Banking Trojan TgToxic Targets Android Users in Southeast Asia

Trend Micro revealed an ongoing malware campaign active since July 2022. The campaign targets cryptocurrency wallets, makes fraudulent money transfers, and steals credentials from banking and financial apps used by Android users in Taiwan, Thailand, and Indonesia.

Campaign timeline

According to researchers, threat actors distribute malware named TgToxic disguised as fake apps and advertise those apps through phishing and smishing links.
  • During the campaign’s initial days, the threat actors made fraudulent posts on Facebook, with an embedded phishing link to target Taiwanese users via social engineering.
  • In late August and October 2022, they used sextortion and cryptocurrency phishing websites to target potential victims in Taiwan and Indonesia.
  • From November 2022 to January 2023, they used smishing links to target Thai users and cryptocurrency phishing websites to target Indonesian users.
These phishing, sextortion, and cryptocurrency scams had already drawn attention in the local media and were reported on Facebook in popular communities.

Automated tasks with Easyclick

Threat actors abuse a legitimate test-automation framework called Easyclick to write their own automation scripts in JavaScript.
  • Criminals write scripts that hijack an Android device’s UI to automate actions such as clicks and gestures.
  • TgToxic scans for cryptocurrency wallets and bank apps and steals the credentials entered by users.
  • Cybercriminals then use these acquired credentials to make small transactions using the official app without needing the user’s approval or acknowledgment.
  • Moreover, the malware is capable of stealing users’ personal information via SMS and installing apps.

Ending notes

The TgToxic malware is not very sophisticated; however, it is evolving rapidly, and the threat actors keep adding new functions. Combining it with an automation framework like Easyclick makes it even more challenging for defenders. It has the potential to scale up its activities quickly and develop into sophisticated malware targeting multiple geographical regions.

(c) Cyware Alerts – Hacker News