Banking Trojan TgToxic Targets Android Users in Southeast Asia

Trend Micro has disclosed an ongoing malware campaign, active since July 2022, that targets Android users in Taiwan, Thailand, and Indonesia. The campaign steals from cryptocurrency wallets, carries out fraudulent money transfers, and harvests credentials for banking and financial apps.

Campaign timeline

According to the researchers, the threat actors distribute malware named TgToxic disguised as fake apps and advertise those apps through phishing and smishing links.
  • During the campaign’s initial days, the threat actors made fraudulent posts on Facebook, with an embedded phishing link to target Taiwanese users via social engineering.
  • In late August and October 2022, they used sextortion and cryptocurrency phishing websites to target potential victims in Taiwan and Indonesia.
  • From November 2022 to January 2023, they used smishing links to target Thai users and crypto phishing websites to target Indonesian users.
These phishing, sextortion, and cryptocurrency scams had already raised attention in the local media and were reported on Facebook among popular communities.

Automated tasks with Easyclick

The threat actors abuse Easyclick, a legitimate test-automation framework, to write their own automation scripts in JavaScript.
  • The scripts hijack the Android device's UI to automate actions such as clicks and gestures.
  • TgToxic scans the device for cryptocurrency wallets and banking apps and steals the credentials users enter into them.
  • The criminals then use the stolen credentials to make small transactions through the official app, without the user's approval or knowledge.
  • The malware can also steal personal information via SMS and install additional apps.
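A defender-side triage check for the capability set described above, added here as an example (it is not code from Trend Micro, Cyware or the malware). It parses a decoded AndroidManifest.xml and flags an app that declares, together, accessibility-driven UI automation, SMS access and package installation. The permission mapping assumes UI automation is driven through Android's accessibility service, which the article does not state explicitly, and the manifest is constructed for the demo.

```python
# Manifest-capability triage (added example). Assumption: the UI-automation,
# SMS and app-install behaviours map to the Android permissions listed below.
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
ATTR_NAME = f"{{{ANDROID_NS}}}name"
ATTR_PERM = f"{{{ANDROID_NS}}}permission"

# Behaviour -> declarations that implement it (assumed mapping).
CAPABILITIES = {
    "ui_automation": {"android.permission.BIND_ACCESSIBILITY_SERVICE"},
    "sms_theft": {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS"},
    "app_install": {"android.permission.REQUEST_INSTALL_PACKAGES"},
    "overlay": {"android.permission.SYSTEM_ALERT_WINDOW"},
}

def declared_permissions(manifest_xml: str) -> set:
    """Collect <uses-permission> names plus the permission guarding any <service>;
    an accessibility service must be declared with BIND_ACCESSIBILITY_SERVICE."""
    root = ET.fromstring(manifest_xml)
    perms = {el.get(ATTR_NAME) for el in root.iter("uses-permission")}
    perms |= {el.get(ATTR_PERM) for el in root.iter("service") if el.get(ATTR_PERM)}
    return {p for p in perms if p}

def triage(manifest_xml: str) -> dict:
    """Return the matched capabilities and whether the full combination is present."""
    perms = declared_permissions(manifest_xml)
    hits = {cap: sorted(perms & need) for cap, need in CAPABILITIES.items() if perms & need}
    # Accessibility + SMS + install together is the combination the article
    # describes; any one of them alone is common in benign apps.
    suspicious = {"ui_automation", "sms_theft", "app_install"} <= set(hits)
    return {"capabilities": hits, "suspicious": suspicious}

# Constructed sample manifest for the demo (package name is a placeholder).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.fakewallet">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <application>
    <service android:name=".AutoService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
  </application>
</manifest>"""

if __name__ == "__main__":
    print(triage(SAMPLE_MANIFEST))
```

Run it against a manifest decoded with apktool or a similar tool; a `suspicious` result is a reason to inspect the app's scripts and network behaviour, not proof of malice.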

Ending notes

The TgToxic malware is not very sophisticated, but it is evolving rapidly and the threat actors keep adding new functions. Combining it with an automation framework like Easyclick makes it even harder for defenders to counter. It has the potential to scale up its activity quickly and grow into a sophisticated malware family targeting multiple geographical regions.


(c) Cyware Alerts – Hacker News
