
A sophisticated new malware campaign is preying on Android devices to steal money, an investigation has shown.
An Android banking trojan built to steal login credentials, drain cryptocurrency wallets and empty accounts in banking and finance apps has recently been observed expanding its reach.
Disguised as legitimate software, the malware silently lurks, waiting for users to enter their online banking credentials – which can later be exploited to drain their accounts.
First discovered in 2022, the TgToxic trojan primarily targeted Southeast Asian mobile users via phishing sites and compromised social media accounts. The malware typically masquerades as dating, messaging, or financial apps.
However, the attackers have improved their toolset to extend their attacks to devices worldwide. New findings by Intel 471’s Malware Intelligence team suggest that banks in Europe and Latin America have been added to the list of applications the trojan targets.
“This effort to broaden the malware’s reach suggests a calculated attempt to engage new markets and demographic groups beyond its original targets in Southeast Asia,” say researchers.
A shift in attack tactics
The previous version of the TgToxic malware hosted its encrypted configuration on 25 community forums, relying on the forums’ good reputation to get past security controls that block traffic to untrusted or low-reputation domains.
The actors created user accounts on those forums and embedded specific encrypted strings in the user profiles, acting as dead drops from which infected devices retrieved the final command-and-control (C2) URL.
However, the researchers have discovered that a new trojan version is now being circulated, using a domain generation algorithm (DGA) to obtain C2 URLs. “This shift may have been triggered by the reporting and subsequent removal of the dead drop accounts from various forums,” researchers claim.
Periodically generating fresh C2 domain names with a DGA makes the malware more resilient, because defenders must predict, block or sinkhole many candidate domains rather than take down a single hard-coded one. If some domains are taken down, the attackers simply register the next ones in the sequence and the infected devices find them.
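The following is an added example, not code from the original article or from Intel 471’s research, and the generation scheme in it is hypothetical: the article does not publish TgToxic’s real algorithm, seed or domain list. It shows the two sides of the technique described above: the malware walking a deterministic, date-seeded list of candidate domains until one resolves, and a defender who has recovered the seed and algorithm from a sample precomputing the coming week’s candidates to block them and match them against DNS logs. The seed value, TLD list and log format are all constructed for the example.

```python
import hashlib
from datetime import date, timedelta

# Hypothetical DGA for illustration only (not TgToxic's real scheme): each candidate
# is 12 lowercase letters derived from SHA-256 over a seed, the date and a counter,
# with the TLD picked by the counter. SEED stands in for a constant that would be
# baked into a real sample; it is an assumption of this example.
SEED = "demo-seed"
TLDS = ("com", "net", "top")


def dga_domains(day, seed=SEED, count=10, tlds=TLDS):
    """Return `count` deterministic candidate C2 domains for `day`."""
    domains = []
    for i in range(count):
        digest = hashlib.sha256(f"{seed}|{day.isoformat()}|{i}".encode()).digest()
        label = "".join(chr(ord("a") + b % 26) for b in digest[:12])
        domains.append(f"{label}.{tlds[i % len(tlds)]}")
    return domains


def first_live_domain(candidates, resolve):
    """Malware side: use the first candidate that resolves. `resolve(name)` returns
    an IP string or None; a fake in-memory resolver is used in the demo below."""
    for name in candidates:
        if resolve(name):
            return name
    return None


def precompute_blocklist(seed=SEED, start=None, days=7, count=10):
    """Defender side: with the seed and algorithm recovered from a sample, generate
    every candidate for the next `days` days so they can be blocked or sinkholed."""
    start = start or date.today()
    names = set()
    for offset in range(days):
        names.update(dga_domains(start + timedelta(days=offset), seed, count))
    return names


def match_dns_log(lines, blocklist):
    """Return (client_ip, qname) for log lines whose queried name is on the blocklist.
    Constructed log format: '<timestamp> <client_ip> query <qname>'."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) >= 4 and parts[2] == "query":
            qname = parts[3].rstrip(".").lower()
            if qname in blocklist:
                hits.append((parts[1], qname))
    return hits


SAMPLE_DAY = date(2025, 3, 1)
# Constructed DNS log: one query for the day's third candidate, one for a benign host.
SAMPLE_DNS_LOG = [
    f"2025-03-01T09:12:01 10.0.0.5 query {dga_domains(SAMPLE_DAY)[2]}.",
    "2025-03-01T09:12:02 10.0.0.5 query updates.example.com.",
]

if __name__ == "__main__":
    todays = dga_domains(SAMPLE_DAY)
    # Constructed: the first two candidates were sinkholed and no longer resolve;
    # the operators registered the third one, so that is where the bot ends up.
    registered = {todays[2]: "203.0.113.10"}
    print("malware connects to:", first_live_domain(todays, registered.get))
    blocklist = precompute_blocklist(start=SAMPLE_DAY)
    print(f"{len(blocklist)} candidate domains precomputed for the next 7 days")
    print("DNS hits:", match_dns_log(SAMPLE_DNS_LOG, blocklist))
```

The defender’s advantage here is that the algorithm is symmetric: once the seed is extracted from a sample, every future domain is known in advance, which is why real DGAs are sometimes keyed on values the defender cannot predict as easily. The resilience the article describes comes from the attackers needing to register only one name per day while the defender must block all of them.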
How does the Android trojan take over devices?
- A user receives a phishing SMS with a malicious link. Once clicked, it downloads TgToxic malware.
- The malware fingerprints the device’s hardware and system properties to detect whether it is running inside a virtual environment or emulator such as QEMU, a common sign of an analysis sandbox.
- The trojan disguises itself as Google Chrome to evade detection and uses a domain generation algorithm (DGA) to locate its C2 server.
- TgToxic then opens encrypted communication with the C2 over HTTPS on port 443. The C2’s response instructs it to switch to WebSocket communication on a port specified in that response.
- While running in the background, the malware keylogs credentials and other sensitive information.
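The C2 bootstrap sequence in the list above (HTTPS to a freshly generated domain on port 443, followed by a WebSocket to the same host on a port the server chose) is a behaviour a proxy or flow log can expose. The code below is an added example, not from the article or the researchers, that correlates those two events per client and host and adds a simple entropy heuristic for DGA-looking hostnames. The log format, the sample lines, the 120-second window and the entropy thresholds are constructed assumptions for the example and should be tuned against real traffic.

```python
import math
from collections import Counter
from datetime import datetime


def label_entropy(label):
    """Shannon entropy (bits per character) of a DNS label."""
    n = len(label)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(label).values())


def looks_generated(host, min_len=10, min_entropy=3.0):
    """Cheap DGA heuristic: a long, high-entropy leftmost label. The thresholds are
    assumptions for this example, not published indicators."""
    label = host.split(".")[0]
    return len(label) >= min_len and label_entropy(label) >= min_entropy


def parse_flow(line):
    """Constructed flow-log format: '<iso-timestamp> <src_ip> <dst_host> <dst_port> <proto>'."""
    ts, src, host, port, proto = line.split()[:5]
    return datetime.fromisoformat(ts), src, host.lower(), int(port), proto.lower()


def detect_c2_handoff(lines, window_s=120):
    """Flag (src, host) pairs that first talk HTTPS on 443 and, within `window_s`
    seconds, open a websocket to the same host on a different port."""
    first_https = {}
    alerts = []
    for ts, src, host, port, proto in sorted(parse_flow(line) for line in lines):
        key = (src, host)
        if proto == "https" and port == 443:
            first_https.setdefault(key, ts)
        elif proto == "ws" and port != 443 and key in first_https:
            delta = (ts - first_https[key]).total_seconds()
            if 0 <= delta <= window_s:
                alerts.append({
                    "src": src,
                    "host": host,
                    "port": port,
                    "seconds_after_https": delta,
                    "dga_like": looks_generated(host),
                })
    return alerts


# Constructed sample: one infected client performing the handoff, one benign client
# whose websocket comes far too late, and one websocket with no preceding HTTPS.
SAMPLE_FLOWS = [
    "2025-03-01T10:00:00 10.0.0.5 updates.example.com 443 https",
    "2025-03-01T10:00:01 10.0.0.5 qzkvwxmrbtjn.top 443 https",
    "2025-03-01T10:00:03 10.0.0.5 qzkvwxmrbtjn.top 8443 ws",
    "2025-03-01T10:00:10 10.0.0.7 updates.example.com 443 https",
    "2025-03-01T10:30:00 10.0.0.7 updates.example.com 8443 ws",
    "2025-03-01T10:31:00 10.0.0.9 qzkvwxmrbtjn.top 8443 ws",
]

if __name__ == "__main__":
    for alert in detect_c2_handoff(SAMPLE_FLOWS):
        print("possible C2 handoff:", alert)
```

On its own the entropy check produces false positives (CDN hostnames are often random-looking), and on its own a non-standard websocket port is common in legitimate apps; the value is in requiring both the sequence and the odd-looking host before raising an alert.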
Android trojans are extremely dangerous
The risk of being attacked by Android trojans that target users’ financial apps has been on the rise. According to CheckPoint, Android users are most often attacked by the Anubis trojan, which is disseminated by Russia-linked hackers. Distributed through malicious apps on the Google Play Store, it enables extensive surveillance and control over infected systems.
In 2024, cybersecurity experts detected a couple of severe threats. In October 2024, a new version of the Cerberus Android banking trojan was detected; it reportedly evaded detection by antivirus engines at the time of discovery.
In April 2024, cybersecurity experts identified another new malware family, Brokewell, targeting Android users. The malware is extremely hazardous, giving attackers remote access to everything reachable through the victim’s banking apps.
How to protect your Android from trojan malware
- Always install applications from official app stores.
- In your Android settings, keep the "Install unknown apps" permission (called "Allow from Unknown Sources" on older Android versions) turned off for every app, so that browsers and messaging apps cannot sideload APKs.
- Always monitor what permissions you grant to Android apps. It is a red flag if an app requests far more permissions than its function needs, and above all if it asks for the Accessibility services permission, which malware abuses to read what is on screen and act on the user’s behalf.
- If your organization uses Android devices in its network, you should use mobile device management (MDM) software to boost corporate security.
- For an additional level of security on corporate devices, use an allow list of preapproved apps to minimize the risk of a malicious app being installed.
- Mobile devices often sit outside the perimeter controls of the corporate network; mobile threat defense (MTD) software monitors traffic and app behaviour on the device itself.
- Feed the published indicators of compromise (IoCs) for this campaign, such as C2 domains and sample hashes, into your DNS filtering and endpoint detection tooling for timely detection.
- Provide regular cybersecurity training for employees to spot phishing SMS messages with malicious links.
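Two of the checks above, whether an app was sideloaded and whether it holds the Accessibility services permission, can be audited on a managed or suspect device over adb. The script below is an added example and is not tooling from the article or from Intel 471. It parses the output of two real Android shell commands, `pm list packages -3 -i` (third-party packages with their installer) and `settings get secure enabled_accessibility_services`, and flags third-party packages with an enabled accessibility service that did not come from a trusted store. The trusted-installer set, the sample outputs and the package names are constructed assumptions; add your own enterprise store or MDM installer to the set.

```python
import re
import shutil
import subprocess

# Assumption: Google Play is the only trusted installer. Add your MDM or
# enterprise store package here if apps are pushed through one.
TRUSTED_INSTALLERS = {"com.android.vending"}

PM_LINE = re.compile(r"^package:(\S+)\s+installer=(\S+)$")


def parse_installers(pm_output):
    """Parse `pm list packages -3 -i` output, one line per package of the form
    'package:<name>  installer=<pkg|null>', into {package: installer_or_None}."""
    installers = {}
    for line in pm_output.splitlines():
        m = PM_LINE.match(line.strip())
        if m:
            installers[m.group(1)] = None if m.group(2) == "null" else m.group(2)
    return installers


def parse_accessibility(setting_value):
    """Parse `settings get secure enabled_accessibility_services`, a colon-separated
    list of 'package/ServiceClass' entries ('null' when none), into package names."""
    value = (setting_value or "").strip()
    if value in ("", "null"):
        return set()
    return {entry.split("/")[0] for entry in value.split(":") if entry}


def flag_packages(installers, a11y_packages, trusted=TRUSTED_INSTALLERS):
    """Third-party packages holding an enabled accessibility service that were not
    installed by a trusted store: sideloaded (installer null) or pushed by an
    unknown installer. Preinstalled system services are not in the -3 list."""
    return sorted(pkg for pkg in a11y_packages
                  if pkg in installers and installers[pkg] not in trusted)


def adb_shell(command):
    """Run one command on the attached device and return its stdout."""
    return subprocess.run(["adb", "shell", command], capture_output=True,
                          text=True, check=True).stdout


# Constructed sample output: a bank app and a screen reader from Google Play,
# a sideloaded package posing as a Chrome update, and a sideloaded notes app.
SAMPLE_PM = """package:com.bank.mobile  installer=com.android.vending
package:org.example.reader  installer=com.android.vending
package:com.chrome.update  installer=null
package:org.example.notes  installer=null
"""
SAMPLE_A11Y = ("com.chrome.update/com.chrome.update.AccessService:"
               "org.example.reader/.ReaderService")

if __name__ == "__main__":
    if shutil.which("adb"):
        pm_out = adb_shell("pm list packages -3 -i")
        a11y_out = adb_shell("settings get secure enabled_accessibility_services")
    else:
        pm_out, a11y_out = SAMPLE_PM, SAMPLE_A11Y
    suspects = flag_packages(parse_installers(pm_out), parse_accessibility(a11y_out))
    for pkg in suspects:
        print("review:", pkg, "(sideloaded, accessibility service enabled)")
    if not suspects:
        print("no sideloaded packages with accessibility services enabled")
```

A hit is a triage lead rather than proof of infection: pull the APK with `adb pull` on the path from `pm path <package>` and check its hash against the published IoCs before deciding.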