Recent research has identified a new Android malware strain, initially mistaken for TgToxic, now called ToxicPanda.
Although it shares some bot command similarities, ToxicPanda’s code diverges significantly, lacking key TgToxic features and including placeholder commands with no functionality.
ToxicPanda Malware
The malware uses remote access capabilities to enable account takeovers through on-device fraud (ODF), allowing attackers to evade detection and target a wide range of banking customers, even with simpler methods.
The ToxicPanda botnet, likely run by Chinese-speaking threat actors, has infected over 1,500 Android devices, mainly in Italy, Portugal, Spain, France, and Peru, suggesting a possible change in their targeting strategy.
The banking trojan sample has fewer technical capabilities than its predecessor, TgToxic, likely due to the developers’ inexperience with new targets and stricter regulations. This has led to simpler obfuscation and the removal of advanced features such as the Automatic Transfer System (ATS).
A sophisticated Android banking trojan uses accessibility services to gain elevated privileges, control infected devices, intercept OTPs, and evade detection through obfuscation.
This allows attackers to carry out on-device fraud and steal financial data. The APK contains configuration files to target specific Android systems and vendors, blocking user access to settings and security permissions by interfering with system-level apps.
During execution, the trojan parses the “langs.json” file, matching target devices through language associations (e.g., Spanish and LATAM), potentially revealing target countries.
The malware accesses phone albums, converts images to BASE64, and sends them to a C2 server, stealing sensitive data like login credentials and virtual card details.
Its use of a Chinese public DNS service (114DNS) hints at ties to Chinese threat actors and suggests this region as a testing ground.
ToxicPanda and TgToxic share 61 unique commands, suggesting a link between their developers. ToxicPanda adds new commands and lacks some of TgToxic’s, especially in UI automation, but the command overlap is notable.
According to Cleafy, ToxicPanda uses three fixed domains (dksu[.]top, mixcom[.]one, freebasic[.]cn) to connect with its C2 server, lacking advanced techniques like DGAs or dynamic C2 updates. It initially connects to a hardcoded C2 domain, which can be changed remotely via command. After the first HTTPS connection, a JSON response establishes a WebSocket connection for further communication.
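The fixed C2 domains above are the most actionable detail for a defender, because a static indicator set can be matched against DNS or proxy logs. The following is an added example, not code from Cleafy or from the article, that refangs the published indicators, scans a few constructed DNS query log lines in a hypothetical format, and flags queries for the C2 domains (including subdomains) as well as devices resolving through the 114DNS public resolver; the resolver address 114.114.114.114 is the commonly published address of that service and is not taken from the article.

```python
import re
from dataclasses import dataclass
from typing import List

# C2 domains reported for ToxicPanda, as published (defanged with "[.]").
TOXICPANDA_C2_DOMAINS_DEFANGED = ["dksu[.]top", "mixcom[.]one", "freebasic[.]cn"]

# Commonly published address of the 114DNS public resolver (assumption; not from the article).
PUBLIC_114DNS_RESOLVER = "114.114.114.114"


def refang(indicator: str) -> str:
    """Turn a defanged indicator such as 'dksu[.]top' back into 'dksu.top' for matching."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")


C2_DOMAINS = {refang(d) for d in TOXICPANDA_C2_DOMAINS_DEFANGED}


@dataclass
class Finding:
    line_no: int
    client: str
    indicator: str
    reason: str


# Hypothetical DNS query log format assumed here: "<ts> <client_ip> -> <resolver_ip> Q <qname>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+->\s+(?P<resolver>\S+)\s+Q\s+(?P<qname>\S+)\s*$"
)


def domain_matches(qname: str, domain: str) -> bool:
    """True if qname equals the indicator domain or is a subdomain of it.

    The trailing-dot strip and the '.' + domain suffix check avoid false
    positives such as 'notfreebasic.cn' matching 'freebasic.cn'.
    """
    qname = qname.rstrip(".").lower()
    return qname == domain or qname.endswith("." + domain)


def scan_dns_log(lines: List[str]) -> List[Finding]:
    """Scan log lines and return one Finding per indicator hit (malformed lines are skipped)."""
    findings: List[Finding] = []
    for n, line in enumerate(lines, 1):
        m = LOG_RE.match(line)
        if not m:
            continue
        qname, client, resolver = m["qname"], m["client"], m["resolver"]
        for domain in C2_DOMAINS:
            if domain_matches(qname, domain):
                findings.append(Finding(n, client, domain, "query for known ToxicPanda C2 domain"))
        if resolver == PUBLIC_114DNS_RESOLVER:
            findings.append(Finding(n, client, resolver, "device resolving via 114DNS public resolver"))
    return findings


def clients_with_c2_queries(findings: List[Finding]) -> List[str]:
    """Sorted list of client addresses that queried a known C2 domain (for triage)."""
    return sorted({f.client for f in findings if f.indicator in C2_DOMAINS})


# Constructed sample log lines (not real traffic) in the hypothetical format above.
SAMPLE_LOG = [
    "2024-11-01T10:00:01Z 10.0.0.12 -> 10.0.0.1 Q www.example.com",
    "2024-11-01T10:00:05Z 10.0.0.12 -> 10.0.0.1 Q api.dksu.top",
    "2024-11-01T10:00:09Z 10.0.0.33 -> 114.114.114.114 Q mixcom.one",
    "2024-11-01T10:00:12Z 10.0.0.33 -> 10.0.0.1 Q notfreebasic.cn",
    "this line is malformed and is skipped",
]

if __name__ == "__main__":
    for f in scan_dns_log(SAMPLE_LOG):
        print(f"line {f.line_no}: {f.client} -> {f.indicator} ({f.reason})")
    print("clients to triage:", clients_with_c2_queries(scan_dns_log(SAMPLE_LOG)))
```

Against the constructed sample the scan yields three findings: the `api.dksu.top` subdomain query, the `mixcom.one` query, and the same device's use of the 114DNS resolver; the look-alike `notfreebasic.cn` is correctly ignored. A resolver hit on its own is weak evidence (many devices use public resolvers), so it is reported as a separate, lower-confidence reason rather than folded into the C2 match.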
The ToxicPanda C2 panel investigation has shed light on threat actor tactics and compromised devices.
Through its “Machine Management” interface, operators manage the botnet, target specific devices, and perform remote control, script updates, and on-device fraud (ODF) attacks. While primarily focused on Italian devices, the botnet also shows activity in Portugal, Hong Kong, Spain, and Peru, indicating an expanding reach.