Cybersecurity researchers have identified an updated version of the TgToxic (aka ToxicPanda) Android malware, highlighting ongoing modifications to evade detection and improve its capabilities. Originally documented in early 2023, the malware is a banking trojan that steals credentials and funds from crypto wallets and finance apps. It initially targeted users in Taiwan, Thailand, and Indonesia; by November 2024 its scope had expanded to Italy, Portugal, Hong Kong, Spain, and Peru.
Intel 471's latest findings reveal that TgToxic is distributed via dropper APKs, possibly delivered through SMS messages or phishing websites. The malware features enhanced emulator detection and a new C2 domain generation mechanism, making analysis more challenging. Instead of relying on hard-coded domains, the operators now store encrypted C2 addresses in bogus profiles on the Atlassian community developer forum, which lets them rotate C2 infrastructure without shipping a modified malware build. This approach extends the malware's operational lifespan while bypassing detection methods that depend on known, hard-coded domains.