
ToxicPanda: A New Banking Trojan from Asia Hits Europe and LATAM


In a recent discovery, cybersecurity researchers have identified a new Android banking trojan called “ToxicPanda,” originating in Asia and now spreading across Europe and Latin America. Initially related to a trojan family known as TgToxic, ToxicPanda has emerged as a distinct threat with unique attack patterns. Its primary objective is to conduct account takeover (ATO) attacks, exploiting device accessibility features to manipulate banking transactions directly on compromised devices. The trojan’s entry into new regions signifies an evolving threat landscape and points to a strategic shift by threat actors towards Western financial targets.

The Emergence of ToxicPanda

First detected in mid-2024, ToxicPanda was initially mistaken for TgToxic due to code similarities. However, closer inspection by Cleafy’s Threat Intelligence team revealed significant deviations, particularly in the trojan’s command infrastructure and functionalities. The malware uses the well-known “On-Device Fraud” (ODF) method, allowing threat actors to bypass standard authentication and verification protocols by directly executing transactions on infected devices. ToxicPanda is still in early development stages, with portions of the code remaining unimplemented, suggesting that it is likely to evolve further in sophistication.

Spread and Targeting

This malware has already infected over 1,500 Android devices, with hotspots in Italy, Portugal, Spain, France, and Peru. ToxicPanda targets retail banking customers in these regions, likely exploiting side-loading and social engineering to infect devices. The attack’s expansion into Europe and Latin America indicates that the threat actors behind it are widening their scope, diverging from traditional targeting practices.

Key Features of ToxicPanda

  1. Accessibility Service Abuse: ToxicPanda exploits Android’s accessibility features to obtain elevated permissions, allowing it to control inputs and capture data from other apps—particularly banking applications.
  2. Remote Control Capabilities: The malware enables remote access to infected devices, allowing attackers to alter settings, initiate unauthorized transactions, and carry out account takeover operations without user knowledge.
  3. OTP Interception: ToxicPanda intercepts one-time passwords (OTPs) sent via SMS or authenticator apps, effectively bypassing two-factor authentication (2FA) and permitting fraudulent transactions.
  4. Obfuscation Techniques: The trojan employs advanced obfuscation techniques to evade detection, making it harder for security teams to analyze and neutralize the threat.
  5. Botnet Capabilities: ToxicPanda operates as part of a larger botnet, enabling the attacker to remotely manage and control a network of infected devices across multiple countries.
  6. Usage of Social Engineering Icons: The malware uses icons of well-known brands like Google Chrome and Visa, as well as decoy icons resembling popular apps, to deceive users and expand its reach.

Unique Operational Approach

Unlike its predecessors, ToxicPanda demonstrates a new level of adaptability. By avoiding the typical Automatic Transfer System (ATS) routines and using fewer obfuscation techniques, it appears that the malware developers focused more on adapting the trojan for new regulatory landscapes, including the strict compliance frameworks in Europe. This change in focus suggests a shift from targeting cryptocurrency wallets to mainstream banking institutions, which may have larger user bases and looser security defenses in certain markets.

Technical Analysis

“System configurations and app monitoring

Some interesting artefacts left on the APK are related to files called langs.json and XX.json (where XX is a language file, e.g., it.json, es.json, etc.).

Analyzing the langs.json JSON file, we could spot applications and classes associated with different Android systems or vendor-specific apps (e.g., Samsung, Xiaomi, Huawei, Oppo). These configurations focus on system-level management applications, backup or cleaning utilities as well as security permissions (all applications likely to interfere with or limit the purpose of the malware). Moreover, analyzing the whole structure, it is possible to catch quite interesting keys, such as pkg, text and action.

Figure 2 – Blocking interaction with unwanted applications

Those keywords are structured to contain specific information that will be parsed later on from the dedicated malware component. The figure above shows an example of “preventing” users from removing and generally accessing system settings, referring them back to the home screen.

In detail:

  • action: this field represents the actions that need to be performed.
  • pkg: application interested in this action (e.g., com.miui.securitycenter, com.android.systemui, com.android.settings.intelligence, com.coloros.safecenter). It’s worth mentioning that those packages also refer to specific device manufacturers.
  • text: a Chinese string that will be used to match the XX.json file containing language translation for target devices.

Figure 3 – Parsing the ‘langs.json’ file during the execution

Matching internal telemetries and the mechanism observed, it’s also possible to infer target countries that are the main focus of this threat. Limiting targets to Europe, it’s possible to observe Italy, Spain, Portugal, France, Germany, and the UK. However, considering the linguistic ties between Spanish and Portuguese and the LATAM region, we must recognize that this area could also be a significant target.

Collecting Phone Images

One notable characteristic of this malware, which aligns with practices commonly observed among Chinese-speaking developers, is its capability to access phone albums, convert images to BASE64, and transmit them back to the command and control (C2) server. While this technique is not entirely new — it has already been observed with malware like TrickMo — it represents a significant strategy for gathering potentially sensitive information (e.g., screenshots containing login credentials or virtual cards) from user devices.

Figure 4 – Collecting device’s images

Debug and Connection Info

In addition, it was possible to discover the following config.toml file inside the asset/ folder:

Figure 5 – Network configuration settings (config.toml)

This file defines configuration settings for a communication or tunneling system, potentially facilitating connections between the malware’s infrastructure and remote devices or servers.

As the previous image shows, this file contains a hardcoded DNS service (114.114.114.114), a Chinese Free Public DNS service named 114DNS. While 114DNS is a legitimate public DNS, its use in malware or suspicious configurations can indicate a connection between TAs and China. Also, since this service is not commonly used outside the region, TAs still consider this region a testing ground for setting up their malware operations against new geographical regions.

Command-List

ToxicPanda significantly overlaps the command names utilised in the TgToxic malware family. Our analysis identified 61 commands common to both, with highly distinctive names that suggest their presence in both malware is unlikely to be coincidental. This overlap indicates that the same TA (or close affiliates) could be behind both malware.

Figure 6 – Malware commands

Conversely, ToxicPanda introduces 33 new commands, some lacking implementation. Additionally, several commands from TgToxic persist in this variant but remain unimplemented—particularly those associated with EasyClick, a framework enabling UI automation scripts via JavaScript. In TgToxic, this framework was exploited to hijack the Android device’s user interface (UI), allowing for actions such as monitoring user input and automating clicks and gestures. In contrast, ToxicPanda does not rely on this framework, though its associated commands remain in the code with blank implementations.
The complete list of commands can be found in Appendix A – Malware Commands.

C2 Communication

ToxicPanda contains three hard-coded domains designated for establishing a connection with the Command and Control (C2) server:

  • dksu[.]top  
  • mixcom[.]one
  • freebasic[.]cn

Unlike more sophisticated malware that may employ advanced techniques such as Domain Generation Algorithms (DGA) or dynamic configuration updates to determine C2 endpoints, this malware relies on static, pre-defined domains embedded directly within its code.

Figure 7 – Hard-coded C2 server domains

In the analyzed sample, domain selection is managed through a switch statement, which defaults to the first domain (dksu[.]top) by setting a specific switch variable to 1. This approach simplifies the initial C2 connection process but reduces the malware’s adaptability in cases where one or more of these domains are blocked. However, the C2 server can modify this behavior in real-time by leveraging the setCommandStyle command to change the C2 domain remotely, providing some degree of flexibility despite the hard-coded nature of the initial configuration. While the malware lacks sophisticated C2 domain generation or obfuscation techniques, combining hard-coded domains with selective remote configuration demonstrates a balance between simplicity and operational effectiveness, allowing the attackers to maintain control with minimal complexity.

The chosen domain is prefixed with the subdomain ctrl to establish communication, and an initial HTTP request is sent over HTTPS to initiate contact with the C2 server. This “handshake” request prompts a response containing a JSON payload, including connection parameters such as the port number. This port will subsequently be used for a persistent connection to the C2 server via the WebSocket protocol, which enables low-latency, bidirectional communication.

Figure 8 – Bot’s registration on the C2 server

With the WebSocket protocol, the initial message exchange involves a “login” request from the infected device to the C2 server. This message includes a unique Device ID, allowing the C2 server to identify, register, and monitor each infected device within its botnet. Once the login is successful, the C2 server responds with specific commands based on the fraud campaign’s goals. These commands, outlined in prior sections, prompt the infected device to carry out malicious actions as instructed by the C2 server.

Figure 9 – WebSocket traffic

ToxicPanda employs AES encryption in ECB (Electronic Codebook) mode to secure network communication. The encryption key is hard-coded within the malware’s source code, derived from a specific byte array, and converted into a string format. In the sample under analysis, this hard-coded encryption key is 0623U2SKT3YY3QB9P.

Figure 10 – AES encryption routine

A deep dive into ToxicPanda C2 panel

Our analysts successfully obtained visibility into the botnet’s command and control (C2) panel during our investigation into the ToxicPanda Android banking trojan campaign. This visibility was a significant breakthrough, providing crucial insights into the operations of the TAs behind this ongoing banking fraud campaign.

Figure 11 – C2 panel login page

Understanding the inner workings of a botnet control panel is vital in the broader context of Threat Intelligence, especially within the realm of Android banking trojans. Visibility into these C2 infrastructures allows analysts to gather invaluable intelligence regarding the techniques and procedures employed by TAs. It also helps us understand the scope of the compromised devices and the specific actions that operators can perform on infected devices.

Access to such information enhances our ability to develop effective countermeasures, anticipate the attackers’ next steps, and ultimately disrupt their operations.

Figure 12 – C2 panel dashboard

In this case, visibility into the botnet’s control panel confirmed that the ToxicPanda campaign was orchestrated by a Chinese-speaking group—a rare occurrence in Europe, where this campaign has primarily occurred. The insights gleaned from the panel have further deepened our understanding of this group’s operational capabilities and methods of conducting fraud.

The “Machine Management” interface is one of the most important sections within the C2 panel. As shown in the following image, this section provides the fraud operators with a detailed overview of each infected Android device connected to the botnet.

Figure 13 – Victim’s list and details

This interface is organized into several columns, each representing various aspects of the compromised devices, including:

  • ID and Status: Displays each compromised device’s identification number and online/offline status.
  • Brand and Model: Information about the device’s make and model helps operators understand its technical specifications.
  • Geolocation: Shows the geographical region based on the device’s time zone, helping the operators narrow down the location of the infected devices.
  • Version and Last Seen: This details the software version running on the device and when it was last active on the network.

TAs also have various controls, including updating or resetting scripts, clearing the cache, or removing devices from the botnet. These controls enable fraudsters to maintain or upgrade their malware on the devices, ensuring long-term persistence or adjusting their tactics to remain undetected by anti-fraud measures.

A key feature of this botnet is the ability to initiate On-Device Fraud (ODF), a method increasingly favored by banking fraudsters. The “Machine Management” interface allows operators to request real-time remote access to any connected Android device. Once connected, the operator can perform fraudulent transactions directly from the victim’s certified device.

Further analysis of the ToxicPanda botnet infrastructure granted our team access to comprehensive telemetry data, revealing the full extent of this campaign. This dataset allowed us to map out the geographic distribution of over 1,500 infected devices, highlighting the regions currently experiencing the heaviest concentration of infections.

Figure 14 – Victims’ geographic distribution

The aggregated data, visualized in the map above, clearly illustrates a pronounced targeting pattern:

  • Italy is the primary hotspot, accounting for 56.8% of the infected devices. This concentration suggests that Italy is a strategic focal point for the operators behind ToxicPanda.
  • Portugal follows, with 18.7% of compromised devices, indicating a secondary target within Europe.
  • Hong Kong is the third most affected region, at 4.6%, potentially reflecting either testing grounds or emerging targets within Asian markets.
  • Spain and Peru are also featured on the list, though they have smaller shares of 3.9% and 3.4%, respectively. These numbers suggest that the operators are expanding their focus beyond primary European targets, hinting at a potential shift towards Latin America.

This geographical distribution underscores the significant reach and adaptability of the ToxicPanda botnet. By leveraging these insights, we better understand the botnet’s operational focus and can more effectively strategize region-specific defenses. The visibility into regional infection patterns also helps financial institutions and local authorities in the most impacted areas prioritize mitigation efforts and fortify their anti-fraud measures accordingly.

Moreover, our analysts can provide valuable insights into the geographic origin of TA connections and the services they rely on to access the C2 panel. The following image gives an aggregated, high-level view of these extracted telemetries, highlighting key operational patterns:

Figure 15 – Threat Actors’ origin connections

Source: Cleafy.
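The C2 contact pattern described in the analysis (the ctrl subdomain on one of three static domains, an HTTPS handshake followed by a WebSocket session on a server-supplied port, and name resolution through 114DNS) can be turned into a simple hunting check over network logs. The following Python script is an added example, not Cleafy's code or part of the original article; its log layout, source addresses and sample lines are constructed assumptions.

```python
from collections import defaultdict

# Defanged C2 domains and the resolver quoted in the analysis above.
C2_DOMAINS = {"dksu[.]top", "mixcom[.]one", "freebasic[.]cn"}
C2_SUBDOMAIN = "ctrl"
REGIONAL_RESOLVER = "114.114.114.114"  # 114DNS

# Constructed sample log lines (not real telemetry). The
# "timestamp kind key=value ..." layout is an assumption for this example.
SAMPLE_LOG = """\
2024-11-02T10:14:05Z dns src=10.0.0.23 resolver=114.114.114.114 qname=ctrl.dksu.top
2024-11-02T10:14:06Z https src=10.0.0.23 host=ctrl.dksu.top port=443 method=GET
2024-11-02T10:14:07Z https src=10.0.0.23 host=ctrl.dksu.top port=8443 upgrade=websocket
2024-11-02T10:15:00Z dns src=10.0.0.41 resolver=8.8.8.8 qname=www.example.com
2024-11-02T10:15:01Z https src=10.0.0.41 host=www.example.com port=443 method=GET
"""


def parse_line(line):
    """Split one log line into a dict; returns None for blank or malformed lines."""
    parts = line.split()
    if len(parts) < 3:
        return None
    rec = {"ts": parts[0], "kind": parts[1]}
    for kv in parts[2:]:
        key, sep, value = kv.partition("=")
        if sep:
            rec[key] = value
    return rec


def match_c2(host):
    """Return the defanged parent domain when host (or a subdomain of it) is a known C2 domain."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) < 2:
        return None
    parent = "[.]".join(labels[-2:])
    return parent if parent in C2_DOMAINS else None


def classify(rec):
    """List the findings for one record, keyed to the behaviours described above."""
    findings = []
    name = rec.get("qname") or rec.get("host", "")
    if rec["kind"] == "dns" and rec.get("resolver") == REGIONAL_RESOLVER:
        findings.append("DNS query sent to hard-coded 114DNS resolver")
    parent = match_c2(name)
    if parent:
        tag = " (ctrl handshake host)" if name.startswith(C2_SUBDOMAIN + ".") else ""
        findings.append(f"contact with C2 domain {parent}{tag}")
        if rec.get("upgrade", "").lower() == "websocket":
            findings.append(f"WebSocket C2 session on port {rec.get('port')}")
    return findings


def hunt(log_text):
    """Aggregate timestamped findings per source address; only flagged sources appear."""
    report = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        for finding in classify(rec):
            report[rec.get("src", "?")].append(f"{rec['ts']} {finding}")
    return dict(report)
```

Calling hunt(SAMPLE_LOG) reports only the first device, with five findings that trace the resolver use, the handshake and the WebSocket session in order.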

10 Tips to Defend Against Banking Trojans Like ToxicPanda

  1. Implement Robust Anti-Malware Solutions: Ensure devices have reputable anti-malware solutions that are updated regularly to detect emerging threats like ToxicPanda.
  2. Avoid Side-Loading Apps: Only download applications from official app stores, and avoid installing apps from unverified sources, as these are prime vectors for malware distribution.
  3. Monitor App Permissions: Regularly review and limit app permissions, especially accessibility features, which ToxicPanda exploits to gain control over the device.
  4. Enable Two-Factor Authentication: Although some malware can intercept OTPs, 2FA still adds an additional layer of protection, particularly for non-targeted attacks.
  5. Utilize Threat Intelligence Feeds: Subscribe to threat intelligence feeds that provide updates on new malware trends, helping security teams stay informed and prepared.
  6. Limit Device Admin Permissions: Avoid granting device admin permissions to apps unless necessary, as these permissions can grant malware deeper access to system settings.
  7. Educate Users on Social Engineering Tactics: Provide training on how to recognize and avoid phishing and other social engineering attacks, which are often used to spread malware.
  8. Use Secure Coding Practices in CI/CD: If developing Android apps, follow secure coding practices in CI/CD pipelines to prevent trojans from entering your software supply chain.
  9. Implement Application Control Policies: Configure policies to prevent the installation of unauthorized applications, reducing the chances of malware infection.
  10. Regularly Update Firmware and Security Patches: Ensure that devices are updated with the latest security patches, as unpatched vulnerabilities can provide easy access for trojans.

Conclusion

ToxicPanda marks a concerning shift in cybercriminal tactics, expanding traditional Asian malware operations into Western banking systems. By exploiting device accessibility features and employing social engineering techniques, it has managed to compromise thousands of devices across Europe and Latin America. For cybersecurity professionals, this malware highlights the importance of cross-regional threat awareness and the need for proactive measures to safeguard user devices.

As cyber threats continue to evolve, it is essential for organizations and individuals alike to remain vigilant, prioritize device security, and embrace a layered approach to protection. With a concerted effort to implement robust security practices and foster awareness, the risks posed by sophisticated malware like ToxicPanda can be effectively managed.


Ouaissou DEMBELE
Ouaissou DEMBELE is an accomplished cybersecurity professional and the Editor-In-Chief of cybercory.com. He has over 10 years of experience in the field, with a particular focus on Ethical Hacking, Data Security & GRC. Currently, Ouaissou serves as the Co-founder & Chief Information Security Officer (CISO) at Saintynet, a leading provider of IT solutions and services. In this role, he is responsible for managing the company's cybersecurity strategy, ensuring compliance with relevant regulations, and identifying and mitigating potential threats, as well as helping the company customers for better & long term cybersecurity strategy. Prior to his work at Saintynet, Ouaissou held various positions in the IT industry, including as a consultant. He has also served as a speaker and trainer at industry conferences and events, sharing his expertise and insights with fellow professionals. Ouaissou holds a number of certifications in cybersecurity, including the Cisco Certified Network Professional - Security (CCNP Security) and the Certified Ethical Hacker (CEH), ITIL. With his wealth of experience and knowledge, Ouaissou is a valuable member of the cybercory team and a trusted advisor to clients seeking to enhance their cybersecurity posture.
