ToxicPanda Banking Malware Attacking Banking Users To Steal Logins

Recent research has uncovered a new strain of malware developed for Android devices, initially misidentified as TgToxic. 

Despite sharing some bot command similarities, this malware, now dubbed ToxicPanda, exhibits significant code divergence from its original source.

It lacks key TgToxic capabilities and possesses placeholder commands without functional implementation. 

The malware leverages Remote Access capabilities to enable Account Takeover (ATO) via On Device Fraud (ODF), allowing threat actors to bypass detection and target a wide range of banking customers, even with less sophisticated techniques.

ToxicPanda botnet, likely operated by Chinese-speaking threat actors, infected over 1,500 Android devices, primarily in Italy, Portugal, Spain, France, and Peru, indicating a potential shift in their targeting strategy.

Build an in-house SOC or outsource SOC-as-a-Service -> Calculate Costs

The banking trojan sample shows reduced technical capabilities compared to its ancestor, TGToxic, likely due to the developers’ inexperience with new targets and stricter regulations, leading to simplified obfuscation and the removal of advanced features like ATS.

A sophisticated Android banking trojan leverages accessibility services to gain elevated privileges, remotely control infected devices, intercept OTPs, and employ obfuscation techniques to evade detection.

This enables attackers to execute on-device fraud and steal sensitive financial information.

The APK contains configuration files targeting specific Android systems and vendors. It aims to block user interactions with system settings and security permissions by identifying and interfering with system-level applications and utilities.

The “langs.json” file is parsed during execution to match target devices based on a Chinese string and application package, potentially revealing target countries through language associations (e.g., Spanish and LATAM). 

The malware accesses phone albums, converts images to BASE64, and sends them to a C2 server, stealing sensitive information like login credentials and virtual card details.

Its configuration file reveals the use of a Chinese public DNS service (114DNS) for communication, which suggests potential ties to Chinese threat actors and indicates that this region might be a testing ground for the malware’s operations. 

ToxicPanda and TgToxic share 61 unique commands, suggesting a potential link between their developers. While ToxicPanda introduces new commands and lacks implementation for some TgToxic commands, particularly those related to UI automation, the overlap in command names is highly suspicious.

According to Cleafy, ToxicPanda malware uses three fixed domains (dksu[.]top, mixcom[.]one, freebasic[.]cn) to connect with its C2 server, lacking the sophistication of dynamic C2 endpoint determination techniques like DGAs or configuration updates.

It initially connects to a hardcoded C2 domain, where the C2 server can remotely change this domain via a command.

After the initial HTTPS connection, a JSON response establishes a WebSocket connection for further communication. 

While the ToxicPanda C2 panel investigation provided crucial insights into TA operations, including techniques, compromised devices, and actions on infected devices. 

The ToxicPanda C2 panel’s “Machine Management” interface provides detailed information about each compromised Android device, enabling fraud operators to efficiently manage the botnet and target specific devices for fraudulent activities.

It is controlled through a web-based interface and enables remote device control, script updates, and ODF attacks by predominantly targeting Italian devices.

It has a significant presence in Portugal, Hong Kong, Spain, and Peru, suggesting a widening geographic scope.

Run private, Real-time Malware Analysis in both Windows & Linux VMs. Get a 14-day free trial with ANY.RUN!