‘ToxicPanda’, A Fresh Android Malware for Banking, Targets Users with Deceptive Money Transfers
A fresh variant of Android banking malware known as ToxicPanda has infected more than 1,500 Android devices, enabling cybercriminals to carry out deceitful banking operations.
“ToxicPanda’s primary objective revolves around initiating unauthorized money transactions from compromised devices through what is known as on-device fraud (ODF),” as outlined by Cleafy researchers Michele Roviello, Alessandro Strino, and Federico Valentini in a recent analysis.
It’s suspected that ToxicPanda originates from a Chinese-speaking threat actor and shares core resemblances with another Android malware named TgToxic, which is capable of extracting credentials and funds from cryptocurrency wallets. Trend Micro first documented TgToxic in early 2023.
The majority of the infections have been documented in Italy (56.8%), followed by Portugal (18.7%), Hong Kong (4.6%), Spain (3.9%), and Peru (3.4%), signifying an unusual occurrence of a Chinese malicious actor orchestrating a fraudulent enterprise with the aim of attracting retail banking clients in Europe and Latin America.
Presently, the banking trojan seems to be in its early phases. Analysis reveals that it is a refined version of its predecessor, removing features such as Automatic Transfer System (ATS), Easyclick, and encryption methods. Instead, it introduces 33 new instructions to accumulate a vast array of information.
Furthermore, approximately 61 instructions are shared between TgToxic and ToxicPanda, suggesting that the same cyber threat actor or closely associated groups are behind the emerging malware strain.
“While the ToxicPanda family shares some similarities with the TgToxic bot commands, its code significantly diverges from the original. Several distinctive functions of TgToxic are conspicuously absent, and certain instructions remain as placeholders without actual implementation,” the researchers commented.
The malware adopts the guises of popular applications like Google Chrome, Visa, and 99 Speedmart, being distributed through fake pages resembling official app store listings. The means by which these links are disseminated and whether they involve malvertising or smishing strategies remain unknown at this moment.
Upon installation through sideloading, ToxicPanda exploits Android’s accessibility services to gain escalated privileges, manipulate user inputs, and siphon data from other applications. It can also intercept one-time passwords (OTPs) sent via SMS or generated by authenticator apps, thereby allowing malicious actors to circumvent two-factor authentication (2FA) security protocols and perform unauthorized transactions.
Aside from its data harvesting capabilities, the malware’s central function is to empower attackers to remotely control compromised devices, thereby executing what is known as on-device fraud (ODF), which authorizes the initiation of illicit money transfers without the victim’s awareness.
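The combination described above, a sideloaded app that holds accessibility access, is something a defender can check for on a managed device. The script below is an added example, not code from the article or from Cleafy: it parses the output of two standard adb commands (`adb shell settings get secure enabled_accessibility_services`, whose value is a colon-separated list of flattened component names, and `adb shell pm list packages -i`, which prints each package with its installer) and flags every accessibility service whose owning package was not installed by a trusted store. The package names and command outputs embedded here are constructed for the demonstration, and the trusted-installer list is an assumption you would tune for your own fleet.

```python
import re
from typing import Dict, List, Tuple

# Installer IDs treated as trusted app stores (assumption: Google Play only;
# add vendor or enterprise stores as appropriate for your fleet).
TRUSTED_INSTALLERS = {"com.android.vending"}


def parse_enabled_services(setting_value: str) -> List[Tuple[str, str]]:
    """Parse the enabled_accessibility_services secure setting.

    The value is a colon-separated list of flattened ComponentNames, either
    'pkg/fully.qualified.Class' or the shorthand 'pkg/.Class'. An unset
    setting is printed as 'null'. Returns (package, class) pairs.
    """
    value = setting_value.strip()
    if not value or value == "null":
        return []
    pairs = []
    for item in value.split(":"):
        if "/" not in item:
            continue
        pkg, cls = item.split("/", 1)
        if cls.startswith("."):
            cls = pkg + cls
        pairs.append((pkg, cls))
    return pairs


# Matches one line of 'pm list packages -i' output, e.g.
# 'package:com.example.app  installer=com.android.vending'
PM_LINE = re.compile(r"^package:(\S+)\s+installer=(\S+)\s*$")


def parse_installers(pm_output: str) -> Dict[str, str]:
    """Map package name -> installer package; 'null' (sideloaded) becomes ''."""
    result: Dict[str, str] = {}
    for line in pm_output.splitlines():
        m = PM_LINE.match(line.strip())
        if not m:
            continue
        pkg, installer = m.groups()
        result[pkg] = "" if installer == "null" else installer
    return result


def flag_sideloaded_accessibility(setting_value: str, pm_output: str,
                                  trusted=TRUSTED_INSTALLERS) -> List[Tuple[str, str, str]]:
    """Return (package, service_class, installer) for each enabled accessibility
    service whose package did not come from a trusted installer. A package that
    is absent from the pm listing is reported too, with installer 'none/unknown'."""
    installers = parse_installers(pm_output)
    flagged = []
    for pkg, cls in parse_enabled_services(setting_value):
        installer = installers.get(pkg, "")
        if installer not in trusted:
            flagged.append((pkg, cls, installer or "none/unknown"))
    return flagged


# Constructed sample outputs (not captured from a real device): a legitimate
# screen reader from the store, plus a sideloaded app posing as a browser.
SAMPLE_SETTING = ("com.example.screenreader/com.example.screenreader.ReaderService:"
                  "com.example.fakechrome/.A11yService")
SAMPLE_PM = """package:com.example.screenreader  installer=com.android.vending
package:com.example.fakechrome  installer=null
package:com.android.chrome  installer=com.android.vending
"""

if __name__ == "__main__":
    for pkg, cls, inst in flag_sideloaded_accessibility(SAMPLE_SETTING, SAMPLE_PM):
        print(f"REVIEW: {pkg} ({cls}) holds accessibility access; installer={inst}")
```

On the constructed sample this reports only `com.example.fakechrome`; the store-installed screen reader passes. In practice the installer field can be spoofed by a sufficiently privileged actor and some OEM stores use their own installer IDs, so treat a hit as a triage lead rather than a verdict.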
Cleafy reported that it gained access to ToxicPanda’s command-and-control (C2) dashboard, which has a Chinese-language graphical user interface that lets operators monitor victim devices, including their model details and location, and remove them from the network. The dashboard also lets operators request real-time remote access to any of the devices in order to carry out on-device fraud.
“ToxicPanda needs to showcase more sophisticated and distinctive features that would add complexity to its analysis,” the researchers highlighted. “Nonetheless, remnants such as logging data, inactive code, and debugging files suggest that the malware may either be at an early stage of development or undergoing significant code restructuring, particularly in light of its parallels with TgToxic.”
These revelations come as a consortium of researchers from the Georgia Institute of Technology, German International University, and Kyung Hee University detailed a new backend malware analysis tool dubbed DVa (short for Detector of Victim-specific Accessibility), designed to flag malware that abuses accessibility services on Android devices.
“By leveraging dynamic execution traces, DVa employs an abuse-vector-guided symbolic execution approach to uncover and attribute abuse routines to victims,” they elaborated. “Ultimately, DVa identifies accessibility-powered persistence mechanisms to ascertain how malware impedes legitimate queries or removal attempts.”