More than 1,500 Android devices have been infected with a new strain of Android banking malware called ToxicPanda, which allows threat actors to conduct fraudulent banking transactions.
“ToxicPanda’s main goal is to initiate money transfers from compromised devices via account takeover (ATO) using a well-known technique called on-device fraud (ODF),” Cleafy researchers Michele Raviello, Alessandro Strina and Federico Valentini said in Monday’s analysis.
“It aims to bypass banking countermeasures used to enforce identity verification and user authentication, combined with behavioral detection techniques used by banks to detect suspicious money transfers.”
ToxicPanda is believed to be the work of a Chinese-speaking threat actor, with the malware having fundamental similarities to another Android malware called TgToxic, which can steal credentials and funds from crypto wallets. TgToxic was documented by Trend Micro in early 2023.
Most compromises were recorded in Italy (56.8%), followed by Portugal (18.7%), Hong Kong (4.6%), Spain (3.9%) and Peru (3.4%), a rare case of a Chinese threat actor orchestrating a fraudulent scheme targeting retail banking users in Europe and Latin America.
The banking Trojan also appears to be in its infancy. Analysis shows that it is a trimmed-down version of its ancestor, with the Automatic Transfer System (ATS), Easyclick and obfuscation routines removed, while introducing 33 new custom commands to collect a wide range of data.
In addition, 61 commands were found to be common to TgToxic and ToxicPanda, indicating that the same threat actor or its close affiliates are behind the new malware family.
“Although it shares some similarities in bot commands with the TgToxic family, the code is significantly different from the original source,” the researchers said. “Many features specific to TgToxic are noticeably absent, and some commands appear as placeholders with no real implementation.”
The malware disguises itself as popular apps like Google Chrome, Visa, and 99 Speedmart and spreads via fake pages that mimic app store listings. At this time, it is not known how these links are distributed, or whether malvertising or smishing is involved.
Once installed via sideloading, ToxicPanda abuses Android’s accessibility services to gain elevated permissions, manipulate user input, and grab data from other apps. It can also intercept one-time passwords (OTPs) sent via SMS or generated by authenticator apps, allowing the threat actors to bypass two-factor authentication (2FA) protections and perform fraudulent transactions.
The main function of the malware, apart from its data-harvesting capabilities, is to allow attackers to remotely control a compromised device and perform so-called on-device fraud (ODF), which lets unauthorized money transfers be initiated without the victim’s knowledge.
Cleafy said it was able to access ToxicPanda’s command-and-control (C2) panel, a Chinese-language GUI that allows operators to view a list of victim devices, including model information and location, and remove them from the botnet. In addition, the panel serves as a channel to request real-time remote access to any of the devices for conducting ODF.
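The capability pairing described above (an accessibility service to read screens and inject input, plus SMS permissions to harvest OTPs) is something an analyst can check for directly in a sideloaded APK. The following is an added triage example written for this page; it is not code from the Cleafy report, from ToxicPanda, or from any tool the article names. It assumes the APK has been decoded (for instance with `apktool d`) so that its AndroidManifest.xml is plain XML, and both manifests embedded below are constructed for illustration, not real samples.

```python
"""Triage heuristic for the accessibility + SMS-OTP capability combination.

Added example (not from the Cleafy report): given a decoded AndroidManifest.xml,
flag a service bound with BIND_ACCESSIBILITY_SERVICE together with
READ_SMS/RECEIVE_SMS, and note whether the app label borrows a brand name.
Both manifests below are constructed and hypothetical.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
A_NAME = f"{{{ANDROID_NS}}}name"
A_PERMISSION = f"{{{ANDROID_NS}}}permission"
A_LABEL = f"{{{ANDROID_NS}}}label"

BIND_A11Y = "android.permission.BIND_ACCESSIBILITY_SERVICE"
# Permissions that expose one-time codes delivered by SMS.
SMS_PERMISSIONS = {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS"}
# Brands the article names as lures; a hypothetical watchlist, extend as needed.
LURE_BRANDS = ("chrome", "visa", "speedmart")

# Constructed manifest of a hypothetical dropper posing as a browser update.
SUSPECT_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.chromeupdate">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <application android:label="Google Chrome">
    <service android:name=".SvcAcc"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
  </application>
</manifest>
"""

# Constructed manifest of an unremarkable app, for comparison.
BENIGN_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.notes">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Quick Notes">
    <activity android:name=".MainActivity"/>
  </application>
</manifest>
"""


def analyse_manifest(manifest_xml: str) -> dict:
    """Return the indicators found in one manifest plus a coarse risk rating."""
    root = ET.fromstring(manifest_xml)
    permissions = {e.get(A_NAME) for e in root.iter("uses-permission")}
    app = root.find("application")
    label = app.get(A_LABEL, "") if app is not None else ""

    # Only a service guarded by BIND_ACCESSIBILITY_SERVICE can be bound by the OS
    # as an accessibility service; that is the hook used to read screens and
    # inject input on the victim's behalf.
    a11y_services = [
        s.get(A_NAME) for s in root.iter("service") if s.get(A_PERMISSION) == BIND_A11Y
    ]
    findings = {
        "package": root.get("package"),
        "label": label,
        "accessibility_services": a11y_services,
        "sms_permissions": sorted(permissions & SMS_PERMISSIONS),
        "brand_lure": any(b in label.lower() for b in LURE_BRANDS),
    }
    findings["risk"] = rate(findings)
    return findings


def rate(findings: dict) -> str:
    """Accessibility plus SMS access is the ODF/OTP-theft combination: high.
    Accessibility alone is medium, since many legitimate apps use it; a brand
    lure on top of accessibility raises it to high."""
    has_a11y = bool(findings["accessibility_services"])
    has_sms = bool(findings["sms_permissions"])
    if has_a11y and (has_sms or findings["brand_lure"]):
        return "high"
    if has_a11y:
        return "medium"
    return "low"


if __name__ == "__main__":
    for manifest in (SUSPECT_MANIFEST, BENIGN_MANIFEST):
        print(analyse_manifest(manifest))
```

This is a heuristic, not a verdict: screen readers, automation tools and some password managers legitimately declare accessibility services, and Android also grants SMS access to default messaging apps, so a "high" rating should send the sample to dynamic analysis rather than straight to a blocklist. On a device, the same signals can be pulled with `adb shell dumpsys accessibility` and `adb shell dumpsys package <pkg>`.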
“ToxicPanda must demonstrate more advanced and unique capabilities that would complicate its analysis,” the researchers said. “However, artifacts such as log information, dead code, and debug files suggest that the malware may be in the early stages of development or undergoing heavy code refactoring — especially given its similarities to TgToxic.”
The development comes as a team of researchers from the Georgia Institute of Technology, the German International University and Kyung Hee University detailed a server-side malware analysis service called DVa – short for Detector of Victim-specific Accessibility – to flag malware that abuses accessibility features on Android devices.
“Using dynamic execution traces, DVa additionally uses a symbolic execution strategy driven by an abuse vector to identify and attribute abuse routines to victims,” they said. “Finally, DVa uncovers persistence (accessibility) mechanisms to understand how malware thwarts legal requests or removal attempts.”