Trojan
ToxicPanda
Banking
Explore ToxicPanda, a new banking trojan spreading from Asia to Europe and LATAM...
Threat research team identified a new Android malware strain, initially thought to be TgToxic but exhibiting key divergences from its predecessor, leading us to classify it as "ToxicPanda." ToxicPanda is a banking Trojan leveraging Remote Access Trojan (RAT) techniques to initiate fraudulent money transfers through account takeover (ATO), exploiting On-Device Fraud (ODF) techniques. The malware bypasses banking countermeasures for identity verification and behavioral detection by targeting devices directly.
Our analysis suggests that ToxicPanda has not yet reached in its advanced stages, as evidenced by incomplete command implementations and placeholder code. Specifically, several commands, such as those related to advanced ATS routines and EasyClick automation, remain unimplemented or serve only as placeholders.
This limits the malware's ability to fully automate fraudulent actions, reducing its current threat level but indicating potential for future development. The incomplete commands suggest that the developers may still be testing capabilities or lack the expertise to deploy more sophisticated functionalities effectively.
Despite this, it has been remarkably effective, leading to over 1,500 infections across Europe and Latin America, primarily targeting banking institutions in Italy, Spain, Portugal, and Peru. Unlike typical campaigns from Southeast Asian TAs, ToxicPanda appears to reflect a shift or expansion of Chinese-speaking threat actors into European and Latin American markets, marking an unusual and concerning development in their operational focus.
This geographical expansion is significant because it suggests a diversification of targets, potentially driven by an interest in new financial markets, broader revenue streams, or a strategic response to increased security measures in their traditional regions. The shift also indicates that these actors are becoming more adaptable and willing to overcome language, regulatory, and logistical barriers to target previously unexplored regions, which could indicate an escalation in their overall capabilities and threat sophistication.
***ToxicPanda’s icons as described by [Cleafy](https://www.cleafy.com/cleafy-labs/toxicpanda-a-new-banking-trojan-from-asia-hit-europe-and-latam)***
***Key campaign highlights include:***
- **Malware Type**: Android Banking Trojan
- **Target OS**: Android Devices
- **Target Regions**: Europe (Italy, Portugal, Spain, France) and Latin America (Perú)
- **Infection Vector**: Side-loading via Social Engineering
- **Fraud Techniques**: Account Takeover, On-Device Fraud, OTP Interception
- **TTP Summary**: RAT capabilities, Accessibility Service abuse, Remote Control
The findings suggest a strategic attempt by the TAs to expand their operations from primarily regional targeting in Asia to broader international fraud schemes, using rudimentary but highly adaptive malware.
## Technical Analysis
### Overview of ToxicPanda's Capabilities
From a technical perspective, ToxicPanda shares core RAT capabilities similar to other banking trojans like [Medusa](https://www.secureblink.com/cyber-security-news/medusa-returns-new-malware-variant-threatens-android-users-worldwide) and Copybara, with an emphasis on ODF. The malware exploits Android's Accessibility Service, allowing TAs to remotely control infected devices, capture OTPs, manipulate user inputs, and bypass 2FA protection measures.
ToxicPanda's reduced obfuscation and the absence of more advanced Automatic Transfer System (ATS) routines compared to its predecessor TgToxic imply a downgrade in technical complexity, perhaps reflecting the developers' relative inexperience with navigating foreign banking systems and stricter financial regulations, such as the European Union's PSD2 (Payment Services Directive) and GDPR (General Data Protection Regulation).
These regulations impose stringent requirements for authentication, data privacy, and financial transactions, making it more challenging for malware to effectively operate without sophisticated adaptations. Additionally, differences in financial system architectures and anti-fraud mechanisms across regions further complicate the development of advanced features like ATS, which require a deeper understanding of localized banking processes.
### Infection Chain and Execution Flow
#### 1. Initial Infection
ToxicPanda spreads primarily through side-loading mechanisms, often disguised as benign applications or legitimate software. Social engineering plays a key role in encouraging users to install the malware, using techniques such as phishing campaigns that trick users into downloading fake apps through links, impersonation of legitimate apps on third-party app stores, and even fake pop-up ads claiming urgent updates. These apps often masquerade as popular utilities, financial applications, or security tools, which increases the likelihood of users trusting and installing them.
#### 2. Abuse of Android Accessibility Services
The core of ToxicPanda's malicious activities involves abusing Android's Accessibility Services to achieve elevated permissions. These permissions are often obtained by manipulating user consent through deceptive prompts or misleading UI elements, such as pretending to be a legitimate system update or security feature. This tactic tricks users into granting Accessibility Service permissions, which allows ToxicPanda to execute its malicious activities seamlessly. ToxicPanda is configured to:
- **Intercept User Inputs**: By manipulating the Accessibility Service, ToxicPanda can log user inputs, capture credentials, and trigger actions remotely.
- **Initiate Fraudulent Transactions**: The malware automates interactions with banking applications, enabling direct account takeovers.
- **Localized UI Manipulation for Permissions**: ToxicPanda uses language-specific strings to manipulate UI elements, such as forcing clicks on buttons like "Home" or searching for system text like "Force Stop" in localized languages. This level of adaptation makes it highly effective in deceiving users across different regions.
- **Localized Login Interfaces**: ToxicPanda further enhances social engineering efforts through localized login interfaces, as seen in screenshots of authorization systems in Chinese. These localized interfaces are designed to mimic legitimate screens, building trust among targeted users, particularly in Chinese-speaking regions, thus increasing the likelihood of successful phishing attempts.
***ToxicPanda forcing the click of the "Home" button and searching for specific UI texts such as "Force Stop" in Chinese to manipulate system interactions (Source: Cleafy)***
#### 3. OTP Interception and On-Device Fraud
ToxicPanda can intercept OTPs sent via SMS or authenticator apps, allowing it to bypass banking two-factor authentication mechanisms. To avoid detection during OTP interception, the malware uses techniques such as mimicking legitimate system notifications, delaying interception to blend in with normal system processes, and utilizing accessibility service permissions to silently read and forward OTP messages without alerting the user. This capability facilitates On-Device Fraud, enabling attackers to initiate, authorize, and verify transactions without direct user interaction.
### Botnet Infrastructure and C2 Communication
Our analysis disclosed a non-dormant botnet managed through a centralized Command and Control (C2) infrastructure, with over 1,500 infected devices. The botnet is controlled using three hard-coded domains: **dksu[.]top**, **mixcom[.]one**, and **freebasic[.]cn**. To avoid detection or mitigate domain takedown, attackers might employ additional fallback C2 servers or use domain generation algorithms (DGAs). DGAs allow the botnet to generate new domains dynamically, making it harder for defenders to block C2 communication completely, while fallback servers ensure continuity even if primary domains are taken down.
These strategies illustrate how the botnet infrastructure may evolve to maintain resilience against countermeasures. These particular domains may have been chosen due to their relatively obscure nature, which helps avoid early detection by security solutions. Additionally, the use of a Chinese public DNS service and domains ending in '.cn' suggests a link to the threat actors' geographical origin, potentially pointing towards Chinese infrastructure or operational bases.
***Botnet Management Panel showcasing device status, operational controls, and fraud management capabilities (Source: Cleafy)***
This choice of domains reflects a strategic approach by the TAs to maintain low visibility while retaining control over infected devices. ToxicPanda employs a basic mechanism to select a C2 domain through a switch statement, defaulting to a primary server, which allows real-time adjustments using a command named `setCommandStyle`. In practice, it is unclear how frequently the C2 domain is adjusted, but evidence suggests that this adaptation mechanism has been observed in thwarting defensive measures by rapidly switching domains when disruptions are detected, thereby maintaining consistent botnet control.
#### C2 Communication Flow
- **Initial Contact**: A switch-based domain selection triggers initial contact with the C2 server using HTTPS, followed by a persistent connection through WebSockets for bidirectional, low-latency communication.
- **Encryption**: ToxicPanda uses AES encryption in ECB mode to secure its communications. The encryption key, hard-coded in the malware, ensures data transmitted between infected devices and the C2 remains obfuscated from standard network monitoring tools. The use of ECB mode, while simple to implement, presents vulnerabilities as it is susceptible to pattern detection, which defenders could potentially exploit for better threat analysis.
Figure 8 shows an example of the WebSocket traffic initiated between an infected device and the C2 server, where the server issues commands for fraudulent activities. This low-latency, persistent communication approach bypasses traditional HTTP monitoring and makes detection harder.
### Botnet Management Panel
Our researchers gained visibility into ToxicPanda's C2 management panel by leveraging a combination of network traffic analysis and exploiting weaknesses in the malware's C2 communication protocols, offering rare insights into the operator's capabilities.
This access was achieved through detailed reverse engineering of the malware, which allowed our team to extract hard-coded credentials and identify vulnerabilities in the panel's authentication process.
The interface includes sections for _"Machine Management,"_ where TAs can remotely view device details, issue commands, and initiate On-Device Fraud activities. Key features observed include:
- **Device Overview**: Columns listing device brand, model, geolocation, software version, and online/offline status.
- **Operational Controls**: Operators can upgrade, reset, or remove malware from devices and manage fraudulent transactions in real-time.
- **Centralized Fraud Management**: The admin panel also offers a quick view of device status, the ability to reset scripts, turn off cameras, and even initiate recording from infected devices. This level of control indicates an expanded toolkit that goes beyond just financial fraud, allowing operators to spy on victims and potentially collect sensitive personal data for further exploitation.
The panel confirmed the suspected Chinese-speaking origin of the TAs, who appear to be managing this campaign centrally, with a distinct focus on European banking customers and emerging Latin American targets.
### Expanded Data Theft: Image Collection and Transmission
ToxicPanda also collects device images from photo albums, converts them into BASE64 format, and transmits them to the C2 server. This adds another dimension to its data collection methods, targeting sensitive personal information beyond financial credentials. This capability broadens the scope of the data that TAs can leverage for further exploitation or monetization, highlighting the expansive nature of the threat.
### Fake App Store Listings as Infection Vectors
The malware has also been observed using fake app listings, such as those mimicking legitimate applications like "99 Spedmart," "Amore Live," and "Honey Peach." These fake apps are distributed through compromised app stores or phishing links and often carry high user ratings and positive reviews to lure potential victims. The familiarity and popularity of these apps increase their credibility, making it more likely for users to install them without suspicion. These strategies contribute significantly to the high infection rate of ToxicPanda.
## Indicators of Compromise (IoCs)
### Hashes of Known ToxicPanda Samples:
| Hash | App Name |
|-----------------------------------------|------------|
| 2f5c4325f77280b2b58be981f9051f04 | Chrome |
| 6e0a7e94ce0a1fe70d43fe727dc41061 | dbltest |
| f5c44a7044572e39e8fb9fa8e1780924 | Chrome |
### C2 Domains:
- **dksu[.]top**
- **mixcom[.]one**
- **freebasic[.]cn**
## Conclusion
ToxicPanda represents an evolving threat in the Android banking Trojan landscape, especially as Chinese-speaking TAs expand their operations into Europe and Latin America. The malware's less sophisticated technical foundation—including unfinished commands and simplified obfuscation—contrasts sharply with its rapid operational success, highlighting a growing risk that threat actors can achieve significant impact without highly advanced techniques.
The campaign underscores the urgent need for proactive detection mechanisms. Organizations can bolster defenses by implementing user education initiatives to raise awareness of phishing and side-loading risks, deploying Mobile Device Management (MDM) solutions to enforce security policies, and mandating stricter app permissions policies to minimize the risk of malware gaining elevated privileges. These measures, combined with existing detection tools, can help prevent infections and mitigate damage.
Specifically, employing advanced behavioral analytics tools, implementing machine learning-based anomaly detection, and integrating network traffic analysis tools like Zeek or Suricata could significantly enhance the ability to detect such malware. Additionally, leveraging mobile threat defense solutions and endpoint detection and response (EDR) systems could help in identifying early indicators of compromise and mitigating risks before they escalate. Current industry-standard antivirus solutions have struggled with this relatively basic threat, pointing to gaps in real-time detection capabilities. Enhanced early warning systems are crucial to mitigate such threats before they materialize at scale.
To further bolster defenses, it is recommended to implement specific mitigations for each phase of the malware lifecycle, develop detailed behavioral analysis mechanisms, and enhance network traffic inspection capabilities to effectively detect C2 communication using WebSockets. Security teams should focus on incorporating indicators of compromise into automated threat detection tools and regularly update threat intelligence feeds to reflect the latest observed domains and behaviors. Regional banking institutions in Europe and LATAM should especially prioritize reviewing their mobile security policies and invest in educational programs aimed at reducing the risk of social engineering attacks.
The expansion of traditionally regional threat actors into new territories requires a reassessment of regional security postures, particularly concerning banking institutions and their mobile security strategies. ToxicPanda’s reliance on familiar Android exploits and simple RAT tools shows that even known threats, when applied in new operational contexts, can pose serious challenges for financial institutions worldwide.
### Future Threat Projections
Considering the incomplete capabilities and ongoing adaptations of ToxicPanda, we can project a potential evolution towards more sophisticated RAT capabilities, advanced ATS implementations, and increased use of domain generation algorithms for C2 infrastructure. The rapid domain switching mechanism, while currently simplistic, may evolve into more complex fallback systems or DGAs, providing resilience against domain takedowns.
Financial institutions should prepare for enhanced ATS capabilities, potentially capable of executing more precise and automated account takeovers, and expect expanded efforts in social engineering campaigns, including more sophisticated phishing lures tailored to local languages and banking interfaces.
