ToxicPanda, a new strain of malware primarily targeting retail banking on Android devices, was identified in late October 2024. It was initially suspected to be part of the TgToxic family because of similar bot commands, but an in-depth analysis by Cleafy’s Threat Intelligence team revealed significant code differences, leading to its reclassification as a distinct threat. Unlike TgToxic, ToxicPanda lacks certain advanced features such as the Automatic Transfer System (ATS), indicating a reduction in technical sophistication. Nevertheless, the malware lets cybercriminals control infected devices remotely, intercept one-time passwords, and bypass two-factor authentication measures, abusing Android’s accessibility services to gain elevated permissions.
The Chinese-speaking threat actors behind ToxicPanda deploy the malware to take over targeted devices and initiate scam money transfers, circumventing banks' identity and authentication protections. The malware has been found on at least 1,500 individual devices across Italy, Portugal, Spain, and Latin America, actively trying to steal money from at least 16 different financial institutions. Italy is the main target, with 56.8% of infections. ToxicPanda uses three hard-coded domains—dksu[.]top, mixcom[.]one, and freebasic[.]cn—to connect with its Command and Control server.
Despite the malware's relative technical simplicity, contemporary antivirus solutions have struggled to detect ToxicPanda, raising questions about the effectiveness of current defense strategies against such threats. The report concludes that the lack of proactive, real-time detection systems is a primary issue. Furthermore, the same threat actors or closely affiliated groups could be behind both ToxicPanda and TgToxic, given the overlap in command names used by the two malware families. Notably, ToxicPanda can also access the device's photo albums, convert images to BASE64, and transmit them back to the Command and Control server.
Description last updated: 2024-11-08T00:05:55.532Z