‘ToxicPanda’ Malware Targeting Bank Users

ToxicPanda, a newly identified Android banking Trojan, is targeting users in Europe and Latin America by leveraging On-Device Fraud (ODF) techniques to bypass bank security measures and initiate unauthorized money transfers. 

The malware’s code suggests it is still in early development, but it has already compromised over 1500 devices across multiple countries. The threat actors behind ToxicPanda, likely Chinese speakers, are expanding their operations beyond their usual targets, signaling a potential shift in their strategic focus.

It exhibits reduced technical sophistication compared to its predecessor, TgToxic, which leverages Android’s accessibility services to gain elevated permissions, intercept OTPs, and remotely control infected devices.

Figure: Identified ToxicPanda icons

It employs obfuscation techniques to evade detection. Its primary focus, however, appears to be operational: managing C2 infrastructure so as to overcome the linguistic barriers, regulatory hurdles, and advanced anti-fraud measures present in the targeted regions.

Researchers identified an APK containing configuration files (langs.json and language-specific XX.json files) that reference system apps and vendor-specific utilities (e.g., security and backup apps) on Android devices.

By parsing the “pkg” and “text” keys in langs.json, the malware likely blocks user interaction with these apps (e.g., preventing access to Settings). The language files suggest that the malware targets specific countries (Italy, Spain, etc.) and may extend to regions that use the same languages (e.g., LATAM for Spanish and Portuguese).
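The article describes langs.json only at the level of its “pkg” and “text” keys. The following is an added example, not code from the article or from Cleafy’s report, showing how an analyst might triage such a file statically: it parses the entries, merges duplicate packages, separates stock Android system apps from vendor utilities, and reads the language codes off the accompanying XX.json filenames. The sample file content, the package names under com.example.vendor, and the assumption that langs.json is a JSON list of {“pkg”, “text”} objects are all constructed for the example.

```python
"""Static triage of a ToxicPanda-style langs.json (constructed example)."""
import json
from collections import defaultdict

# Constructed sample. The article says langs.json carries "pkg" and "text" keys
# naming system apps and vendor utilities; the surrounding layout (a JSON list
# of such objects) is an assumption made for this example.
SAMPLE_LANGS_JSON = json.dumps([
    {"pkg": "com.android.settings", "text": ["Settings", "Impostazioni", "Ajustes"]},
    {"pkg": "com.example.vendor.security", "text": ["Security", "Sicurezza", "Seguridad"]},
    {"pkg": "com.example.vendor.backup", "text": ["Backup", "Copia de seguridad"]},
    {"pkg": "com.android.settings", "text": ["Accessibility"]},
    {"pkg": "", "text": ["malformed entry, skipped"]},
])

# Language files found alongside langs.json (constructed names).
SAMPLE_LANGUAGE_FILES = ["it.json", "es.json", "pt.json", "en.json", "langs.json"]

# Prefixes that identify stock Android system apps; anything else is reported
# as a vendor/OEM utility.
SYSTEM_PREFIXES = ("com.android.", "com.google.android.")


def parse_langs(raw: str) -> dict:
    """Return {pkg: sorted list of matched UI strings}, merging duplicate
    packages and skipping malformed entries instead of aborting the triage."""
    targets = defaultdict(set)
    for entry in json.loads(raw):
        if not isinstance(entry, dict):
            continue
        pkg = entry.get("pkg")
        text = entry.get("text")
        if not isinstance(pkg, str) or not pkg:
            continue
        if isinstance(text, str):
            text = [text]
        if not isinstance(text, list):
            continue
        targets[pkg].update(t for t in text if isinstance(t, str))
    return {pkg: sorted(strings) for pkg, strings in targets.items()}


def classify(targets: dict) -> dict:
    """Split the blocked packages into system apps and vendor utilities."""
    report = {"system": [], "vendor": []}
    for pkg in sorted(targets):
        bucket = "system" if pkg.startswith(SYSTEM_PREFIXES) else "vendor"
        report[bucket].append(pkg)
    return report


def languages_from_files(filenames) -> list:
    """Map two-letter XX.json filenames to the language codes the sample ships."""
    codes = set()
    for name in filenames:
        stem, dot, ext = name.rpartition(".")
        if dot and ext == "json" and len(stem) == 2 and stem.isalpha():
            codes.add(stem.lower())
    return sorted(codes)


def triage(raw: str, filenames) -> dict:
    """Produce a small analyst report from langs.json plus the file listing."""
    targets = parse_langs(raw)
    report = classify(targets)
    report["languages"] = languages_from_files(filenames)
    report["strings_per_pkg"] = targets
    return report


if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_LANGS_JSON, SAMPLE_LANGUAGE_FILES),
                     indent=2, ensure_ascii=False))
```

The useful outputs for a defender are the package list (which apps the victim will be unable to reach, and therefore which user-facing symptoms to expect) and the language list (which regions a given sample is built for). Run against a real sample, the parser should be adjusted to whatever layout the file actually has.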

Figure: Parsing the ‘langs.json’ file during execution

The malware collects images from the device’s album, converts them to BASE64 format, and sends them to a C2 server, which poses a significant risk of data exfiltration, including sensitive information like login credentials. 

Its configuration file reveals a hardcoded DNS service, 114DNS, a Chinese public DNS resolver. This suggests a link to Chinese-speaking threat actors and indicates that the current campaign may be a testing ground for targeting new geographical regions.

Figure: Network configuration settings (config.toml)

ToxicPanda shares 61 commands with the TgToxic malware family, suggesting a link between the two. ToxicPanda introduces 33 new commands, while some of TgToxic’s commands, including those for the EasyClick framework, remain present but unimplemented.

According to Cleafy, it also uses hardcoded domains for C2 communication: a default domain is built in, and operators can switch domains remotely. The client first establishes an HTTPS connection, followed by a WebSocket connection for persistent, bidirectional communication.

Figure: AES encryption routine

The malware encrypts its network traffic with a hardcoded AES key, shielding communication between infected devices and the C2 server from inspection. The ToxicPanda C2 panel provides detailed insight into the botnet’s operations and the devices it targets.
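The C2 behaviour described above (an HTTPS request to a hardcoded domain, then a WebSocket connection to the same host, the ability to switch domains remotely, and bulk upload of device data) is visible in connection metadata even when the payloads are AES-encrypted. The following is an added example, not code from the article or from Cleafy, of detection logic run over constructed proxy events. The hostnames (under the reserved .invalid TLD), the event format, the 60-second handshake window and the 512 KiB bulk-upload threshold are all assumptions made for the example; no real ToxicPanda infrastructure is reproduced.

```python
"""Detect a ToxicPanda-style HTTPS-then-WebSocket C2 pattern in proxy events."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime

# Constructed events (not real telemetry). Fields: timestamp, client IP,
# destination host, event kind, outbound bytes. The event kinds model the
# sequence described in the article: HTTPS request, WebSocket upgrade, frames.
SAMPLE_EVENTS = """\
2024-11-05T10:00:01Z 10.0.0.12 c2-a.example.invalid https_request 412
2024-11-05T10:00:03Z 10.0.0.12 c2-a.example.invalid ws_upgrade 0
2024-11-05T10:00:30Z 10.0.0.12 c2-a.example.invalid ws_frame 1800
2024-11-05T10:01:10Z 10.0.0.12 c2-a.example.invalid ws_frame 950000
2024-11-05T10:02:00Z 10.0.0.12 c2-b.example.invalid https_request 388
2024-11-05T10:02:02Z 10.0.0.12 c2-b.example.invalid ws_upgrade 0
2024-11-05T10:00:05Z 10.0.0.40 chat.example.invalid ws_upgrade 0
2024-11-05T10:00:09Z 10.0.0.40 chat.example.invalid ws_frame 2200
2024-11-05T10:00:09Z 10.0.0.41 shop.example.invalid https_request 700
this line is malformed and is skipped
"""

HANDSHAKE_WINDOW_S = 60          # assumed: HTTPS request to WS upgrade gap
BULK_BYTES = 512 * 1024          # assumed: single outbound frame this large


@dataclass
class Event:
    ts: datetime
    client: str
    host: str
    kind: str
    out_bytes: int


def parse_events(text: str) -> list:
    """Parse whitespace-separated event lines; skip anything malformed."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        ts, client, host, kind, nbytes = parts
        try:
            when = datetime.fromisoformat(ts.replace("Z", "+00:00"))
            events.append(Event(when, client, host, kind, int(nbytes)))
        except ValueError:
            continue
    return sorted(events, key=lambda e: e.ts)


def analyse(events: list) -> dict:
    """Return {client: finding} for clients showing the C2 handshake pattern.

    A host counts as a C2 candidate when a WebSocket upgrade follows an HTTPS
    request to the same host within HANDSHAKE_WINDOW_S. A second such host for
    the same client is reported as a remote domain switch, and any single
    outbound WebSocket frame of BULK_BYTES or more as bulk exfiltration.
    """
    findings = defaultdict(lambda: {"c2_hosts": [], "domain_switch": False,
                                    "bulk_exfil": False})
    last_https = {}
    for e in events:
        key = (e.client, e.host)
        if e.kind == "https_request":
            last_https[key] = e.ts
        elif e.kind == "ws_upgrade":
            t0 = last_https.get(key)
            if t0 is not None and (e.ts - t0).total_seconds() <= HANDSHAKE_WINDOW_S:
                f = findings[e.client]
                if e.host not in f["c2_hosts"]:
                    f["c2_hosts"].append(e.host)
                    f["domain_switch"] = len(f["c2_hosts"]) > 1
        elif e.kind == "ws_frame":
            if e.client in findings and e.host in findings[e.client]["c2_hosts"]:
                if e.out_bytes >= BULK_BYTES:
                    findings[e.client]["bulk_exfil"] = True
    return dict(findings)


def flagged_clients(text: str) -> dict:
    return analyse(parse_events(text))


if __name__ == "__main__":
    for client, finding in flagged_clients(SAMPLE_EVENTS).items():
        print(client, finding)
```

The plain WebSocket client at 10.0.0.40 is not flagged because no HTTPS request to that host precedes the upgrade, which keeps ordinary chat and push traffic out of the results. Because the AES key is hardcoded in the sample, an analyst holding the APK can also recover the encrypted payloads; this example deliberately works on connection metadata only, which is what a network sensor sees.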

The panel allows operators to manage infected devices, initiate on-device fraud, and track their geographic distribution. Analysis of the panel revealed that Italy is the primary target, followed by Portugal and Hong Kong.

The data also points to Chinese-speaking operators and their reliance on specific services to access the C2 panel; these details enable security analysts to develop effective countermeasures and disrupt the botnet’s activities.

Kaaviya is a Security Editor and fellow reporter with Cyber Press. She covers cyber security incidents happening in cyberspace.
