The ToxicPanda Android malware has infected over 1,500 devices, enabling attackers to perform fraudulent banking transactions.
Cleafy researchers spotted a new Android banking malware, dubbed ToxicPanda, which already infected over 1,500 Android devices.
The ToxicPanda malware shares some bot command similarities with the TgToxic trojan family, which was observed spreading in Southeast Asia. However, the malicious code diverges considerably from TgToxic’s original source code.
The Android malware is designed to initiate account takeovers and carry out fraudulent money transfers from infected devices. Using On-Device Fraud (ODF) techniques, it bypasses bank security measures, including identity verification and behavioral detection. Though still in early development, with incomplete code elements, ToxicPanda has infected thousands of devices across Italy, Portugal, Spain, and Latin America, targeting 16 banks.
The experts speculate that the threat actors behind this malware campaign are likely Chinese-speaking individuals, similar to those behind the TgToxic attacks. The researchers pointed out that it is unusual for Chinese threat actors to conduct “banking fraud” campaigns aimed at users in Europe and LATAM, and warn that this circumstance indicates a potential shift or expansion in their operational focus.
“ToxicPanda’s main goal is to initiate money transfers from compromised devices via account takeover (ATO) using a well-known technique called On-Device fraud (ODF). It aims to bypass bank countermeasures used to enforce users’ identity verification and authentication, combined with behavioral detection techniques applied by banks to identify suspicious money transfers.” reads the report published by Cleafy.
“According to its source code, ToxicPanda is in an early stage of development, with some commands appearing as placeholders without a real implementati”
ToxicPanda, similar to other banking trojans like Medusa, BingoMod, and Copybara, uses a manual approach that allows attackers to target any bank customer, requires less technical skill, and helps them bypass banks’ behavioral detection defenses.
“From a technical standpoint, this sample exhibits reduced capabilities, especially compared to modern banking trojans. However, the notable differences between this sample and its “ancestor”, TGToxic, are intriguing. Most commands are either not implemented or exhibit poor refactoring, suggesting that TGToxic served as a foundational template for this malware. The removal of the Automatic Transfer System (ATS) routine and reduced obfuscation routines indicates a downgrade in technical sophistication.” continues the report. “These changes may reflect the developers’ inexperience with foreign targets and the challenges of stricter regulations in certain countries, such as PSD2 (Payment Services Directive).”
ToxicPanda malware uses Android’s accessibility services to gain elevated permissions, enabling remote control for fraudulent transactions and account modifications. The Android malware can intercept one-time passwords (OTPs) to bypass two-factor authentication (2FA) and employs advanced obfuscation techniques to evade detection, making it highly effective for banking fraud through On-Device Fraud (ODF).
ToxicPanda can also access phone albums, convert images to BASE64, and transmit them back to the C2 server. This technique has already been observed in other malware, like TrickMo, and allows gathering potentially sensitive information (e.g., screenshots containing login credentials or virtual cards) from the infected devices.
“ToxicPanda significantly overlaps the command names utilised in the TgToxic malware family. Our analysis identified 61 commands common to both, with highly distinctive names that suggest their presence in both malware is unlikely to be coincidental. This overlap indicates that the same TA (or closed affiliates) could be behind both malware.” continues the report. “Conversely, ToxicPanda introduces 33 new commands, some lacking implementation.”
ToxicPanda uses three hard-coded domains—dksu[.]top, mixcom[.]one, and freebasic[.]cn—to connect with its Command and Control server. Unlike advanced malware, it lacks dynamic techniques like Domain Generation Algorithms (DGA), relying instead on static domains embedded in its code.
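Because the C2 domains are static rather than generated, a plain DNS-log match is enough to surface infected devices. The following is an added example written for this article, not code from the Cleafy report; the log format and sample lines are constructed, and only the three domains named above are taken from the report.

```python
"""Added example (not from the Cleafy report or this article): flag DNS log lines
that resolve the static ToxicPanda C2 domains named above. The log format and the
sample lines are constructed for illustration."""
import re
from typing import Iterable

# The three hard-coded C2 domains from the report, as published (defanged).
TOXICPANDA_C2_DOMAINS_DEFANGED = ["dksu[.]top", "mixcom[.]one", "freebasic[.]cn"]

def refang(domain: str) -> str:
    """Turn a defanged indicator like 'dksu[.]top' back into 'dksu.top'."""
    return domain.replace("[.]", ".").replace("(.)", ".").lower().rstrip(".")

C2_DOMAINS = {refang(d) for d in TOXICPANDA_C2_DOMAINS_DEFANGED}

def matches_c2(qname: str) -> bool:
    """True if qname is a C2 domain or a subdomain of one (e.g. api.dksu.top)."""
    q = qname.lower().rstrip(".")
    return any(q == d or q.endswith("." + d) for d in C2_DOMAINS)

# Constructed (hypothetical) log format: "<timestamp> <client_ip> <query_name> <rcode>"
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) (?P<qname>\S+) (?P<rcode>\S+)$")

def find_c2_lookups(lines: Iterable[str]) -> list[tuple[str, str]]:
    """Return (client_ip, query_name) pairs for lookups of ToxicPanda C2 domains."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines instead of aborting the whole scan
        if matches_c2(m["qname"]):
            hits.append((m["client"], m["qname"]))
    return hits

# Constructed sample log: one look-alike (notdksu.top) and one malformed line included.
SAMPLE_DNS_LOG = """\
2024-11-05T09:12:01Z 10.0.0.12 www.example.com NOERROR
2024-11-05T09:12:07Z 10.0.0.44 api.dksu.top NOERROR
2024-11-05T09:12:09Z 10.0.0.44 notdksu.top NOERROR
2024-11-05T09:13:30Z 10.0.0.51 MIXCOM.ONE. NXDOMAIN
garbage line
""".splitlines()

if __name__ == "__main__":
    for client, qname in find_c2_lookups(SAMPLE_DNS_LOG):
        print(f"ALERT: {client} looked up ToxicPanda C2 domain {qname}")
```

Matching on the registered domain plus any subdomain, with case and trailing-dot normalisation, avoids both the look-alike false positive and misses caused by log formatting.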
The experts were able to access the C2 dashboard and telemetry data, revealing the full extent of this campaign. Italy is the main target of ToxicPanda, with 56.8% of infections, indicating a strategic focus. Portugal follows with 18.7%, and Hong Kong at 4.6% suggests emerging Asian targets. Spain and Peru, at 3.9% and 3.4%, indicate a potential expansion into Latin America.
“An important question arising from this analysis is not just how to defend against threats like ToxicPanda but why contemporary antivirus solutions have struggled to detect a threat that is, in technical terms, relatively straightforward. Although there is no single answer, the lack of proactive, real-time detection systems is a primary issue.” concludes the report.
Pierluigi Paganini
(SecurityAffairs – hacking, ToxicPanda)