ToxicPanda Mobile Malware
A new strain of the Android banking malware, dubbed ToxicPanda, has infected over 1,500 Android devices, enabling cybercriminals to carry out fraudulent banking transactions. ToxicPanda's primary objective is to initiate unauthorized money transfers from compromised devices through account takeover (ATO) using a technique known as on-device fraud (ODF). This method seeks to evade bank security measures designed to verify users' identities and detect unusual transaction patterns through behavioral analysis.
Researchers believe that ToxicPanda originates from a Chinese-speaking threat actor. The malware has notable similarities to TgToxic, another Android malware identified in early 2023. TgToxic is capable of stealing credentials and funds from cryptocurrency wallets.
ToxicPanda Targets a Diverse Set of Countries
The majority of infections have been observed in Italy (56.8%), followed by Portugal (18.7%), Hong Kong (4.6%), Spain (3.9%), and Peru (3.4%). This is an unusual case where a Chinese threat actor has targeted retail banking users in both Europe and Latin America.
This banking Trojan appears to be in its early stages, with analysis revealing it as a pared-down version of its predecessor. Key features like the Automatic Transfer System (ATS), Easyclick, and obfuscation routines have been removed, while 33 new commands have been added to extract a broader range of data.
Furthermore, 61 commands are shared between TgToxic and ToxicPanda, suggesting that the same threat actor or close associates are likely behind this malware family. Although ToxicPanda retains some bot command similarities with the TgToxic family, its code diverges significantly. Several functions typical of TgToxic are missing, and some commands seem to be placeholders with no actual functionality.
How Does the ToxicPanda Banking Trojan Operate?
The malware disguises itself as well-known applications like Google Chrome, Visa, and 99 Speedmart, distributed through fake websites that imitate legitimate app store listings. It remains unclear how these links are being shared or if techniques such as malvertising or smishing are involved.
Once installed via sideloading, ToxicPanda exploits Android's accessibility services to gain elevated permissions, automate user inputs, and capture data from other applications. It can intercept one-time passwords (OTPs) sent via SMS or authenticator apps, allowing attackers to bypass two-factor authentication (2FA) and complete unauthorized transactions.
Beyond data collection, the malware's primary function enables attackers to control the compromised device remotely and execute on-device fraud (ODF), facilitating unauthorized money transfers without the victim's awareness.
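The two traits described above, installation by sideloading and an enabled accessibility service, are something a defender can check for on a managed device. The following Python script is an added example (not code from the original report or from the researchers who analysed ToxicPanda): it parses the text output of `adb shell pm list packages -i` and `adb shell settings get secure enabled_accessibility_services` and ranks packages that combine both traits highest. The sample outputs, package names, trusted-installer set and expected-accessibility-app list are all constructed for the example.

```python
import re
from typing import Dict, List, Set

# Installer packages Android reports for store-installed apps. Any other value
# (null, the manual package installer, adb) is treated here as sideloaded.
# Assumed allow-list; extend per fleet.
TRUSTED_INSTALLERS: Set[str] = {
    "com.android.vending",              # Google Play
    "com.sec.android.app.samsungapps",  # Galaxy Store
}

# Assistive apps expected to hold an accessibility service; allow-listed so
# the report focuses on unexpected grants. Assumed list.
EXPECTED_A11Y_PACKAGES: Set[str] = {"com.google.android.marvin.talkback"}

SEVERITY_ORDER = {"high": 0, "medium": 1, "low": 2}

# Constructed sample of `adb shell pm list packages -i` output.
SAMPLE_PM_OUTPUT = """\
package:com.android.chrome  installer=com.android.vending
package:com.google.android.marvin.talkback  installer=com.android.vending
package:com.chrome.update  installer=null
package:com.visa.wallet.secure  installer=com.google.android.packageinstaller
package:com.example.bank  installer=com.android.vending
"""

# Constructed sample of `adb shell settings get secure enabled_accessibility_services`
# (colon-separated package/service pairs).
SAMPLE_A11Y_OUTPUT = (
    "com.google.android.marvin.talkback/"
    "com.google.android.marvin.talkback.TalkBackService"
    ":com.chrome.update/com.chrome.update.svc.AccessService"
)

PM_LINE = re.compile(r"^package:(?P<pkg>\S+)\s+installer=(?P<inst>\S+)$")


def parse_installers(pm_output: str) -> Dict[str, str]:
    """Map package name -> installer package ('null' when Android records none)."""
    installers: Dict[str, str] = {}
    for line in pm_output.splitlines():
        match = PM_LINE.match(line.strip())
        if match:
            installers[match.group("pkg")] = match.group("inst")
    return installers


def parse_accessibility_services(setting: str) -> Dict[str, List[str]]:
    """Map package name -> enabled accessibility service class names."""
    services: Dict[str, List[str]] = {}
    setting = setting.strip()
    if not setting or setting == "null":  # 'null' when nothing is enabled
        return services
    for entry in setting.split(":"):
        if "/" not in entry:
            continue
        pkg, svc = entry.split("/", 1)
        services.setdefault(pkg, []).append(svc)
    return services


def is_sideloaded(installer: str) -> bool:
    return installer not in TRUSTED_INSTALLERS


def triage(pm_output: str, a11y_setting: str) -> List[dict]:
    """Return findings, most severe first.

    high   : sideloaded package with an enabled accessibility service
    medium : store-installed but unexpected package with an accessibility service
    low    : sideloaded package without accessibility access
    """
    installers = parse_installers(pm_output)
    a11y = parse_accessibility_services(a11y_setting)
    findings: List[dict] = []
    for pkg, svcs in a11y.items():
        if pkg in EXPECTED_A11Y_PACKAGES:
            continue
        installer = installers.get(pkg, "null")
        findings.append({
            "package": pkg,
            "installer": installer,
            "services": svcs,
            "severity": "high" if is_sideloaded(installer) else "medium",
        })
    for pkg, installer in installers.items():
        if is_sideloaded(installer) and pkg not in a11y:
            findings.append({"package": pkg, "installer": installer,
                             "services": [], "severity": "low"})
    findings.sort(key=lambda f: SEVERITY_ORDER[f["severity"]])
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_PM_OUTPUT, SAMPLE_A11Y_OUTPUT):
        print(f"[{f['severity']:6}] {f['package']} installer={f['installer']} "
              f"services={f['services']}")
```

On the constructed sample the script reports `com.chrome.update` (no installer, accessibility service enabled) as high and `com.visa.wallet.secure` (sideloaded, no accessibility service) as low, while TalkBack and the store-installed apps produce no finding. The check is a triage aid, not a verdict: a legitimately sideloaded enterprise app will also score high, and a store-installed app abusing accessibility only scores medium, so findings still need a human look.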
Researchers report that they accessed ToxicPanda's Command-and-Control (C2) panel. In this Chinese-language interface, operators can view a list of infected devices, including model and location details, and even remove them from the botnet. The panel also enables operators to request real-time remote access to devices to execute ODF activities.
ToxicPanda May Be in Early Development by Cybercriminals
ToxicPanda has yet to display more sophisticated or distinctive capabilities that would make its analysis more challenging. However, elements like logging data, unused code, and debugging files indicate that the malware could either be in the early stages of development or undergoing significant code refactoring, especially considering its similarities to TgToxic.