ToxicPanda Android Banking Malware Compromises Over 4,500 Devices to Harvest Banking Credentials

The ToxicPanda Android banking trojan has emerged as a significant threat, compromising over 4,500 devices, primarily in Portugal and Spain, as of early 2025. It focuses on stealing banking credentials, capturing PIN and pattern lock codes through overlays, and enabling unauthorized transactions.

Initially identified by Trend Micro in 2022, when it targeted Southeast Asia, the malware shifted to Europe in 2024, infecting around 1,500 devices, mainly in Italy, Portugal, Hong Kong, Spain, and Peru, as reported by Cleafy researchers.

Geographic Expansion and Infection Surge in Europe

By 2025, TRACE observations indicate a deliberate pivot to the Iberian Peninsula: Portugal accounts for approximately 3,000 infections and Spain for 1,000, together representing over 85% of global cases. Smaller numbers are seen in Greece, Morocco, and Peru.

The malware predominantly affects budget-friendly models from Samsung (A and S series, including the older S8 and S9 and the newer S23), Xiaomi (Redmi), and Oppo (A series), demonstrating broad compatibility across device tiers.

According to the report, this surge aligns with a broader 196% increase in Android banking trojan attacks in 2024, totaling over 1.24 million incidents according to Kaspersky. It underscores the escalating sophistication of mobile financial threats, which prioritize targeted, high-impact infections over mass-scale botnets such as proxy or DDoS networks.

Technical Enhancements

ToxicPanda is delivered through the TAG-124 multi-layered Traffic Distribution System (TDS), which hosts malicious APKs such as “dropper.apk” and “no_dropper.apk” on compromised domains and open directories, including pages that mimic Google Chrome updates or use reCAPTCHA-themed lures.

[Image: malicious files]

The malware requests 58 permissions in its AndroidManifest.xml, including sensitive ones such as READ_SMS, RECEIVE_SMS, and BIND_NOTIFICATION_LISTENER_SERVICE for intercepting OTPs, SYSTEM_ALERT_WINDOW for phishing overlays, and BIND_ACCESSIBILITY_SERVICE for full device control, which enables keylogging, automated navigation, and UI hijacking.
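A defender-side triage of the permission pattern just described, added here as example code (not from the report or the malware): it parses a decoded AndroidManifest.xml with Go's encoding/xml and reports which of the five permissions above are present. The manifest text, the package name com.example.lookalike and the service name are constructed for the example.

```go
package main

import "encoding/xml"

// Minimal view of a decoded (text) AndroidManifest.xml (APKs store binary AXML; decode
// with apktool or aapt first, an assumption here). "name,attr" matches the local name android:name.
type manifest struct {
	Perms    []struct{ Name string `xml:"name,attr"` }       `xml:"uses-permission"`
	Services []struct{ Perm string `xml:"permission,attr"` } `xml:"application>service"`
}

// The permissions the report singles out: three OTP channels, then the overlay
// and accessibility rights that turn them into credential theft.
var riskyPerms = []string{
	"android.permission.READ_SMS",
	"android.permission.RECEIVE_SMS",
	"android.permission.BIND_NOTIFICATION_LISTENER_SERVICE",
	"android.permission.SYSTEM_ALERT_WINDOW",
	"android.permission.BIND_ACCESSIBILITY_SERVICE",
}

// Triage returns the <uses-permission> count and the risky permissions present;
// BIND_* rights usually sit as android:permission on a <service>, so those are scanned too.
func Triage(manifestXML string) (count int, risky []string, err error) {
	var m manifest
	if err = xml.Unmarshal([]byte(manifestXML), &m); err != nil {
		return 0, nil, err
	}
	seen := map[string]bool{}
	for _, p := range m.Perms {
		seen[p.Name] = true
	}
	for _, s := range m.Services {
		seen[s.Perm] = true
	}
	for _, name := range riskyPerms {
		if seen[name] {
			risky = append(risky, name)
		}
	}
	return len(m.Perms), risky, nil
}

// Constructed sample, not the real ToxicPanda manifest: a Chrome lookalike that
// asks for SMS, overlay and accessibility rights, as the report describes.
const sampleManifest = `<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.lookalike">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <application><service android:name=".A11y" android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/></application>
</manifest>`
```

Run it against an apktool-decoded manifest; a high permission count combined with the overlay and accessibility flags is the profile the report describes.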

Upon installation, it masquerades as a fake Google Chrome app and baits users into enabling accessibility services. It abuses these to overlay fake login screens on 39 banking apps, driven by JSON payloads from the C2 server, and captures credentials through WebView modifications and abuse of the TYPE_ACCESSIBILITY_OVERLAY window type.

Anti-emulation checks, covering CPU info, emulator file paths, Bluetooth, the ambient light sensor, and telephony dials, prevent detonation in sandboxes such as Joe Sandbox, VirusTotal, and Triage.

The malware employs a Domain Generation Algorithm (DGA) that produces a new second-level domain each month and appends TLDs (e.g., .com, .net) for resilient C2 communication. If that fails, it falls back to encrypted “dom.txt” files protected with DES/CBC/PKCS5Padding using the key “jp202411” and the IV “jp202411”.

[Image: Android banking malware; some domains are even indexed in Google]

Payloads are encrypted with AES/ECB/PKCS5Padding under the hardcoded key “0623U25KTT3YO8P9”, while new commands such as setDomain, openLayer, and updatePageRule enhance overlay deployment and persistence.
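Both schemes, the DES/CBC dom.txt fallback with key and IV “jp202411” and the AES/ECB payload encryption with “0623U25KTT3YO8P9”, rely on hardcoded key material, so an analyst who recovers a dom.txt file or a payload can decrypt it offline. The Go decryptor below is added here as example code, not code from the report or the malware; its function names are the example's own, and it embeds no captured ciphertext, so feed it blobs you have recovered or constructed yourself.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/des"
	"errors"
)

// Key material exactly as the report states it. Every blob handled here is
// constructed or recovered by the analyst, not embedded from the malware.
const desKeyIV = "jp202411"       // DES/CBC key and IV (8 bytes each)
const aesKey = "0623U25KTT3YO8P9" // AES-128/ECB key (16 bytes)

// decryptPKCS5 runs blk in CBC mode when iv is non-nil, otherwise block by
// block (ECB, which Go's stdlib deliberately omits), then validates padding.
func decryptPKCS5(blk cipher.Block, iv, ct []byte) ([]byte, error) {
	bs := blk.BlockSize()
	if len(ct) == 0 || len(ct)%bs != 0 {
		return nil, errors.New("ciphertext is not a whole number of blocks")
	}
	pt := make([]byte, len(ct))
	if iv != nil {
		cipher.NewCBCDecrypter(blk, iv).CryptBlocks(pt, ct)
	} else {
		for i := 0; i < len(ct); i += bs {
			blk.Decrypt(pt[i:i+bs], ct[i:i+bs])
		}
	}
	n := int(pt[len(pt)-1]) // PKCS5: the last byte gives the pad length
	if n == 0 || n > bs || !bytes.Equal(pt[len(pt)-n:], bytes.Repeat([]byte{byte(n)}, n)) {
		return nil, errors.New("bad PKCS5 padding: wrong key or corrupted blob")
	}
	return pt[:len(pt)-n], nil
}

// DecryptDomTxt reverses DES/CBC/PKCS5Padding with key == IV == "jp202411",
// the scheme the report gives for the dom.txt C2 fallback file.
func DecryptDomTxt(ct []byte) ([]byte, error) {
	blk, _ := des.NewCipher([]byte(desKeyIV)) // 8-byte key, cannot fail
	return decryptPKCS5(blk, []byte(desKeyIV), ct)
}

// DecryptPayload reverses AES/ECB/PKCS5Padding with the hardcoded payload key.
func DecryptPayload(ct []byte) ([]byte, error) {
	blk, _ := aes.NewCipher([]byte(aesKey)) // 16-byte key, cannot fail
	return decryptPKCS5(blk, nil, ct)
}
```

A padding error on a recovered blob is the quickest sign that a newer sample has rotated its keys.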

Persistence mechanisms include broadcast receivers for intents such as PACKAGE_REMOVED, which ensure reactivation via “RestartSensor” broadcasts, and resistance to uninstallation by closing uninstall windows through the accessibility service.

Its network infrastructure ties to Cloudflare IPs and non-DGA domains such as ksicngtw[.]org, and remnants of Mandarin in the code hint at Chinese origins.

Removal requires ADB commands to force-stop and uninstall the package com.example.mysoul.

Ongoing developments, such as expanded command sets and TDS integration, signal active evolution. Users are urged to install apps only from official stores, scrutinize requested permissions, and monitor accessibility grants to mitigate the risk.

Indicators of Compromise (IOCs)

Category                   Indicators
Malicious Package          com.example.mysoul
C2 Servers                 38.54.119.95; busketmonmaster; d7472ad157[.]lol; ksicngtw[.]org
Cloudflare Infrastructure  104.21.52.214; 172.67.204.27
