# ToxicPanda
ToxicPanda is a banking trojan that emerged in late 2024, representing the geographic expansion of Chinese-speaking threat actors from Southeast Asian targets into European and Latin American financial institutions. Cleafy first identified the family in October 2024, initially associating it with TgToxic before determining it was a distinct, stripped-down variant with its own command set. Despite being in early development, the botnet grew rapidly to over 1,500 infected devices, with Italy accounting for more than half of all infections.
## Overview
| Attribute | Details |
|---|---|
| First Seen | October 2024 |
| Last Seen | Active (ongoing campaigns) |
| Status | Active, in early development, rapidly expanding |
| Type | Banking trojan |
| Attribution | Chinese-speaking threat actor(s), likely connected to TgToxic operators |
| Aliases | TgToxic variant |
| Predecessor | TgToxic (originally targeting Southeast Asia) |
## Vendor Names
| Vendor | Name |
|---|---|
| Cleafy | ToxicPanda |
| ThreatFabric | ToxicPanda |
| Trend Micro | TgToxic / AndroidOS_TgToxic |
| Intel 471 | TgToxic |
| ESET | Android/Spy.Banker.TgToxic |
| Kaspersky | HEUR:Trojan-Banker.AndroidOS.TgToxic |
| BitSight | ToxicPanda |
## Origin and Lineage
ToxicPanda descends from TgToxic, an Android banking trojan that Trend Micro first documented in February 2023. TgToxic originally targeted users in Taiwan, Thailand, and Indonesia, focusing on cryptocurrency wallets and regional banking apps. Its distinguishing characteristic was abuse of Easyclick, a legitimate test-automation framework, to script UI interactions for automated fraud.
Cleafy's analysis determined that ToxicPanda shares 61 commands with TgToxic, confirming the same threat actor or close affiliates are behind both families. ToxicPanda is a stripped-down version of its predecessor: it removes TgToxic's Automatic Transfer System (ATS), Easyclick framework integration, and obfuscation routines, while introducing 33 new commands of its own. This simplification suggests the actors rebuilt the trojan for a new target region, prioritizing manual On-Device Fraud over TgToxic's automation.
Intel 471 later tracked continued evolution of the TgToxic family in parallel, with updates adding domain generation algorithms (DGA) and dead drop resolvers using community forum profiles for C2 resilience.
## Distribution
ToxicPanda's distribution methods target individual banking customers through standard social engineering.
| Vector | Details |
|---|---|
| Fake app pages | Phishing sites mimicking Google Play or official bank app download pages |
| Sideloading lures | Social engineering to convince victims to install APKs outside official stores |
| Third-party app stores | APKs uploaded to unofficial Android markets |
Cleafy noted that the distribution infrastructure appears less mature than established European MaaS operations, consistent with a threat actor expanding into an unfamiliar geographic region.
## Capabilities
ToxicPanda focuses on manual On-Device Fraud (ODF) via accessibility, giving operators direct control of the victim device for real-time transaction manipulation.
| Capability | Implementation |
|---|---|
| On-Device Fraud (ODF) | Remote account takeover directly on the infected device via accessibility service |
| OTP interception | Intercepts one-time passwords from SMS and authenticator apps, bypassing 2FA |
| Overlay attacks | Credential phishing via overlay injection over target banking apps |
| Remote control | Manual device interaction through accessibility for navigating banking apps |
| SMS interception | Read and forward SMS messages for OTP capture |
| App listing | Enumerate installed applications to identify targets |
| Device info collection | Exfiltrate device fingerprint, SIM info, installed apps |
| Screenshot capture | Capture device screen state during fraud operations |
## Comparison to TgToxic
| Feature | TgToxic | ToxicPanda |
|---|---|---|
| ATS (Automated Transfer System) | Present | Removed |
| Easyclick automation | Present | Removed |
| Obfuscation routines | Present | Removed |
| Manual ODF | Limited | Primary fraud method |
| Shared commands | 61 | 61 |
| New commands | N/A | 33 |
| Target region | Southeast Asia | Europe, Latin America |
The removal of ATS and automation in favor of manual ODF indicates the operators are adapting to European banking security controls, which more aggressively detect automated transaction patterns. Manual fraud via remote access is harder for anti-fraud systems to distinguish from legitimate user behavior.
## Technical Details
### Accessibility Abuse
ToxicPanda's On-Device Fraud relies entirely on Android's accessibility service:
- Victim grants accessibility permission after social engineering
- Malware auto-grants additional permissions (SMS, phone)
- Operators connect to the device for interactive sessions
- Accessibility actions navigate banking apps, initiate transfers, and approve transactions
- OTP codes intercepted from SMS or captured from notification bar
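The permission pattern in the list above (an accessibility service as the entry point, then SMS and phone access for OTP capture and overlay windows for credential theft) is visible statically in an APK's decoded manifest. The following triage script is an added example for defenders and is not code from Cleafy or from the malware; both manifests embedded in it are constructed, and the package names, service name, and risk thresholds are assumptions chosen for illustration.

```python
"""
Static triage of a decoded AndroidManifest.xml (as produced by apktool) for the
accessibility + SMS/overlay permission combination used for On-Device Fraud.
Added example; the two manifests below are constructed, not real samples.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME = f"{{{ANDROID_NS}}}name"
PERMISSION = f"{{{ANDROID_NS}}}permission"

# Permission groups that, together, match the ODF/OTP-interception pattern.
ACCESSIBILITY_BIND = "android.permission.BIND_ACCESSIBILITY_SERVICE"
SMS_PERMISSIONS = {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS"}
PHONE_PERMISSIONS = {"android.permission.READ_PHONE_STATE", "android.permission.READ_PHONE_NUMBERS"}
OVERLAY_PERMISSION = "android.permission.SYSTEM_ALERT_WINDOW"
PACKAGE_QUERY = "android.permission.QUERY_ALL_PACKAGES"


def triage_manifest(manifest_xml: str) -> dict:
    """Return package name, a coarse risk level, and the findings behind it."""
    root = ET.fromstring(manifest_xml)
    requested = {e.get(NAME) for e in root.iter("uses-permission")}
    # An accessibility service is any <service> protected by BIND_ACCESSIBILITY_SERVICE.
    accessibility_services = [
        s.get(NAME) for s in root.iter("service") if s.get(PERMISSION) == ACCESSIBILITY_BIND
    ]

    findings = []
    if accessibility_services:
        findings.append("accessibility service: " + ", ".join(accessibility_services))
    if requested & SMS_PERMISSIONS:
        findings.append("SMS read/receive (OTP interception risk)")
    if requested & PHONE_PERMISSIONS:
        findings.append("phone state (device/SIM fingerprinting)")
    if OVERLAY_PERMISSION in requested:
        findings.append("overlay windows (credential overlay risk)")
    if PACKAGE_QUERY in requested:
        findings.append("queries all packages (target app enumeration)")

    # Accessibility alone is normal for assistive apps; combined with SMS access
    # or overlay windows it matches the fraud pattern described on this page.
    # The thresholds are an assumption for this example, not a vendor rule.
    if accessibility_services and (requested & SMS_PERMISSIONS or OVERLAY_PERMISSION in requested):
        risk = "high"
    elif accessibility_services or requested & SMS_PERMISSIONS:
        risk = "medium"
    else:
        risk = "low"
    return {"package": root.get("package"), "risk": risk, "findings": findings}


# Constructed manifest resembling a sideloaded "bank app" dropper.
SUSPICIOUS_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.fakebank">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.QUERY_ALL_PACKAGES"/>
  <application>
    <service android:name=".AccService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
  </application>
</manifest>
"""

# Constructed manifest for an ordinary app, for contrast.
BENIGN_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.notes">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application/>
</manifest>
"""

if __name__ == "__main__":
    for manifest in (SUSPICIOUS_MANIFEST, BENIGN_MANIFEST):
        print(triage_manifest(manifest))
```

The check is deliberately coarse: it ranks manifests for analyst attention rather than labelling them malicious, since legitimate accessibility and SMS apps exist. Runtime behaviour such as self-granting permissions through accessibility actions is not visible in the manifest and needs dynamic analysis.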
### C2 Communication
ToxicPanda uses HTTP-based communication with its C2 infrastructure:
- Bot registers with device fingerprint on infection
- Retrieves target app list and configuration
- Operators issue commands for interactive fraud sessions
- Stolen credentials and OTPs exfiltrated to C2
### TgToxic C2 Evolution (Parallel Development)
While ToxicPanda uses relatively straightforward C2, the parent TgToxic family has evolved its infrastructure significantly. Intel 471 documented three phases:
| Phase | Technique | Details |
|---|---|---|
| Phase 1 | Hardcoded domains | C2 addresses embedded in malware configuration |
| Phase 2 | Dead drop resolvers | Encrypted C2 addresses hidden in Atlassian community forum user profiles; malware selects a forum URL from configuration, retrieves the profile, and decrypts the C2 address |
| Phase 3 | DGA | Domain generation algorithm creates dynamic C2 domains, discovered in December 2024 samples |
The dead drop resolver technique extends sample lifespan: as long as the forum profile remains active, the C2 can be rotated without updating the malware. The DGA further increases resilience by generating multiple candidate domains that can be registered on demand.
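The DGA phase described above has a network-side signature that defenders can use: a bot cycling through generated candidates produces a burst of NXDOMAIN responses for random-looking domains from one client before a registered one resolves. The script below is an added detection example, not code from Intel 471 or from the malware, and it is not tuned to the real TgToxic algorithm, which the page does not describe. The resolver log lines are constructed, and the entropy, length, and burst thresholds are assumptions. It also covers the "Dynamic C2" row of the Anti-Analysis table; note that the dead drop resolver phase is not caught by it, since a fetch of a forum profile page looks like ordinary web traffic.

```python
"""
Heuristic DGA detection over DNS resolver logs: flag a client that receives
several NXDOMAIN answers for high-entropy, vowel-poor or digit-heavy domains.
Added example; thresholds are assumptions and the log lines are constructed.
"""
import math
from collections import Counter, defaultdict

VOWELS = set("aeiou")

# Constructed resolver log, one query per line: "<timestamp> <client> <qname> <rcode>"
SAMPLE_DNS_LOG = """\
2024-12-03T10:15:01Z 10.0.0.12 www.google.com NOERROR
2024-12-03T10:15:02Z 10.0.0.12 xk3q9vz7hlpa.com NXDOMAIN
2024-12-03T10:15:02Z 10.0.0.12 mq8tzr4wvkjd.net NXDOMAIN
2024-12-03T10:15:03Z 10.0.0.12 pvh2ln9qsrxb.com NXDOMAIN
2024-12-03T10:15:03Z 10.0.0.12 bt7wkzq3ndfg.org NXDOMAIN
2024-12-03T10:15:04Z 10.0.0.7 www.google.com NOERROR
2024-12-03T10:15:05Z 10.0.0.7 securebankingportal.com NOERROR
2024-12-03T10:15:06Z 10.0.0.7 community.atlassian.com NOERROR
2024-12-03T10:15:07Z 10.0.0.7 typo-of-a-real-site.com NXDOMAIN
"""


def shannon_entropy(text: str) -> float:
    """Bits of entropy per character of the string."""
    counts = Counter(text)
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registrable_label(qname: str) -> str:
    """Assumption: single-label public suffix, so the registrable label is second from the right."""
    parts = qname.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def is_dga_like(qname: str, min_len: int = 10, min_entropy: float = 3.0) -> bool:
    """Long, high-entropy labels that are vowel-poor or digit-heavy look machine-generated."""
    label = registrable_label(qname)
    if len(label) < min_len:
        return False
    vowel_ratio = sum(ch in VOWELS for ch in label) / len(label)
    digit_ratio = sum(ch.isdigit() for ch in label) / len(label)
    return shannon_entropy(label) >= min_entropy and (vowel_ratio < 0.3 or digit_ratio > 0.2)


def analyse_dns_log(log_text: str, threshold: int = 3) -> dict:
    """Group queries by client and flag clients with a burst of DGA-like NXDOMAINs."""
    per_client = defaultdict(lambda: {"queries": 0, "dga_nxdomain": 0, "samples": []})
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 4:
            continue  # skip malformed lines instead of aborting the whole run
        _ts, client, qname, rcode = fields
        entry = per_client[client]
        entry["queries"] += 1
        if rcode == "NXDOMAIN" and is_dga_like(qname):
            entry["dga_nxdomain"] += 1
            entry["samples"].append(qname)
    for entry in per_client.values():
        entry["flagged"] = entry["dga_nxdomain"] >= threshold
    return dict(per_client)


if __name__ == "__main__":
    for client, entry in analyse_dns_log(SAMPLE_DNS_LOG).items():
        print(client, entry)
```

The benign client's single NXDOMAIN for a typo domain is not flagged because the label is vowel-rich, which is the point of combining entropy with character-class ratios rather than using entropy alone. In production the same counter would run over a sliding time window and feed an alert rather than a print.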
### Anti-Analysis
| Technique | Method |
|---|---|
| Emulator detection | Enhanced hardware and sensor checks in TgToxic variants |
| Minimal obfuscation | ToxicPanda specifically strips obfuscation, suggesting rapid deployment was prioritized over stealth |
| Dynamic C2 | Parent TgToxic uses DGA and dead drop resolvers for infrastructure resilience |
## Target Regions and Financial Institutions
ToxicPanda represents a notable geographic pivot, with Chinese-speaking actors targeting European and Latin American banks for the first time.
| Region | Share of Infections | Details |
|---|---|---|
| Italy | 56.8% | Largest concentration of infected devices, multiple Italian banks targeted |
| Portugal | 18.7% | Second-largest infection base |
| Hong Kong | 4.6% | Possible holdover from original TgToxic targeting |
| Spain | 3.9% | Spanish banking institutions |
| Peru | 3.4% | Latin American expansion |
Cleafy identified 16 targeted banking institutions across these regions. BitSight's 2025 follow-up study showed the botnet continuing to grow, with Portugal and Spain becoming primary targets and the total device count more than doubling.
The Chinese-speaking attribution is unusual for banking fraud operations targeting Europe and Latin America, a space traditionally dominated by Russian-speaking and Eastern European actors. This expansion suggests either a deliberate market entry by the TgToxic operators or a sale/sharing of the codebase with actors operating in these regions.
## Notable Campaigns
July 2022: Trend Micro first documents TgToxic targeting users in Taiwan, Thailand, and Indonesia via fake cryptocurrency and banking apps, using the Easyclick automation framework for credential theft and automated transactions.
October 2024: Cleafy identifies ToxicPanda as an anomalous campaign initially attributed to TgToxic. Analysis reveals significant code differences, and Cleafy begins tracking it as a separate family. Over 1,500 infected devices identified across Italy, Portugal, Spain, Hong Kong, and Peru.
November 2024: ToxicPanda receives broad coverage following Cleafy's publication. Security researchers note the unusual Chinese-speaking attribution for a European-focused banking trojan and the stripped-down nature compared to TgToxic.
December 2024: Intel 471 discovers TgToxic variants incorporating DGA for C2 resilience, representing the third generation of C2 evasion techniques after hardcoded domains and dead drop resolvers.
Early 2025: BitSight TRACE research reports the botnet has more than doubled in size, with Portugal and Spain overtaking Italy as primary infection targets. The geographic distribution continues to shift as the operators expand their European footprint.