Toxicpanda

Malware updated a month ago (2024-11-29T14:53:34.436Z)
Download STIX
Preview STIX
ToxicPanda, a new strain of malware primarily targeting retail banking on Android devices, was identified in late October 2024. Initially suspected to be part of the TgToxic family due to similar bot commands, an in-depth analysis by Cleafy’s Threat Intelligence team revealed significant code differences, leading to its reclassification as a distinct threat. Unlike TgToxic, ToxicPanda lacks certain advanced features such as the Automatic Transfer System (ATS), indicating a reduction in technical sophistication. However, this malware has enabled cybercriminals to control infected devices remotely, intercept one-time passwords, and bypass two-factor authentication measures, exploiting Android’s accessibility services to gain elevated permissions. The Chinese-speaking threat actors behind ToxicPanda deploy the malware to take over targeted devices and initiate scam money transfers, circumventing banks' identity and authentication protections. The malware has been found on at least 1,500 individual devices across Italy, Portugal, Spain, and Latin America, actively trying to steal money from at least 16 different financial institutions. Italy is the main target, with 56.8% of infections. ToxicPanda uses three hard-coded domains—dksu[.]top, mixcom[.]one, and freebasic[.]cn—to connect with its Command and Control server. Despite its relative technical simplicity, contemporary antivirus solutions have struggled to detect ToxicPanda, raising questions about the effectiveness of current defense strategies against such threats. The report concludes that the lack of proactive, real-time detection systems is a primary issue. Furthermore, it appears that the same threat actors or closely affiliated groups could be behind both ToxicPanda and TgToxic, given the overlap in command names used in both malwares. Notably, ToxicPanda can also access phone albums, convert images to BASE64, and transmit them back to the Command and Control server.
Description last updated: 2024-11-08T00:05:55.532Z
What's your take? (Question 1 of 5)
Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.
Aliases We are not currently tracking any aliases
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Malware
Bot
Antivirus
Banking
Android
Trojan
Analyst Notes & Discussion
Be the first to leave your mark here! Log in to share your views and vote.
Source Document References
Information about the Toxicpanda Malware was read from the documents corpus below. This display is limited to 20 results, create a free account to see more