Over 1,500 Android devices have been infected by a new strain of Android banking malware called ToxicPanda that allows threat actors to conduct fraudulent banking transactions.
“ToxicPanda’s main goal is to initiate money transfers from compromised devices via account takeover (ATO) using a well-known technique called on-device fraud (ODF),” Cleafy researchers Michele Roviello, Alessandro Strino, and Federico Valentini said in a Monday analysis.
“It aims to bypass bank countermeasures used to enforce users’ identity verification and authentication, combined with behavioral detection techniques applied by banks to identify suspicious money transfers.”
ToxicPanda is believed to be the work of a Chinese-speaking threat actor, with the malware sharing foundational similarities with another Android malware dubbed TgToxic, which can steal credentials and funds from crypto wallets. TgToxic was documented by Trend Micro in early 2023.
A majority of the compromises have been reported in Italy (56.8%), followed by Portugal (18.7%), Hong Kong (4.6%), Spain (3.9%), and Peru (3.4%), marking a rare instance of a Chinese threat actor orchestrating a fraudulent scheme to target retail banking users in Europe and Latin America.
The banking trojan also appears to be in its nascent stages. Analysis shows that it’s a stripped-down version of its ancestor, removing Automatic Transfer System (ATS), Easyclick, and obfuscation routines, while also introducing 33 new commands of its own to harvest a wide range of data.
In addition, as many as 61 commands have been found to be common to both TgToxic and ToxicPanda, indicating that the same threat actor or their close affiliates are behind the new malware family.
“While it shares some bot command similarities with the TgToxic family, the code diverges considerably from its original source,” the researchers said. “Many capabilities characteristic of TgToxic are notably absent, and some commands appear as placeholders without real implementation.”
The malware masquerades as popular apps like Google Chrome, Visa, and 99 Speedmart, and is distributed via counterfeit pages mimicking app store listing pages. It’s currently not known how these links are propagated and if they involve malvertising or smishing techniques.
Once installed via sideloading, ToxicPanda abuses Android’s accessibility services to gain elevated permissions, manipulate user inputs, and capture data from other apps. It can also intercept one-time passwords (OTPs) sent via SMS or generated using authenticator apps, thus enabling the threat actors to bypass two-factor authentication (2FA) protections and complete fraudulent transactions.
The core functionality of the malware, besides its ability to harvest information, is to permit attackers to remotely control the compromised device and perform what’s called ODF, which makes it possible to initiate unauthorized money transfers without the victim’s knowledge.
Cleafy said it was able to gain access to ToxicPanda’s command-and-control (C2) panel, a graphical interface presented in Chinese that allows the operators to view a list of victim devices, including model information, location, and options to remove them from the botnet. Furthermore, the panel serves as a conduit to request real-time remote access to any of the devices for conducting ODF.
“ToxicPanda needs to demonstrate more advanced and unique capabilities that would complicate its analysis,” the researchers said. “However, artifacts such as logging information, dead code, and debugging files suggest that the malware may either be in its early stages of development or undergoing extensive code refactoring—particularly given its similarities with TgToxic.”
The development comes as a group of researchers from the Georgia Institute of Technology, German International University, and Kyung Hee University detailed a backend malware analysis service called DVa – short for Detector of Victim-specific Accessibility – to flag malware exploiting accessibility features on Android devices.
“Using dynamic execution traces, DVa further utilizes an abuse-vector-guided symbolic execution strategy to identify and attribute abuse routines to victims,” they said. “Finally, DVa detects [accessibility]-empowered persistence mechanisms to understand how malware obstructs legal queries or removal attempts.”
The discovery of ToxicPanda also follows a report from Netcraft that detailed another Android banking malware called HookBot (aka Hook) that also exploits Android’s accessibility services to conduct overlay attacks in order to display bogus login pages on top of legitimate banking apps and steal credentials or other personal data.
Some of the popular institutions targeted using the malware include Airbnb, Bank of Queensland, Citibank, Coinbase, PayPal, Tesco, and Transferwise, among others. Besides harvesting sensitive data, a notable feature of the trojan is its ability to spread in a worm-like fashion by sending links to malware-laced apps via WhatsApp messages.
“HookBot can also log keystrokes and capture screenshots to steal sensitive data while the user interacts with their device,” the company said. “It can also intercept SMS messages, including those used for two-factor authentication (2FA), enabling threat actors to gain full access to the victim’s accounts.”
HookBot is offered for sale on Telegram to other criminal actors under a malware-as-a-service (MaaS) model, costing anywhere from $80 for a weekly subscription to $640 for six months. It also comes with a builder that allows the customers to generate new malware samples and build dropper apps.