
    Emerging Android Banking Threat: ‘ToxicPanda’ Facilitates Stealthy Financial Theft through Fraudulent Transfers

    Over 1,500 Android devices have recently succumbed to an insidious new malware strain known as “ToxicPanda.” This sophisticated banking trojan enables cybercriminals to initiate unauthorized financial transfers directly from compromised devices, effectively bypassing typical security measures.

    ToxicPanda’s primary objective is to commandeer users’ banking sessions through account takeovers (ATO) using a technique dubbed on-device fraud (ODF), as detailed by Cleafy researchers Michele Roviello, Alessandro Strino, and Federico Valentini in a recent assessment. “The malware is designed to circumvent identity verification and behavioral detection protocols banks employ to flag suspicious transactions,” they noted.

    Evidence suggests that ToxicPanda originated from a Chinese-speaking threat group, and it bears a striking resemblance to a similar malware called TgToxic, identified by Trend Micro in early 2023. TgToxic is known for extracting both login credentials and cryptocurrency funds. However, ToxicPanda takes this threat further, targeting conventional bank accounts.

    This malware has made a notable impact, particularly in Italy, which accounts for 56.8% of detected cases, followed by Portugal (18.7%), Hong Kong (4.6%), Spain (3.9%), and Peru (3.4%). This geographical spread reflects a rare move by a Chinese threat actor to infiltrate European and Latin American banking networks.

    Analysis reveals that ToxicPanda remains in its developmental phase. This variant is a streamlined iteration of earlier banking trojans, lacking components like the Automatic Transfer System (ATS), Easyclick, and obfuscation layers but adding 33 fresh commands aimed at extracting a diverse array of data.

    Notably, 61 commands are consistent between ToxicPanda and TgToxic, hinting at either a shared creator or close collaboration among malicious actors. “Although the malware mirrors some bot command sequences with the TgToxic family, its codebase exhibits considerable deviations,” the researchers stated. Some functionalities from TgToxic are conspicuously missing, with certain commands seemingly acting as placeholders.

    To disguise itself, the malware presents as well-known applications, including Google Chrome, Visa, and 99 Speedmart, and is disseminated through fake app store-like pages. The distribution strategy remains uncertain, with possibilities including malvertising and smishing campaigns.

    After installation via sideloading, ToxicPanda abuses Android’s accessibility services to obtain elevated privileges, which let it manipulate inputs, harvest data from other apps, and capture one-time passwords (OTPs) from SMS or authenticator apps. This permits the malware to bypass two-factor authentication (2FA), facilitating stealthy financial transactions.
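    The sideload-plus-accessibility pattern described above is something a defender can triage quickly from two standard `adb shell` outputs. The helper below is an added example (not code from Cleafy or the article): it takes the value of `settings get secure enabled_accessibility_services` and the output of `pm list packages -i`, and flags every package with an enabled accessibility service that was not installed by the Play Store; the trusted-installer list and the sample data are constructed assumptions.

```shell
#!/bin/sh
# Added triage helper (assumption: adb shell output, CRLF tolerated).
# Usage on a live device:
#   flag_sideloaded_a11y \
#     "$(adb shell settings get secure enabled_accessibility_services)" \
#     "$(adb shell pm list packages -i)"

# Installers considered legitimate (assumption; add your OEM/MDM store).
TRUSTED_INSTALLERS="com.android.vending"

# $1: colon-separated "pkg/ServiceClass" entries (enabled_accessibility_services)
# $2: one "package:<pkg>  installer=<inst>" line per package (pm list packages -i)
# Prints "<pkg> installer=<inst>" for each package whose accessibility service is
# enabled but whose installer is null/unknown or not in TRUSTED_INSTALLERS.
flag_sideloaded_a11y() {
    printf '%s\n' "$1" | tr -d '\r' | tr ':' '\n' | sed 's#/.*##' | sort -u |
    while read -r pkg; do
        if [ -z "$pkg" ]; then continue; fi
        # Look up the installer recorded for this package (empty if not listed).
        inst=$(printf '%s\n' "$2" | tr -d '\r' |
               awk -v p="$pkg" -F'[: =]+' '$2 == p { print $4 }')
        if [ -z "$inst" ]; then inst=null; fi
        trusted=0
        for t in $TRUSTED_INSTALLERS; do
            if [ "$inst" = "$t" ]; then trusted=1; fi
        done
        if [ "$trusted" -eq 0 ]; then
            printf '%s installer=%s\n' "$pkg" "$inst"
        fi
    done
    return 0
}

# Constructed sample data: one legitimate accessibility app from the Play
# Store and one lookalike app installed by sideloading (installer=null).
SAMPLE_A11Y="com.example.a11yhelper/com.example.a11yhelper.Svc:com.example.lookalike/com.example.lookalike.AccService"
SAMPLE_PKGS="package:com.example.a11yhelper  installer=com.android.vending
package:com.example.lookalike  installer=null
package:com.android.chrome  installer=com.android.vending"

flag_sideloaded_a11y "$SAMPLE_A11Y" "$SAMPLE_PKGS"
```

    An enabled accessibility service on a package with no recorded installer is only a lead, not proof; pair the hit with the app's signing certificate and installation time before acting.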

    Beyond its data-harvesting capabilities, ToxicPanda enables attackers to remotely control infected devices, executing ODF and initiating unauthorized transfers without the victim’s awareness.

    Cleafy researchers gained access to the malware’s command-and-control (C2) panel—a Chinese-language graphical interface displaying infected devices along with model details and locations. This C2 panel allows operators to remotely monitor and, if needed, disconnect specific devices from the botnet, providing a direct avenue to execute real-time ODF transactions.

    “To advance its reach, ToxicPanda must demonstrate enhanced sophistication, complicating any analysis attempts,” Cleafy noted. Early indications, such as debugging traces, inactive code segments, and extensive logging, suggest the malware may either be in the early phases of development or undergoing substantial reengineering, particularly given its resemblance to TgToxic.

    This development coincides with recent findings from researchers at the Georgia Institute of Technology, German International University, and Kyung Hee University, who unveiled DVa—a backend analysis tool focused on identifying malware that exploits accessibility functions on Android devices.

    Using dynamic execution traces, DVa employs an abuse-vector-driven symbolic execution strategy to detect abusive routines and link them to the specific victim apps they target. Additionally, DVa identifies accessibility-based persistence tactics, offering insights into how malware can circumvent legitimate removal attempts and obstruct system queries.
