Malware
TgToxic Malware’s Automated Framework Targets Southeast Asia Android Users
We look into an ongoing malware campaign we named TgToxic, targeting Android mobile users in Taiwan, Thailand, and Indonesia since July 2022. The malware steals users’ credentials and assets such as cryptocurrency from digital wallets, as well as money from bank and finance apps. Analysing the automated features of the malware, we found that the threat actor abused legitimate test framework Easyclick to write a Javascript-based automation script for functions such as clicks and gestures.
We analysed an ongoing campaign that has been targeting Android users in Southeast Asia since July 2022. Its goal is to steal victims’ assets from finance and banking applications (such as cryptocurrency wallets, credentials for official bank apps on mobile, and money in deposit), via a banking trojan we named TgToxic (detected by Trend Micro as AndroidOS_TgToxic based on its special encrypted filename) embedded in multiple fake apps. While previously targeting users in Taiwan, we observed the fraudulent activities and phishing lures targeting users from Thailand and Indonesia as of this writing. Users are advised to be wary of opening embedded links from unknown email and message senders, and to avoid downloading apps from third party platforms.
Tracking: Timeline via Network Infrastructure
We have been monitoring this campaign since the second half of 2022 due to its moving deployment and targeting. Here’s a brief summary of the campaign’s timeline, and the subsequent sections go over some of the details involved:
- July 2022: Fraudulent posts appeared on Facebook with an embedded phishing link targeting Taiwanese users on the social media platform via social engineering
- Late August-October 2022: Sextortion scams also target Taiwanese and Indonesian users, enticing them to register in order for the malicious actors to steal their credentials
- November 2022-January 2023: Smishing links target Thai users. Some phishing websites used during this period also show the threat actors further expanding their activities to Indonesia with a cryptocurrency scam.
Early Activities: Fraud Via Facebook
In July 2022, we found two potentially hacked Facebook accounts advertising scam messages on some Taiwanese community groups claiming users could get an allowance for hurricane, flood, and COVID victims’ assistance. The posts cited that users could register in download.tw1988[.]link to apply, which is in fact a phishing site. Unwitting users could have been victimised as the link masqueraded as the official government website https://1988.taiwan.gov.tw/ used to provide allowances for people in difficult situations.
Supplementary Scams: Sextortion and Cryptocurrency
Tracking the network infrastructure used by TgToxic, we subsequently found the threat actors also behind sextortion and cryptocurrency scams in Taiwan and Indonesia. The malicious apps could also be downloaded from the same website down[.]tw1988[.]link and masqueraded as dating, messaging, lifestyle, or cryptocurrency-related apps to trick users into installing and enabling the permissions for it.
Recent Activities: Phishing in Thailand
As we continued monitoring TgToxic malware and its network infrastructure, we found that in some weeks toward the end of 2022 to early January 2023, the cybercriminals behind the campaign began targeting Thai users with similar sextortion and phishing lures observed targeting Taiwanese users, and the group started to add malicious code to steal credentials from bank applications. We also found both schemes already raising attention in the local media and were reported on Facebook amongst popular communities.
The phishing, sextortion, and cryptocurrency scams connect to the latest deployment samples of TgToxic malware as they all download from the same website, down[.]tw1988[.]link. Observing the communications to and from the command and control (C&C) servers, the C&C for these apps and malware changed from api[.]tw1988[.]link to test[.]ja7[.]site, and later to us[.]ja7[.]site corresponding the change of targeting from Taiwan to Thailand.
Technical Analysis of TgToxic
We analysed that the malware TgToxic was developed based on a legitimate automation test framework called Easyclick, which supports writing automation script via JavaScript. This script can be used to hijack an Android device’s user interface (UI) automatically to automate functions such as monitoring of user input and performing clicks and gestures.
With the said framework, TgToxic can develop its own automation script to hijack cryptocurrency wallets and bank apps by stealing the user’s credentials as the victim places their username and password. Once the credentials are acquired, the cybercriminals can make small transactions using the official app without needing the user’s approval or acknowledgement. Like other banking malware, TgToxic can also steal users' personal information via SMS and installed apps, which can be used to select targeted victims by further scanning if the device stores apps the threat actors are interested in abusing.
Currently, TgToxic is still rapidly evolving and continues to add new functions, copying more apps to steal credentials and adapt to different app UIs, and collecting more information from victims. For this analysis, we took the latest sample that targeted mobile users in Thailand to analyse.
Code obfuscation and payload encryption
TgToxic malware uses two methods to evade detection and analysis, and we divide this into two parts:
- Code Obfuscation: TgToxic obfuscates the classes’ names, method name, and fields name, which make it harder for some analysts to reverse engineer.
- Payload Encryption: TgToxic puts the Easyclick script in an asset file named “tg.iapk”, which is an encrypted Zip file, and will dynamically read content from it when the app launches. The malware implements a fileless way to decrypt and load the payload, and adds an additional logic after unzipping.
Decrypt payload and abuse Accessibility service to hijack a device UI
As noted by the researchers of McAiden, tg.iapk is an encrypted.zip file. Through static analysis, we found that the decompression password is specially encoded and stored in the.zip comment section, which is usually used to record the.zip description. The content of this section will not affect the compressed content. To acquire the password for the.zip file, the contents of the comment section are decoded as specified in the code.
After decompression, we found that all files were binary files, and the first four bytes of all the files are “0x00092383”, which are specially encrypted files. Through reverse analysis, we located the decryption function. To hide the decryption details, key classes and key methods are invoked using reflection, and related symbol names are encrypted.
By analysing the decryption function, we get the format of the encrypted file. Encrypted files encoded the password and saved it at the beginning of the file (following the magic number) while saving the encrypted data at the end of the file. The password is decoded in the same way as the zip password is decoded.
Precompiled script running in runtime engine
The automation script is precompiled to Java and using the runtime of Rhino, an open source engine to run JavaScript in Java. Each switch branch in a call function is a JavaScript function, and we explain how the code runs with a simple function from the malware.
This function is used to collect the device information and send to the C&C server. It first iterates over a predefined variable “walletListAry”, which contains a list of package names of a cryptocurrency wallet that the threat actor is interested in. Then the malware calls “isAppExist” to check whether the app is in the system. If confirmed, the package name will be pushed into an array.
The malware then cheques the email applications in the same way and creates a.json object that includes the information it collects. The “apps” field contains package names of installed cryptocurrency wallets, and the “mails” field contains package names of installed email apps. Finally, it calls “JSON.stringify” to serialise the.json object into a string and calls “emitEnc” to send the information to the C&C server over WebSocket.
C&C communication and data exfiltration
The malware uses WebSocket as a C&C channel where the script executes. It will call “StartWs” to connect to the WebSocket server, then set “new_msg” event listener to receive and parse C&C commands. The full C&C command list used is listed as follows:
| Command | Command description/function |
|---|---|
| startCam | Opens camera |
| setCam | Takes a photo |
| stopCam | Closes camera |
| readContactList | Reads all contact |
| readAlbumList | Reads all album file names |
| readAlbumThumbnail | Reads all album thumbnails |
| readSmsList | Reads all SMS |
| showShortcuts | Adds icon on home screen |
| callAcc | Cheques if Android Accessibility service is enabled |
| callAppSetting | Opens app settings |
| openIntent | Opens floating tool bar |
| backstage | Cheques backstage service |
| requestfloaty | Applies for floating window permission |
| permission | Requests all permissions |
| permissionB | Auto approves permissions |
| reqAutoBoot | Auto restarts the device |
| reqFloaty | Auto approves float window permission |
| reqScreenPermission | Requests screen capture permission |
| reqPerList | N/A |
| updateApk | Instals apk |
| installApk | Downloads and instals apk |
| update | Updates Easyclick scripts |
| power | N/A |
| capture | Captures screenshot |
| screen_relay | Sets properties of screenshot |
| capturePic | Enables capture screenshot |
| home | Clicks home button via accessibility service |
| back | Clicks back button via accessibility service |
| recent | Clicks recent button via accessibility service |
| restartSc | Restarts easyclick script service |
| restartMe | Restarts app itself |
| awake | Keeps device awake |
| cancelAwake | Stops device from waking |
| wakeup | Keeps screen on |
| cancelWakeup | Keeps screen dim |
| setWakeup | Sets timer task to wakeup |
| swipePwdScreenOn | Forces use of pwd mode |
| swipePwdScreenOff | Disables forced use of pwd mode |
| catAllViewSwitch | N/A |
| reOpenMe | Reopens app itself |
| setDebugOn | Enables debug mode |
| setDebugOff | Disables debug mode |
| antiDeleteOn | Enables anti-delete |
| antiDeleteOff | Disables anti-delete |
| lockScreen | Locks screen |
| closeEnv | Sets accessibility status flag to false |
| blackB | N/A |
| black | Sets black overlay view |
| light | Removes black overlay view |
| inputSend | Captures input text |
| touchDown | Swipes down |
| touchMove | Swipes move |
| touchUp | Swipes up |
| rightClick | Clicks back button |
| clickInput | Clicks input box |
| gestureUnlock | Performs swipe up to unlock |
| gestureB | Performs a set of gestures |
| clickPoint | Performs click point |
| clickB | Performs click in a bound |
| clear | Excludes the pkg from recently used apps’ history |
| wallpaper | N/A |
| googleAuth | Steals Google auth 2FA code via Accessibility service and upload |
| emailList | Uploads installed email application list |
| Steals emails’ full messages and upload | |
| walletList | Uploads installed wallet applications’ list |
| fetchIcon | Fetches wallet apps icon |
| walletSend | Auto transfers balance via Accessibility service |
Another detail worth noting is that TgToxic will connect to different C&C servers depending on the infected device’s locale. While we continue tracking and have yet to find TgToxic activity in other regions or countries outside of the three we have identified so far, we believe that the malicious actors behind this deployment is trying to expand its activities to other countries based on the availability of these different servers.
The data is exfiltrated through the C&C channel. Taking SMS exfiltration as an example, the malware first calls “getSmsInPhone” to extract all SMS from the message inbox, then uploads the stolen data to the server via the WebSocket C&C channel.
Automatic permission grants and uninstallation prevention
TgToxic can hijack the system app to automatically grant itself permissions, as well as prevent uninstallation when the victim tries to uninstall the malware. Below is a list of system apps that the malware tries to hijack and its corresponding purposes:
| System app | Process | TgToxic hijacked function |
| Android System App | com.google.android.apps.authenticator |
Steal two-factor authentication (2FA) code |
| com.android.settings | Automatic permission grants and uninstallation prevention | |
| com.android.systemui | Steal lock screen pin code | |
| Security App | com.colour.safecenter |
Disable security apps to evade detection |
Control financial apps for automatic transfers
TgToxic implements automatic transfer service (ATS) to transfer money to the threat actors without the users knowing. The malware starts with secretly stealing passwords and unlocking gestures. When it detects the user having a wallet app, the malware will check for the specific activity and record via key logging if the user will input the password. It can also take screenshots if the user does a gesture to unlock the device.
Once it receives a “walletSend” command from the C&C server, the malware will put a full black screen overlay to prevent the victim from becoming aware of the malicious activities and transfers. It then opens the wallet application and collects the details such as chain type and balance. TgToxic will then simulate user clicks for transfers to specific recipients across all chain types through the Accessibility service:
- Check if chain type is “usdt” and enter wallet details
- Click the transfer button
- Input receiver address
- Input transfer money
- Enter transfer detail page
- Input password
- Click the “Confirm” button
Targeted applications
Here is a list of apps that the malware extracted victims’ information from, as studied from the latest samples targeting Thailand:
| Type | Package names | Function |
|---|---|---|
| Bank applications | Steal users’ credentials from Thai banking apps | |
| Cryptocurrency wallet applications | com.binance.dev |
Steal credentials and automate transfer of money |
| Email applications | com.acompli.acompli |
Steal email accounts and message content |
Conclusion
Despite having different deployment periods, we found the social media phishing campaigns and network infrastructure targeting Taiwan, Indonesia, and Thailand similar. When the victim downloads the fake app from the website given by the threat actor, or if victim tries to send a direct message to the threat actor through messaging apps such as WhatsApp or Viber, the cybercriminal deceives the user into registering, installing the malware, and enabling the permissions it needs. Once granted, the phone is automatically controlled by the malicious actors, and the legitimate apps and their respective assets in the device become at risk.
Looking at the analysis, the malware in itself is not sophisticated but interesting. The abuse of legitimate automation frameworks like Easyclick and Autojs can make it easier to develop sophisticated malware, especially for Android banking trojans that can abuse Accessibility services. The complexity of the frameworks also makes it difficult to reverse engineer for analysis. It is highly likely that due to the framework’s convenience and anti-reverse engineering features, more threat actors can take advantage and use this method in the future.
Looking at the malicious actors, we determined that the group or individual responsible for this campaign is new at this, but relatively informed with the ongoings in the region and targets as there are components reflecting the familiar use of traditional and simplified Chinese. One interesting detail we observed is that there are a lot of scams abusing the themes of allowance assistance distribution in Taiwan in August 2022. While the official agency had and continuously warned the public about these scams, mainstream news coverage was not as widely distributed and did not offer details that we could use for our investigation.
While we also have an insight on deployments and attempts to victimise, there is little information on the actual number of victims on the ground. The growing threat intelligence and capability of devices at detecting these kinds of threats have improved, coupled with users’ grown awareness of the fact that they can avoid threats like these (i.e., by not downloading from unofficial platforms), and make it easier to prevent these types of malware infections. As additional precautions to avoid becoming a victim of these kinds of threats, here are some signs of infections to watch for and best practises:
- Avoid installing apps from unknown sources and platforms. Do not click on apps, installers, websites directly embedded in SMS or emails, especially from unknown senders.
- Do not enable sensitive permissions such as Accessibility services from and for enabling and/or download of unknown apps.
- For signs of malware infection, battery drain of devices despite the user’s non-usage is a red flag of potential malware infection.
Trend Micro solutions
Trend Micro Mobile Security Solutions can scan mobile devices in real time and on demand to detect malicious apps, sites, or malware to block or delete them. These solutions are available on Android and iOS, and can protect users’ devices and help them minimise the threats brought by fraudulent applications and websites such as TgToxic.
Indicators of compromise (IOCs)
For a full list of the IOCs, find the list here.