions it needs. Once those permissions are granted, the phone is controlled by the malicious actors, and the legitimate apps and their assets on the device are put at risk.
Looking at the analysis, the malware itself is not sophisticated, but it is interesting. The abuse of legitimate automation frameworks like Easyclick and Autojs can make it easier to develop sophisticated malware, especially Android banking trojans that abuse Accessibility services. The complexity of these frameworks also makes the malware difficult to reverse engineer for analysis. Given the frameworks' convenience and anti-reverse-engineering properties, it is highly likely that more threat actors will adopt this method in the future.
Looking at the malicious actors, we determined that the group or individual responsible for this campaign is new at this, but relatively well informed about developments in the region and its targets, as there are components reflecting familiarity with both traditional and simplified Chinese. One interesting detail we observed is that there were many scams abusing the theme of allowance assistance distribution in Taiwan in August 2022. While the official agency had repeatedly warned the public about these scams, mainstream news coverage was not widely distributed and did not offer details that we could use in our investigation.
While we have insight into deployments and attempts to victimize users, there is little information on the actual number of victims on the ground. Improved threat intelligence and device detection capabilities, coupled with users' growing awareness that threats like these can be avoided (for example, by not downloading from unofficial platforms), make it easier to prevent these types of malware infections. As additional precautions against becoming a victim of these kinds of threats, here are some signs of infection to watch for and best practices to follow:
- Avoid installing apps from unknown sources and platforms. Do not click on apps, installers, or website links embedded in SMS messages or emails, especially from unknown senders.
- Do not grant sensitive permissions such as Accessibility services to unknown apps, or in order to enable or download them.
- As a sign of malware infection, unexplained battery drain while the device is not in use is a red flag.
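A quick defender-side check for the Accessibility abuse described above, added here as an example and not part of the original report: Android exposes the enabled accessibility services as a colon-separated list (`adb shell settings get secure enabled_accessibility_services`), so any entry whose package is not on an expected allowlist deserves a look. The sample device output, the allowlist, and the `com.example.fakeapp` entry below are constructed for illustration.

```shell
# Constructed sample of what
#   adb shell settings get secure enabled_accessibility_services
# returns on a device: colon-separated "package/ServiceClass" entries.
# The com.example.fakeapp entry is a placeholder, not a real TgToxic identifier.
SAMPLE_ENABLED='com.android.talkback/com.google.android.marvin.talkback.TalkBackService:com.example.fakeapp/com.example.fakeapp.AutoService'

# Packages whose accessibility services are expected on the device (assumed allowlist).
ALLOWED_PKGS='com.android.talkback'

# flag_unexpected_services ENABLED_STRING ALLOWLIST
# Prints one line per enabled accessibility service whose package is not allowlisted.
# Empty entries (e.g. a leading or trailing colon) are skipped.
flag_unexpected_services() {
  enabled="$1"
  allow="$2"
  printf '%s\n' "$enabled" | tr ':' '\n' | while IFS= read -r entry; do
    [ -n "$entry" ] || continue
    pkg="${entry%%/*}"          # package name is everything before the first '/'
    found=0
    for a in $allow; do
      if [ "$a" = "$pkg" ]; then
        found=1
        break
      fi
    done
    if [ "$found" -eq 0 ]; then
      printf '%s\n' "$entry"
    fi
  done
  return 0
}

# Stand-alone usage on the constructed sample; on a real device, replace the
# first argument with: "$(adb shell settings get secure enabled_accessibility_services)"
flag_unexpected_services "$SAMPLE_ENABLED" "$ALLOWED_PKGS"
```

An allowlist keyed on package name only catches services the organisation did not expect; it does not judge whether an allowlisted package is itself trustworthy.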
Trend Micro solutions
Trend Micro Mobile Security Solutions can scan mobile devices in real time and on demand to detect malicious apps, sites, and malware, and to block or delete them. These solutions are available on Android and iOS, and can protect users' devices and help minimize the threats posed by fraudulent applications and websites such as TgToxic.
Indicators of compromise (IOCs)
For a full list of the IOCs, find the list here.