Researchers have identified a new strain of Android malware, ToxicPanda, that has infected over 1,500 devices worldwide, predominantly targeting banking users in Italy, Portugal, Hong Kong, Spain, and Peru. Created by a suspected Chinese-speaking threat actor, ToxicPanda specializes in account takeover (ATO) through on-device fraud (ODF), allowing attackers to make unauthorized transfers from victims' accounts.
ToxicPanda’s Functionality and Distribution
Disguised as popular apps like Google Chrome, Visa, and 99 Speedmart, ToxicPanda spreads through fake app store pages. Users unknowingly install it by sideloading; once installed, the malware obtains its permissions through Android’s accessibility services. This allows it to capture data from other apps, intercept one-time passwords (OTPs), and even bypass two-factor authentication (2FA).
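As an added defender-side example (not from the article or the researchers), the check below flags packages that have an enabled accessibility service but were not installed by a trusted installer, which is the combination of sideloading and accessibility abuse described above. It assumes the Play Store (com.android.vending) is the only trusted installer, and both inputs are constructed samples of the two `adb shell` command outputs named in the comments.

```bash
#!/usr/bin/env bash
# Added example, not part of the article. On a real device the two inputs are:
#   adb shell settings get secure enabled_accessibility_services
#   adb shell pm list packages -i
# Both are embedded here as constructed samples so the script runs offline.

# Assumption: only Play Store installs are treated as trusted.
TRUSTED_INSTALLERS="com.android.vending"

# Constructed sample: colon-separated list of package/ServiceClass entries.
SAMPLE_ENABLED='com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:com.example.chrome.update/com.example.chrome.update.AccService'

# Constructed sample of `pm list packages -i` output (installer=null means sideloaded).
SAMPLE_PACKAGES='package:com.google.android.marvin.talkback  installer=com.android.vending
package:com.example.chrome.update  installer=null
package:com.android.chrome  installer=com.android.vending'

# installer_of PKG PKGLIST -> prints the installer package name ("null" if sideloaded).
installer_of() {
  printf '%s\n' "$2" | awk -v pkg="package:$1" \
    '$1 == pkg { sub(/^installer=/, "", $2); print $2; exit }'
}

# flag_sideloaded_a11y ENABLED PKGLIST -> one line per package that has an
# enabled accessibility service and was NOT installed by a trusted installer.
flag_sideloaded_a11y() {
  enabled=$1; pkglist=$2
  printf '%s\n' "$enabled" | tr ':' '\n' | while IFS= read -r entry; do
    case $entry in */*) ;; *) continue ;; esac   # skip empty or "null" values
    pkg=${entry%%/*}
    inst=$(installer_of "$pkg" "$pkglist")
    case " $TRUSTED_INSTALLERS " in
      *" $inst "*) ;;                              # trusted store install, ignore
      *) printf '%s installer=%s\n' "$pkg" "${inst:-unknown}" ;;
    esac
  done
}

flag_sideloaded_a11y "$SAMPLE_ENABLED" "$SAMPLE_PACKAGES"
```

Any package printed deserves review: a legitimate accessibility app installed from the store is silent, while a sideloaded package holding accessibility access matches the delivery pattern the article describes.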
ToxicPanda also leverages a command-and-control (C2) panel in Chinese, providing operators with the ability to monitor and remotely control compromised devices. This interface can view detailed device information, such as model and location, and initiate real-time remote access for unauthorized banking transactions.
Technical Aspects and Evolution
While ToxicPanda shares 61 bot commands with its predecessor, TgToxic, its code has diverged significantly, marking it as a unique threat. ToxicPanda lacks features like the Automatic Transfer System (ATS) and has introduced 33 new commands. Artifacts, including logging information and unused code, suggest that ToxicPanda may still be under development or is a work-in-progress variant of TgToxic.
Research Response and Security Recommendations
A recent study from researchers at Georgia Institute of Technology, German International University, and Kyung Hee University introduced DVa (Detector of Victim-specific Accessibility), a tool for identifying malware that exploits Android's accessibility services. DVa detects malware persistence mechanisms, which help maintain unauthorized access on compromised devices.
Security Tips:
The emergence of ToxicPanda highlights the risks of sophisticated banking malware and its impact on Android users globally. The malware’s ability to bypass banking security measures shows the importance of rigorous Android security practices for users and financial institutions alike.
© 2016 - 2025 Red Secure Tech Ltd. Registered in England and Wales under Company Number: 15581067