Banking Trojan TgToxic Targets Android Users in Southeast Asia

Trend Micro revealed an ongoing malware campaign that has been active since July 2022. The campaign targets cryptocurrency wallets, performs fraudulent money transfers, and steals credentials from the banking and financial apps of Android users in Taiwan, Thailand, and Indonesia.

Campaign timeline

According to researchers, the threat actors distribute malware named TgToxic wrapped as fake apps and advertise these apps through phishing/smishing links.
  • During the campaign’s initial days, the threat actors made fraudulent posts on Facebook, with an embedded phishing link to target Taiwanese users via social engineering.
  • In late August and October 2022, they used sextortion and cryptocurrency phishing websites to target potential victims in Taiwan and Indonesia.
  • From November 2022 to January 2023, they used smishing links to target Thai users and crypto phishing websites to target Indonesian users.

These phishing, sextortion, and cryptocurrency scams had already raised attention in the local media and were reported on Facebook among popular communities.

Automated tasks with Easyclick

Threat actors abuse a legitimate test automation framework called Easyclick to write their own automation scripts in JavaScript.
  • Criminals write scripts to hijack an Android device’s UI automatically to automate functions such as clicks and gestures.
  • TgToxic scans for cryptocurrency wallets and bank apps and steals the credentials entered by users.
  • Cybercriminals then use these acquired credentials to make small transactions using the official app without needing the user’s approval or acknowledgment.
  • Moreover, the malware is capable of stealing users' personal information via SMS and installing apps.

Ending notes

The TgToxic malware is not very sophisticated; however, it is evolving rapidly, and the threat actors keep adding new functions. Combining it with an automation framework like Easyclick makes it even more challenging for cybersecurity experts to counter. It has the potential to scale up its activities rapidly and develop into sophisticated malware targeting multiple geographical regions.
Cyware Publisher