Keypoints
- New Android banking trojan family tracked as ToxicPanda, initially linked to TgToxic.
- Primary objective is Account Takeover (ATO) through On-Device Fraud (ODF) against retail banking customers.
- Over 1,500 infected Android devices identified, with Italy accounting for the largest share.
- Malware leverages Accessibility Service abuse, remote control, and OTP interception to bypass 2FA and anti-fraud controls.
- Operators appear to be Chinese-speaking, indicating an unusual shift toward Europe and LATAM targets.
- Command-and-control relies on three hard-coded domains (dksu[.]top, mixcom[.]one, freebasic[.]cn) and WebSocket communications.
- Code indicates early-stage development: many commands are present but not implemented, and debugging/dead code is visible.
MITRE Techniques
- [T1071] Command and Control – Used to maintain communication with compromised devices via hard-coded C2 domains and WebSocket; (‘Utilizes multiple command and control domains to maintain communication with compromised systems.’)
- [T1087] Account Takeover – Employed to exploit user credentials and perform fraudulent transactions from infected devices; (‘Exploits user credentials to gain unauthorized access to banking accounts.’)
- [T1219] Remote Access Software – Provides remote control of infected Android devices to execute On-Device Fraud and real-time actions; (‘Enables remote control of infected devices for malicious activities.’)
- [T1041] Exfiltration Over C2 Channel – Sensitive data (images, credentials, SMS/OTP) are collected and sent back to the C2 server; (‘Collects sensitive information, such as images and credentials, from infected devices.’)
Indicators of Compromise
- [File hashes] ToxicPanda APK samples – 2f5c4325f77280b2b58be981f9051f04, 6e0a7e94ce0a1fe70d43fe727dc41061, and 3 more hashes.
- [C2 domains] Command-and-control endpoints – dksu[.]top, mixcom[.]one, and 1 more domain (freebasic[.]cn).
- [Distribution/landing domains] Malicious landing or decoy pages used for distribution – fgta[.]lol (99 Spedmart), dpds[.]lol (Chrome), and other campaign domains (see full list in report).
- [Network/DNS] Hard-coded DNS service in config – 114.114.114.114 (114DNS) used in config.toml as a network artifact.
- [Encryption key] Hard-coded AES key found in samples – 0623U2SKT3YY3QB9P (used for network payload encryption).
————
Cleafy’s researchers identified ToxicPanda in October 2024 as a new Android banking trojan that borrows structural elements from TgToxic but diverges enough to be tracked separately. The campaign focuses on On-Device Fraud (ODF), combining Accessibility Service abuse and remote-control capabilities to intercept OTPs and perform fraudulent transfers directly from victims’ devices. Despite limited implementation of many commands, the operators have built a functioning botnet with WebSocket-based C2 communication and static domains that allow remote reconfiguration.
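As an added example (not code from Cleafy or the report), the following Python runs two defender-side checks over DNS query logs: whether a device resolves any of the three hard-coded C2 domains listed above (including subdomains), and whether it talks directly to the 114.114.114.114 resolver that the sample's config.toml hard-codes. The log format, client addresses and timestamps are constructed for illustration.

```python
import re
from typing import Dict, List, Optional
# Network indicators from the report summary above, kept defanged as written there.
C2_DOMAINS = ["dksu[.]top", "mixcom[.]one", "freebasic[.]cn"]
HARDCODED_RESOLVER = "114.114.114.114"  # 114DNS, hard-coded in the sample's config.toml

def refang(indicator: str) -> str:
    """Restore a defanged indicator (dksu[.]top -> dksu.top) so it can be matched."""
    return indicator.replace("[.]", ".").lower().rstrip(".")

C2_SET = {refang(d) for d in C2_DOMAINS}

def domain_matches(qname: str) -> Optional[str]:
    """Return the C2 domain that qname equals or is a subdomain of, else None."""
    q = qname.lower().rstrip(".")
    for d in C2_SET:
        if q == d or q.endswith("." + d):  # leading dot: 'notmixcom.one' must not match
            return d
    return None

# Constructed DNS query log format: "<timestamp> <client_ip> <resolver_ip> <qname>"
LOG_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")

def detect(lines: List[str]) -> List[Dict[str, str]]:
    """Run both indicator rules over DNS query log lines and return the alerts."""
    alerts = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # malformed line; a real pipeline would count these
        ts, client, resolver, qname = m.groups()
        hit = domain_matches(qname)
        if hit:
            alerts.append({"ts": ts, "client": client,
                           "rule": "toxicpanda_c2_domain", "indicator": hit})
        # Direct use of the hard-coded public resolver bypasses the organisation's DNS.
        if resolver == HARDCODED_RESOLVER:
            alerts.append({"ts": ts, "client": client,
                           "rule": "toxicpanda_hardcoded_resolver", "indicator": resolver})
    return alerts

# Constructed sample log: the private IPs and timestamps are invented for illustration.
SAMPLE_DNS_LOG = """\
2024-10-21T09:14:02Z 10.20.0.15 10.20.0.2 api.example.com
2024-10-21T09:14:07Z 10.20.0.15 114.114.114.114 ws.dksu.top
2024-10-21T09:15:11Z 10.20.0.31 10.20.0.2 mixcom.one.
2024-10-21T09:16:40Z 10.20.0.44 10.20.0.2 notmixcom.one
2024-10-21T09:17:03Z 10.20.0.44 114.114.114.114 www.example.org
"""
```

Running `detect(SAMPLE_DNS_LOG.splitlines())` yields four alerts: two for the C2 domains (one via a subdomain, one with a trailing-dot FQDN) and two for the hard-coded resolver, while the look-alike `notmixcom.one` is correctly ignored.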
Telemetry from the C2 panel revealed more than 1,500 infected devices across Europe and LATAM, with Italy representing the primary hotspot. The samples include debugging artifacts, language configuration files, and a hard-coded AES key, all suggesting an early development stage or ongoing refactoring. Operators appear to be Chinese-speaking, an uncommon origin for campaigns targeting European banks, which hints at a possible expansion of their operational scope.
Operationally, ToxicPanda’s simplicity is balanced by practical features: persistent remote access, image and SMS collection, and a machine-management dashboard that lets operators view device metadata and geolocation and initiate ODF sessions. While the malware isn’t highly sophisticated, its manual fraud workflow and deployment against retail banking users make it an effective threat, and one whose monitoring and mitigation financial institutions and mobile defenders should prioritize.
————
Read more: https://www.cleafy.com/cleafy-labs/toxicpanda-a-new-banking-trojan-from-asia-hit-europe-and-latam