ToxicPanda: The Latest Android Banking Malware Threatening Money Transfer

Emergence of ToxicPanda

A new strain of Android banking malware named ToxicPanda has been identified, compromising over 1,500 devices to enable fraudulent money transfers. According to cybersecurity experts from Cleafy, this malware operates by executing account takeovers (ATO) and employing on-device fraud (ODF) techniques to bypass security measures such as user identity verification and behavior-based detection applied by banks.

Key Characteristics and Origin

ToxicPanda is attributed to a Chinese-speaking threat actor and shares core characteristics with the previously documented TgToxic malware, which is known for stealing credentials and crypto funds. The malware has predominantly affected users in Italy (56.8%), followed by Portugal, Hong Kong, Spain, and Peru. This is an unusual targeting pattern for a Chinese-speaking cybercriminal group, since it focuses on European and Latin American financial institutions.

Cleafy’s analysis revealed that while ToxicPanda shares 61 bot commands with its ancestor TgToxic, it features distinct new commands and lacks several prior capabilities, such as the Automatic Transfer System (ATS). This indicates ongoing development and potential evolution of the malware to introduce new capabilities.

Malware’s Modus Operandi and Capabilities

Disguised as legitimate apps such as Google Chrome or Visa, ToxicPanda is primarily distributed through fake app store listings. Once sideloaded onto a device, the malware abuses Android’s accessibility services to gain control of the device, monitor user interactions, and collect data from other applications. It is particularly adept at intercepting one-time passwords (OTPs) delivered via SMS or generated by authenticator apps, effectively bypassing two-factor authentication (2FA).

In addition to information theft, ToxicPanda allows attackers to remotely control infected devices and conduct ODF, initiating unauthorized money transfers covertly. Cleafy’s investigation included accessing the malware’s command-and-control (C2) panel, which featured a Chinese-language interface that displayed victim device details and facilitated real-time remote access.
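Because the control, monitoring, and OTP interception described above all hinge on an accessibility service being enabled for a sideloaded app, one cheap triage check for a defender or incident responder is to list the enabled accessibility services on a device and flag anything outside a known-good allowlist. The script below is an added example and is not code from the article or from Cleafy. It parses the value returned by the real Android secure setting `enabled_accessibility_services` (colon-separated component names), and the package names in the sample and allowlist are constructed placeholders, not indicators from the report.

```shell
#!/bin/sh
# Added example: flag enabled Android accessibility services that are not on
# a defender-maintained allowlist. Not code from the article or from Cleafy.
#
# Live input comes from the device (requires adb):
#   adb shell settings get secure enabled_accessibility_services
# The setting is a colon-separated list of ComponentName strings such as
#   com.example.pkg/com.example.pkg.SomeService
# and is empty or "null" when nothing is enabled.

# Constructed allowlist of legitimate screen-reader components (placeholders;
# populate from your own fleet baseline).
ALLOWLIST="com.android.talkback/.TalkBackService
com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService"

# flag_unknown_a11y_services VALUE
# Prints one flagged component per line; returns 1 if anything was flagged,
# 0 if every enabled service is on the allowlist (or none is enabled).
flag_unknown_a11y_services() {
    value="$1"
    flagged=0
    if [ -z "$value" ] || [ "$value" = "null" ]; then
        return 0
    fi
    # Split on ':' into positional parameters without spawning a subshell,
    # so the flagged counter survives the loop.
    old_ifs=$IFS
    IFS=:
    set -- $value
    IFS=$old_ifs
    for svc in "$@"; do
        [ -z "$svc" ] && continue
        # Exact, whole-line, fixed-string match against the allowlist.
        if printf '%s\n' "$ALLOWLIST" | grep -qxF -- "$svc"; then
            continue
        fi
        echo "$svc"
        flagged=1
    done
    return $flagged
}

# Live use on a connected device (adb output carries a trailing CR on Windows):
# flag_unknown_a11y_services "$(adb shell settings get secure enabled_accessibility_services | tr -d '\r')"

# Constructed sample: one legitimate screen reader plus one unknown service
# belonging to a sideloaded app posing as a browser update.
SAMPLE="com.android.talkback/.TalkBackService:com.fake.chrome.update/.a11y.ControlService"
flag_unknown_a11y_services "$SAMPLE" || echo "review the flagged services above"
```

Run against a real device, the only change needed is to replace the constructed sample with the `adb shell settings get secure` output shown in the comment; a non-empty result is a lead for manual review (which APK installed it, from where, and whether the user recognises it), not proof of infection on its own, since legitimate accessibility tools will also appear until they are added to the allowlist.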

Developmental Stage and Security Implications

Experts believe that ToxicPanda may still be in an early stage of development or undergoing significant code changes due to indications such as logging data, dead code, and debug files found during analysis. Despite this, the malware’s functionality poses a substantial risk, demonstrating how attackers continually adapt and refine their tools to challenge banking security measures.

Research into countermeasures, such as DVa (Detector of Victim-specific Accessibility), highlights ongoing efforts to identify malware that abuses accessibility services. This tool uses symbolic execution to pinpoint the abuse mechanisms and to understand how malicious apps persist on infected devices.

Conclusion

The discovery of ToxicPanda underscores the persistent and evolving nature of mobile malware threats. The ability of such malware to bypass security controls and target multiple regions highlights the importance of comprehensive defense strategies, including user education on safe app installation practices and the enhancement of banking app security protocols.
