Cyber Crime

ToxicPanda Banking Malware Attacking Banking Users To Steal Logins

Recent research has uncovered a new strain of malware developed for Android devices, initially misidentified as TgToxic. 

Despite sharing some bot command similarities, this malware, now dubbed ToxicPanda, exhibits significant code divergence from its original source.

It lacks key TgToxic capabilities and possesses placeholder commands without functional implementation. 

The malware leverages Remote Access capabilities to enable Account Takeover (ATO) via On Device Fraud (ODF), allowing threat actors to bypass detection and target a wide range of banking customers, even with less sophisticated techniques.

ToxicPanda botnet, likely operated by Chinese-speaking threat actors, infected over 1,500 Android devices, primarily in Italy, Portugal, Spain, France, and Peru, indicating a potential shift in their targeting strategy.

Build an in-house SOC or outsource SOC-as-a-Service -> Calculate Costs

The banking trojan sample shows reduced technical capabilities compared to its ancestor, TGToxic, likely due to the developers’ inexperience with new targets and stricter regulations, leading to simplified obfuscation and the removal of advanced features like ATS.

Identified ToxicPanda’s icons

A sophisticated Android banking trojan leverages accessibility services to gain elevated privileges, remotely control infected devices, intercept OTPs, and employ obfuscation techniques to evade detection.

This enables attackers to execute on-device fraud and steal sensitive financial information.

The APK contains configuration files targeting specific Android systems and vendors. It aims to block user interactions with system settings and security permissions by identifying and interfering with system-level applications and utilities.

The “langs.json” file is parsed during execution to match target devices based on a Chinese string and application package, potentially revealing target countries through language associations (e.g., Spanish and LATAM). 

Blocking interaction with unwanted applications

The malware accesses phone albums, converts images to BASE64, and sends them to a C2 server, stealing sensitive information like login credentials and virtual card details.

Its configuration file reveals the use of a Chinese public DNS service (114DNS) for communication, which suggests potential ties to Chinese threat actors and indicates that this region might be a testing ground for the malware’s operations. 

Network configuration settings (config.toml)

ToxicPanda and TgToxic share 61 unique commands, suggesting a potential link between their developers. While ToxicPanda introduces new commands and lacks implementation for some TgToxic commands, particularly those related to UI automation, the overlap in command names is highly suspicious.

According to Cleafy, ToxicPanda malware uses three fixed domains (dksu[.]top, mixcom[.]one, freebasic[.]cn) to connect with its C2 server, lacking the sophistication of dynamic C2 endpoint determination techniques like DGAs or configuration updates.

It initially connects to a hardcoded C2 domain, where the C2 server can remotely change this domain via a command.

After the initial HTTPS connection, a JSON response establishes a WebSocket connection for further communication. 

Bot’s registration on the C2 server

While the ToxicPanda C2 panel investigation provided crucial insights into TA operations, including techniques, compromised devices, and actions on infected devices. 

The ToxicPanda C2 panel’s “Machine Management” interface provides detailed information about each compromised Android device, enabling fraud operators to efficiently manage the botnet and target specific devices for fraudulent activities.

It is controlled through a web-based interface and enables remote device control, script updates, and ODF attacks by predominantly targeting Italian devices.

It has a significant presence in Portugal, Hong Kong, Spain, and Peru, suggesting a widening geographic scope.

Run private, Real-time Malware Analysis in both Windows & Linux VMs. Get a 14-day free trial with ANY.RUN!

Aman Mishra

Recent Posts

10 Best DNS Management Tools – 2025

Best DNS Management Tools play a crucial role in efficiently managing domain names and their…

24 mins ago

Sweet Security Announces Availability of its Cloud Native Detection & Response Platform on the AWS Marketplace

Customers can now easily integrate Sweet’s runtime detection and response platform into their AWS environments…

13 hours ago

Researchers Detailed Credential Abuse Cycle

Cybercriminals exploit leaked credentials, obtained through various means, to compromise systems and data, enabling them…

17 hours ago

New Android Malware SpyAgent Taking Screenshots Of User’s Devices

SpyAgent, a newly discovered Android malware, leverages OCR technology to extract cryptocurrency recovery phrases from…

17 hours ago

Tor Network Suffers IP Spoofing Attack Via Non-Exit Relays

In late October 2024, a coordinated IP spoofing attack targeted the Tor network, prompting abuse…

18 hours ago

Metasploit Framework Released with New Features

The Metasploit Framework, a widely used open-source penetration testing tool maintained by Rapid7, has introduced…

20 hours ago