The PolySwarm Blog


ToxicPanda Android Banking Trojan

Nov 12, 2024 12:41:07 PM / by The Hivemind

Related Families: TgToxic
Verticals Targeted: Financial

Executive Summary

ToxicPanda is an Android banking trojan that was first seen in the wild in October 2024. It allows threat actors to steal a victim’s money via account takeover (ATO) using On-Device Fraud (ODF). 

Key Takeaways

  • ToxicPanda is an Android banking trojan that was first seen in the wild in October 2024.
  • ToxicPanda steals a victim’s money via account takeover (ATO) using On-Device Fraud (ODF).
  • ToxicPanda was observed targeting Android users of at least 16 banking institutions in Italy, Spain, Portugal, and Latin America.
  • PolySwarm analysts consider ToxicPanda to be an emerging threat.

What is ToxicPanda?

ToxicPanda is an Android banking trojan that was first seen in the wild in October 2024. It has been observed targeting Android users of at least 16 banking institutions in Italy, Spain, Portugal, and Latin America, and it steals a victim’s money via account takeover (ATO) using On-Device Fraud (ODF). The family was first reported by Cleafy.

ToxicPanda is used by threat actors to steal a victim’s money, relying on ODF to carry out the account takeover. It is capable of bypassing a financial institution's security measures, such as user identity verification and behavioral detection techniques. ToxicPanda has been successful in targeting users of 16 financial institutions and has so far infected over 1500 devices, primarily in Europe and Latin America. Its infection vector is sideloading via social engineering. Cleafy considers ToxicPanda a modern mobile malware RAT due to its ATO and manual ODF capabilities; other Android malware in this category includes Medusa, Copybara, and BingoMod.

ToxicPanda implements over 61 commands that overlap with the TgToxic banking trojan, as well as 33 new commands. Its key capabilities include accessibility service abuse, remote control of the victim’s device, interception of one-time passwords (OTPs) from SMS and authenticator apps, and obfuscation techniques that hinder analysis. ToxicPanda is also capable of accessing photo albums, converting the images to Base64, and exfiltrating them to the C2. It uses one of three hardcoded domains for C2 and encrypts C2 communication with AES in ECB mode.

According to Cleafy, ToxicPanda still appears to be in the early stages of development. For this reason, PolySwarm analysts consider ToxicPanda to be an emerging threat. Cleafy researchers noted that ToxicPanda appears to be associated with the TgToxic banking trojan, which was previously observed targeting Android users in Southeast Asia. ToxicPanda was originally mistaken for TgToxic until further analysis revealed a considerable divergence between the source code of the two families. The threat actors behind both TgToxic and ToxicPanda are thought to be the same group and are likely Chinese speakers.

IOCs

PolySwarm has multiple samples of ToxicPanda.


You can use the following CLI command to search for all ToxicPanda samples in our portal:

$ polyswarm link list -f ToxicPanda


Topics: Threat Bulletin, Android, Mobile, Banker, Banking Trojan, ToxicPanda, TgToxic
