ToxicPanda: A Financially-Motivated Android Malware Campaign


ToxicPanda is a rapidly evolving Android banking trojan that targets financial apps to steal banking credentials, hijack authenticated sessions and perform unauthorized transactions from the victim's own device. First observed in Southeast Asia, its campaigns expanded across Europe in 2025, with Portugal and Spain the most affected countries. The malware relies on phishing overlays, Accessibility Service abuse, anti-emulation checks and a Domain Generation Algorithm (DGA) for stealth and command-and-control (C2) resilience.

Severity Level: High

Threat Details

  • Threat Family: Variant of the TgToxic Android banking trojan
  • Targeted Platforms: Android (all versions; devices below Android 14 are the most exposed)
  • Primary Objective: Credential harvesting and unauthorized banking transactions
  • Regions Targeted: Southeast Asia and Europe
  • Industries Affected: Financial Services, Fintech, Digital Wallet providers
  • Delivery Vector: Malicious APK files named dropper.apk and no_dropper.apk, distributed via fake update websites or compromised domains
  • Delivery Infrastructure: The TAG-124 Traffic Distribution System (TDS) redirects victims to the malicious hosting pages
  • Deception Methods: Fake Google Chrome update pages, ReCAPTCHA-style gates (ClickFix) and fake Play Store URLs
  • Infrastructure: Domain Generation Algorithm (DGA), Cloudflare-based fallback, WebSocket C2
  • TTPs: Overlay attacks, Accessibility abuse, SMS/OTP interception, persistence hooks
  • Infection Count (2025): ~4,500 devices (about 3,000 in Portugal and 1,000 in Spain)
  • Notable Devices Affected: Samsung Galaxy S8/S9 and S23, Xiaomi Redmi, Oppo A series

Key Threat Characteristics

  • Credential Theft via Overlays: Custom phishing overlays for 39+ banking apps that mimic the legitimate apps' screens and URLs.
  • Abuse of Accessibility Services: Once the user grants the Accessibility permission, the operator gets remote UI manipulation, screen reading and click simulation.
  • C2 Resilience with DGA: Generates one domain per month and tries it with TLDs taken from a fixed, sequentially ordered list (e.g., .com, then .net).
  • Encryption Used:
    • AES/ECB/PKCS5Padding with the hardcoded key 0623U25KTT3YO8P9 (16 bytes, i.e. AES-128; ECB means identical plaintext blocks produce identical ciphertext blocks)
    • DES/CBC/PKCS5Padding for the fallback domain configuration
  • Infection Persistence: Blocks uninstallation through dynamically registered broadcast receivers and an Accessibility lockout.
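The two cipher configurations listed above are what an analyst has to reproduce to decode the strings and the fallback-domain config carried by a sample. The Go program below is an added example written for this advisory, not code from ToxicPanda, Bitsight or Ampcus Cyber. It implements AES/ECB/PKCS5Padding with the reported key and DES/CBC/PKCS5Padding with a placeholder DES key and IV (the page does not give them, so desKey and desIV are assumptions to be replaced with values recovered from a sample); the matching encryptors exist only so that the sample ciphertext is constructed inline and the program runs offline.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/des"
	"encoding/base64"
	"errors"
	"fmt"
)

// AES/ECB/PKCS5Padding with the hardcoded 16-byte (AES-128) key reported above.
var aesKey = []byte("0623U25KTT3YO8P9")

// ASSUMPTION: the page says only that the fallback domain config uses DES/CBC/PKCS5Padding;
// the 8-byte key and IV here are placeholders to replace with values recovered from a sample.
var desKey = []byte("EXAMPLEK")
var desIV = []byte("EXAMPLEV")

// pkcs5Pad appends PKCS#5/#7 padding (always at least one byte).
func pkcs5Pad(b []byte, size int) []byte {
	n := size - len(b)%size
	return append(append([]byte{}, b...), bytes.Repeat([]byte{byte(n)}, n)...)
}

// pkcs5Unpad validates and strips the padding; a wrong key normally fails here.
func pkcs5Unpad(b []byte, size int) ([]byte, error) {
	n := len(b)
	if n == 0 || n%size != 0 {
		return nil, errors.New("length is not a multiple of the block size")
	}
	p := int(b[n-1])
	if p == 0 || p > size || !bytes.Equal(b[n-p:], bytes.Repeat([]byte{byte(p)}, p)) {
		return nil, errors.New("invalid PKCS5 padding")
	}
	return b[:n-p], nil
}

// ecbMode runs the raw block cipher on each block independently. Go ships no ECB mode on
// purpose: equal plaintext blocks give equal ciphertext blocks, visible in any config blob.
type ecbMode struct {
	b       cipher.Block
	decrypt bool
}

func (m ecbMode) BlockSize() int { return m.b.BlockSize() }
func (m ecbMode) CryptBlocks(dst, src []byte) {
	bs := m.b.BlockSize()
	for i := 0; i+bs <= len(src); i += bs {
		if m.decrypt {
			m.b.Decrypt(dst[i:i+bs], src[i:i+bs])
		} else {
			m.b.Encrypt(dst[i:i+bs], src[i:i+bs])
		}
	}
}

// decodeWith base64-decodes, applies the block mode and strips the padding.
func decodeWith(mode cipher.BlockMode, b64 string) (string, error) {
	ct, err := base64.StdEncoding.DecodeString(b64)
	if err != nil {
		return "", err
	}
	if len(ct) == 0 || len(ct)%mode.BlockSize() != 0 {
		return "", errors.New("ciphertext length is not a multiple of the block size")
	}
	pt := make([]byte, len(ct))
	mode.CryptBlocks(pt, ct)
	out, err := pkcs5Unpad(pt, mode.BlockSize())
	if err != nil {
		return "", err
	}
	return string(out), nil
}

// encodeWith is the inverse; it exists only to construct sample ciphertext for the demo.
func encodeWith(mode cipher.BlockMode, plain string) string {
	padded := pkcs5Pad([]byte(plain), mode.BlockSize())
	ct := make([]byte, len(padded))
	mode.CryptBlocks(ct, padded)
	return base64.StdEncoding.EncodeToString(ct)
}

func aesBlock() cipher.Block { b, _ := aes.NewCipher(aesKey); return b } // fixed 16-byte key
func desBlock() cipher.Block { b, _ := des.NewCipher(desKey); return b } // fixed 8-byte key

func DecryptAESECB(b64 string) (string, error) { return decodeWith(ecbMode{aesBlock(), true}, b64) }
func EncryptAESECB(plain string) string       { return encodeWith(ecbMode{aesBlock(), false}, plain) }
func DecryptDESCBC(b64 string) (string, error) { return decodeWith(cipher.NewCBCDecrypter(desBlock(), desIV), b64) }
func EncryptDESCBC(plain string) string       { return encodeWith(cipher.NewCBCEncrypter(desBlock(), desIV), plain) }

func main() {
	// Constructed sample strings, not artefacts recovered from a ToxicPanda sample.
	cfg, err := DecryptAESECB(EncryptAESECB(`{"ws":"wss://c2.example.invalid/ws"}`))
	fmt.Println(cfg, err)
	fb, err := DecryptDESCBC(EncryptDESCBC("fallback.example.invalid"))
	fmt.Println(fb, err)
}
```

The padding check is deliberately strict: when a sample turns out to use a different key, decryption of a real blob will almost always fail at pkcs5Unpad rather than return silent garbage. Because ECB has no IV, any repeated 16-byte plaintext block (padding, repeated JSON keys) shows up as a repeated ciphertext block, which is a quick way to confirm the mode before keys are recovered.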

Recommendations

  1. Use MDM/UEM controls to block sideloading (installation from unknown sources) and the installation of unauthorized APKs.
  2. Disable or restrict Accessibility Services unless explicitly needed. Inventory third-party apps that declare an AccessibilityService (the component protected by BIND_ACCESSIBILITY_SERVICE) and alert when one is enabled on a managed device.
  3. Flag apps requesting dangerous permissions: READ_SMS, SYSTEM_ALERT_WINDOW (draw over other apps, the permission behind overlays), QUERY_ALL_PACKAGES and CALL_PHONE.
  4. Banking apps running on Android 14+ should mark credential fields with android:accessibilityDataSensitive="accessibilityDataSensitiveYes" (View.ACCESSIBILITY_DATA_SENSITIVE_YES). Such views are hidden from accessibility services that do not declare themselves as accessibility tools, which blunts the screen reading and click simulation used to harvest credentials; it does not by itself stop an overlay drawn on top of the app.
  5. Train users to recognize phishing overlays, fake Chrome update pages and Play Store lookalikes.
  6. Instruct users to be cautious when an app requests the Accessibility permission for no reason related to its functionality.
  7. If a device is infected, the malware blocks standard uninstallation. Remove it over ADB (adb uninstall <package>, which needs USB debugging enabled) or boot the device into safe mode, which disables third-party apps and their accessibility services, and uninstall it from Settings.
  8. Block the IOCs published in the VirusTotal collection at the respective controls: https://www.virustotal.com/gui/collection/1c04ebbc88587225873a43ec30a2ba1c1cd1b9ad4b7697fa65bcb93cc83d09cc/iocs
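The DGA described under Key Threat Characteristics produces one label per month and then walks a fixed list of TLDs, which leaves a distinctive footprint in DNS logs: one client resolving the same second-level label under several TLDs within a short window. The Go program below is an added detection example written for this advisory, not tooling from the source report; it runs over a constructed DNS query log (the lines, client addresses and labels are invented) and flags that pattern, with an allow list for labels that legitimately resolve under many TLDs. The log format, the one-minute window and the threshold of three TLDs are assumptions to tune to your own resolver logs.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
	"time"
)

// Constructed DNS query log (not a real capture): "<RFC3339 time> <client IP> <queried name>".
const sampleLog = `2025-06-01T10:00:01Z 10.0.0.5 qz7k3vb2.com
2025-06-01T10:00:04Z 10.0.0.5 qz7k3vb2.net
2025-06-01T10:00:07Z 10.0.0.5 qz7k3vb2.org
2025-06-01T10:00:10Z 10.0.0.5 www.qz7k3vb2.info.
2025-06-01T10:00:12Z 10.0.0.7 example.com
2025-06-01T12:30:00Z 10.0.0.7 example.net
2025-06-01T10:01:00Z 10.0.0.9 brand.com
2025-06-01T10:01:02Z 10.0.0.9 brand.net
2025-06-01T10:01:03Z 10.0.0.9 brand.org
2025-06-01T10:02:00Z 10.0.0.9 this line is malformed`

type query struct {
	ts  time.Time
	tld string
}

// Hit is one client cycling the same label through several TLDs inside the window.
type Hit struct {
	Client, Label string
	TLDs          []string
}

// splitName returns the registrable label and TLD of a query name, ignoring
// subdomains and a trailing dot. ASSUMPTION: single-label public suffixes only;
// co.uk-style suffixes would need a public-suffix list.
func splitName(qname string) (label, tld string, ok bool) {
	parts := strings.Split(strings.TrimSuffix(strings.ToLower(qname), "."), ".")
	if len(parts) < 2 || parts[len(parts)-2] == "" || parts[len(parts)-1] == "" {
		return "", "", false
	}
	return parts[len(parts)-2], parts[len(parts)-1], true
}

// DetectTLDWalk flags (client, label) pairs that query at least minTLDs distinct
// TLDs for one label within any window of the given length. allow lists labels
// (for example your own brand) that legitimately resolve under many TLDs.
func DetectTLDWalk(lines []string, window time.Duration, minTLDs int, allow []string) []Hit {
	allowed := map[string]bool{}
	for _, a := range allow {
		allowed[strings.ToLower(a)] = true
	}
	groups := map[[2]string][]query{}
	for _, line := range lines {
		f := strings.Fields(line)
		if len(f) != 3 {
			continue // malformed line: skip it rather than crash the detector
		}
		ts, err := time.Parse(time.RFC3339, f[0])
		if err != nil {
			continue
		}
		label, tld, ok := splitName(f[2])
		if !ok || allowed[label] {
			continue
		}
		key := [2]string{f[1], label}
		groups[key] = append(groups[key], query{ts, tld})
	}
	var hits []Hit
	for key, qs := range groups {
		sort.Slice(qs, func(i, j int) bool { return qs[i].ts.Before(qs[j].ts) })
		for i := range qs {
			seen := map[string]bool{}
			for j := i; j < len(qs) && qs[j].ts.Sub(qs[i].ts) <= window; j++ {
				seen[qs[j].tld] = true
			}
			if len(seen) < minTLDs {
				continue
			}
			h := Hit{Client: key[0], Label: key[1]}
			for tld := range seen {
				h.TLDs = append(h.TLDs, tld)
			}
			sort.Strings(h.TLDs)
			hits = append(hits, h)
			break // one hit per client/label pair is enough for an alert
		}
	}
	sort.Slice(hits, func(i, j int) bool { return hits[i].Client < hits[j].Client })
	return hits
}

func main() {
	for _, h := range DetectTLDWalk(strings.Split(sampleLog, "\n"), time.Minute, 3, []string{"brand"}) {
		fmt.Printf("%s walked %s through %v\n", h.Client, h.Label, h.TLDs)
	}
}
```

In the constructed log only 10.0.0.5 is reported: 10.0.0.7 resolves example.com and example.net hours apart, and the brand label on 10.0.0.9 is allow-listed. Companies that own their name under many TLDs are the main false-positive source, so the allow list (or a reputation lookup on the label) matters more than the threshold; a hit on a random-looking label that NXDOMAINs under most TLDs is the case worth escalating.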

Source:

  • https://www.bitsight.com/blog/toxicpanda-android-banking-malware-2025-study

    Ampcus Cyber