2024-11-04 Cleafy: ToxicPanda: a new banking trojan from Asia hit Europe and LATAM
ToxicPanda is an Android banking trojan targeting Europe and Latin America, identified in October 2024 and derived from the TgToxic family. Unlike TgToxic, ToxicPanda lacks advanced obfuscation and an Automatic Transfer System (ATS), relying instead on Android’s Accessibility Service to perform On-Device Fraud (ODF) by simulating legitimate user interactions. This allows it to take over accounts (ATO) on banking apps, bypassing anti-fraud measures and intercepting One-Time Passwords (OTPs) via SMS and authenticator apps.
The malware’s Command and Control (C2) infrastructure includes three hard-coded domains accessed via HTTPS with AES ECB encryption, establishing a persistent WebSocket session for real-time device control. ToxicPanda’s command set includes 61 commands inherited from TgToxic and 33 unique commands, some of which are unimplemented, suggesting early-stage development. Key commands allow for screen capture, privilege escalation, and blocking access to security apps on specific Android devices (e.g., Samsung, Xiaomi).
Access to ToxicPanda’s C2 panel revealed its botnet management capabilities, tracking over 1500 infected devices primarily in Italy and Portugal. Operators control infected devices in real-time, issuing commands for fraud operations, while the malware collects sensitive data like screenshots for further exploitation. Despite its straightforward design, ToxicPanda’s use of Accessibility Service abuse and device control positions it as a serious threat to financial institutions, leveraging scalable, device-level attacks for high-impact fraud.
