New Android banking malware “ToxicPanda” targets users with fraudulent money transfers

Over 1,500 Android devices have been infected with a new type of Android banking malware called ToxicPanda, which allows threat actors to conduct fraudulent banking transactions.

“The main goal of ToxicPanda is to initiate fund transfers from compromised devices via Account Takeover (ATO) using a well-known technique called On-Device Fraud (ODF),” said Cleafy researchers Michele Roviello, Alessandro Strino and Federico Valentini in an analysis on Monday.

“The aim is to circumvent the countermeasures banks use to enforce user identity verification and authentication, as well as behavioral detection techniques used by banks to identify suspicious money transfers.”

ToxicPanda is believed to be the work of a Chinese-speaking threat actor, with the malware sharing key similarities with another Android malware called TgToxic, which can steal credentials and funds from crypto wallets. TgToxic was documented by Trend Micro in early 2023.


A majority of compromises were reported in Italy (56.8%), followed by Portugal (18.7%), Hong Kong (4.6%), Spain (3.9%) and Peru (3.4%), which represents a rare case of a Chinese threat actor orchestrating a fraudulent scheme to target retail customers in Europe and Latin America.

The banking Trojan also appears to be in its early stages. Analysis shows that it is a stripped-down version of its predecessor, removing the Automatic Transfer System (ATS), Easyclick and obfuscation routines while introducing 33 new commands of its own to collect a wide range of data.

Additionally, TgToxic and ToxicPanda were found to share up to 61 commands, suggesting that the same threat actor or its close associates are behind the new malware family.

“Although it shares some similarities with the TgToxic family of bot commands, the code deviates significantly from its original source,” the researchers said. “Many of TgToxic's signature capabilities are noticeably missing, and some commands appear as placeholders with no real implementation.”


The malware disguises itself as popular apps such as Google Chrome, Visa and 99 Speedmart and is distributed via fake sites that mimic app store listing pages. It is currently unknown how these links are distributed and whether they involve malvertising or smishing techniques.

Once sideloaded, ToxicPanda abuses Android's accessibility services to gain far-reaching control over the device, manipulate user input, and collect data from other apps. It can also intercept one-time passwords (OTPs) sent via SMS or generated by authenticator apps, allowing threat actors to bypass two-factor authentication (2FA) protections and conduct fraudulent transactions.
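The combination described above (an accessibility service enabled for a sideloaded app that also holds SMS permissions) is something an analyst can check for on a suspect handset over adb. The script below is an added example, not Cleafy's or Google's tooling. It parses the text output of three adb commands, here embedded as constructed sample data with invented package names, and rates each package that has an enabled accessibility service. It assumes that only the Play Store (`com.android.vending`) counts as a trusted installer; adjust `TRUSTED_INSTALLERS` for devices with OEM stores.

```python
import re

# --- Constructed sample output of three adb commands (not real device data) ---

# adb shell settings get secure enabled_accessibility_services
# ':'-separated entries of the form package/ServiceClass
ENABLED_A11Y = (
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:"
    "com.chrome.update.fake/com.chrome.update.fake.AccService"
)

# adb shell pm list packages -i   (installer=null: installed via adb or another sideload path)
PM_LIST_I = """\
package:com.google.android.marvin.talkback  installer=com.android.vending
package:com.chrome.update.fake  installer=null
package:com.android.chrome  installer=com.android.vending
"""

# adb shell dumpsys package <pkg>, runtime-permission section only
DUMPSYS_PERMS = {
    "com.chrome.update.fake": """\
      runtime permissions:
        android.permission.RECEIVE_SMS: granted=true
        android.permission.READ_SMS: granted=true
        android.permission.CAMERA: granted=false
""",
    "com.google.android.marvin.talkback": """\
      runtime permissions:
        android.permission.RECORD_AUDIO: granted=true
""",
}

# Assumption: only the Play Store is treated as a trusted installer.
TRUSTED_INSTALLERS = {"com.android.vending"}
SMS_PERMS = {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS"}


def parse_enabled_services(setting: str) -> dict[str, set[str]]:
    """Map package -> enabled accessibility service classes."""
    out: dict[str, set[str]] = {}
    for entry in setting.split(":"):
        if "/" in entry:
            pkg, svc = entry.split("/", 1)
            out.setdefault(pkg, set()).add(svc)
    return out


def parse_installers(pm_output: str) -> dict[str, str]:
    """Map package -> installer package ('null' when none was recorded)."""
    return {
        m.group(1): m.group(2)
        for m in re.finditer(r"^package:(\S+)\s+installer=(\S+)", pm_output, re.M)
    }


def granted_permissions(dumpsys_text: str) -> set[str]:
    """Runtime permissions marked granted=true in a dumpsys package dump."""
    return set(re.findall(r"(android\.permission\.\w+): granted=true", dumpsys_text))


def triage(a11y_setting: str, pm_output: str, dumpsys_by_pkg: dict[str, str]) -> dict:
    """Rate every package that has an enabled accessibility service.

    high   = sideloaded AND holds SMS permissions (OTP interception is possible)
    medium = one of the two indicators
    low    = accessibility enabled but installed from a trusted store, no SMS access
    """
    installers = parse_installers(pm_output)
    findings = {}
    for pkg, services in parse_enabled_services(a11y_setting).items():
        reasons = []
        installer = installers.get(pkg, "unknown")
        if installer not in TRUSTED_INSTALLERS:
            reasons.append(f"sideloaded (installer={installer})")
        sms = granted_permissions(dumpsys_by_pkg.get(pkg, "")) & SMS_PERMS
        if sms:
            reasons.append("SMS access: " + ", ".join(sorted(sms)))
        risk = "high" if len(reasons) == 2 else "medium" if reasons else "low"
        findings[pkg] = {"services": sorted(services), "risk": risk, "reasons": reasons}
    return findings


def run_sample() -> dict:
    """Triage the constructed sample above."""
    return triage(ENABLED_A11Y, PM_LIST_I, DUMPSYS_PERMS)


if __name__ == "__main__":
    for pkg, f in run_sample().items():
        print(f"{f['risk']:6} {pkg}  {'; '.join(f['reasons']) or 'no indicators'}")
```

On a real device, replace the three constants with the captured command output; a hit does not prove infection, but a sideloaded app with both an enabled accessibility service and SMS read access matches the pattern described above closely enough to warrant pulling the APK for analysis.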

The main function of the malware, in addition to its ability to collect information, is to allow attackers to remotely control the compromised device and perform a so-called ODF, which allows unauthorized fund transfers to be initiated without the victim's knowledge.

Cleafy said it was able to access ToxicPanda's command-and-control (C2) panel, a graphical interface in Chinese that allows operators to view a list of victim devices, including model information and location, and to remove a device from the botnet. The panel also serves as the channel for requesting real-time remote access to each device to perform ODF.

“ToxicPanda needs to demonstrate more advanced and unique capabilities that would complicate its analysis,” the researchers said. “However, artifacts such as log information, dead code and debugging files suggest that the malware is either in early stages of development or undergoing extensive code refactoring – particularly given its similarities to TgToxic.”

The development comes as a group of researchers from the Georgia Institute of Technology, German International University and Kyung Hee University detailed a backend malware analysis service called DVa – short for Detector of Victim-Specific Accessibility – to detect malware exploiting accessibility features on Android devices.

“Using dynamic execution traces, DVa also leverages a symbolic execution strategy driven by abuse vectors to identify and attribute abuse routines to victims,” they said. “Finally, DVa recognizes [accessibility]-enhanced persistence mechanisms to understand how malware impedes legal queries or removal attempts.”


The discovery of ToxicPanda also follows a report from Netcraft describing another Android banking malware called HookBot (also known as Hook), which likewise abuses Android's accessibility services to conduct overlay attacks, drawing fake login pages over legitimate banking apps to steal login credentials and other personal information.

Some of the popular institutions targeted by the malware include Airbnb, Bank of Queensland, Citibank, Coinbase, PayPal, Tesco and Transferwise. In addition to collecting sensitive data, a notable feature of the Trojan is its ability to spread like a worm by sending links to malware-infected apps via WhatsApp messages.

“HookBot can also log keystrokes and capture screenshots to steal sensitive data as the user interacts with their device,” the company said. “It can also intercept SMS messages, including those used for two-factor authentication (2FA), giving threat actors full access to the victim’s accounts.”

HookBot is offered for sale on Telegram to other criminal actors under a malware-as-a-service (MaaS) model, priced from $80 for a weekly subscription to $640 for six months. It also comes with a builder that allows customers to generate new malware samples and create dropper apps.

Update

After publishing the story, Google shared the following statement with The Hacker News:

Based on our current detection, no apps containing this malware were found on Google Play. Android users are automatically protected from known versions of this malware by Google Play Protect, which is enabled by default on Android devices with Google Play Services. Google Play Protect can warn users or block apps that are known to engage in malicious behavior, even if those apps come from sources outside of Play.
