ToxicPanda Android Banking Trojan

More than 1500 Android mobile devices were attacked by the operators of the ToxicPanda malware. Once established on the system, this Trojan can make unauthorized bank transfers.

ToxicPanda is detailed in a new report from Cleafy. In particular, experts note the following functionality of the malware:

"The main task of ToxicPanda is to organize the withdrawal of money using well-known methods such as account control interception (ATO) or on-device fraud (ODF)."

"To do this, the Trojan needs to bypass the bank's protective measures, which include identity verification and customer authentication, as well as detecting atypical behavior and identifying suspicious money transfers."

Researchers believe that Chinese-speaking cybercriminals are behind ToxicPanda. The functionality of the malware is similar to another Android Trojan — TgToxic, which is capable of intercepting credentials and funds from crypto wallets.

In addition, everything points to a raw version of ToxicPanda, which is likely to be finalized in the future. For example, the authors have not yet implemented obfuscation and have abandoned the use of the Automatic Transfer System (ATS).

ToxicPanda infiltrates devices using third-party downloads, and then uses Android's accessibility services to gain access to user input and data from other apps.

The largest number of infected devices was found in Italy (56.8%), followed by Portugal (18.7%), Hong Kong (4.6%), Spain (3.9%) and Peru (3.4%).

ToxicPanda: 16 Banks Held Hostage by Chinese Trojan.

A powerful new weapon in the arsenal of hackers attacking Android.

In October 2024, the Cleafy team discovered a new Android malware campaign related to the ToxicPanda banking Trojan, which differs from other malware in the way it works.

Researchers first linked the malware to TgToxic, which was spreading in Southeast Asia, but it turned out that ToxicPanda had different code and new functions, so it was singled out as a separate virus. ToxicPanda's main task is to seize control of the device in order to execute bank transfers using the On-Device Fraud (ODF) technique. This allows the Trojan to bypass banking security systems designed to verify the customer's identity.

Experts have found that the ToxicPanda botnet has already infected more than 1,500 devices in countries such as Italy, Portugal, Spain, and Peru. Moreover, Italy is the main attack region, where about 57% of all devices are infected. The attacks target 16 banks. The creators of the virus are believed to speak Chinese, which is rare for attacks aimed at Europe and Latin America.

The virus spreads through malicious applications that disguise themselves as well-known programs, such as Google Chrome and Visa, or dating apps. In this way, the attackers trick people into installing a Trojan. Judging by the source code, the development is at an early stage, with some commands in the code only labeled as "empty", with no actual implementation.

On the technical side, ToxicPanda has a number of cyberattack capabilities. The malware can control the device remotely, gain access to one-time passwords to bypass two-factor authentication, and hide its presence using sophisticated masking methods. At the same time, unlike the old versions of TgToxic, ToxicPanda removed the automatic translation system, which simplified the structure of the virus.

Other features of ToxicPanda include the ability to hide and block access to system settings, security tools, and permission management. Such features help hide the Trojan on the device and make it difficult to remove.

The technical aspects of the campaign confirm that the malware is focused on direct interaction with infected devices, giving operators the ability to manually control and bypass banking protection. Moreover, the Trojan records and transmits screenshots of the user to the C2 server, which allows you to collect screenshots of login credentials to the bank's application.

The infrastructure of the virus is configured in such a way that it uses hard-coded domains to communicate with the C2 server. This mechanism makes it easier to manage the botnet, but reduces flexibility in case domains are blocked. ToxicPanda also uses encryption to protect the data in transit.

Access to the botnet's control panel allowed the Cleafy team to understand how hackers control infected devices and conduct fraudulent operations. Such information helps analysts develop countermeasures and prevent the further spread of the virus. ToxicPanda shows that threats to banking apps in Europe and Latin America are growing, and requires companies to strengthen the protection of mobile devices.