A new malware strain, dubbed “ToxicPanda,” is targeting Android users, allowing hackers to initiate fraudulent bank transfers from infected devices. The malware, identified by cybersecurity firm Cleafy, has already compromised over 1,500 devices, mainly in Europe and Latin America. This dangerous attack highlights growing security vulnerabilities for Android users.
ToxicPanda: A New Threat to Android Banking Security
ToxicPanda is a sophisticated banking trojan that uses a technique called On-Device Fraud (ODF) to bypass bank security measures and initiate unauthorized money transfers. The malware works by gaining control of infected devices, sidestepping two-factor authentication (2FA) systems, and ultimately enabling fraud without users noticing. Cleafy’s researchers report that ToxicPanda is aimed at taking over users’ bank accounts through on-device manipulation.
The malware appears to be in its initial stages but has already impacted numerous users in Italy (56.8%), Portugal (18.7%), Hong Kong (4.6%), Spain (3.9%), and Peru (3.4%).
A Malicious Evolution: Links to TgToxic
ToxicPanda has several similarities to another malware, TgToxic, identified earlier this year by Trend Micro. Both malware families share over 60 bot commands, allowing hackers to perform data collection and unauthorized transfers. However, Cleafy’s team noted that while ToxicPanda and TgToxic share some code, ToxicPanda includes 33 unique commands to harvest user data, indicating that it’s designed with a slightly different functionality.
“The code diverges considerably from TgToxic,” Cleafy researchers said, highlighting that ToxicPanda’s capabilities could evolve further, making detection and prevention challenging.
How ToxicPanda Infects Devices
ToxicPanda disguises itself as popular apps, including Google Chrome, Visa, and 99 Speedmart, tricking users into downloading it from fake app store pages. Once installed, the malware abuses Android’s accessibility services, allowing it to intercept messages, manipulate device input, and collect data from other applications.
One of the most concerning abilities of ToxicPanda is its interception of SMS messages and one-time passwords (OTPs) generated by authentication apps, allowing hackers to bypass 2FA protections. This capability allows attackers to access users’ bank accounts and perform transactions unnoticed.
Command and Control: Hackers’ Direct Control Panel
Cleafy’s team gained access to ToxicPanda’s command-and-control (C2) panel, which allows hackers to view device details, including model, location, and connection status. The C2 panel, presented in Chinese, allows threat actors to remotely access infected devices in real-time, enhancing their ability to manipulate users’ bank accounts.
“ToxicPanda appears to be in an experimental phase,” researchers explained. The presence of debugging files and placeholders within the code suggests it could be in development or undergoing updates to enhance its malicious abilities.
ToxicPanda and the Growing Threat of Android Malware
ToxicPanda’s discovery aligns with a recent report on another Android malware strain, HookBot, which similarly exploits Android’s accessibility services to perform overlay attacks and steal login credentials. HookBot, known to target popular financial institutions like PayPal, Citibank, and Coinbase, has been sold on Telegram as malware-as-a-service, allowing criminal actors to deploy it widely.
Both HookBot and ToxicPanda indicate a worrying trend of sophisticated Android malware targeting financial accounts. HookBot can log keystrokes, intercept 2FA messages, and spread itself through WhatsApp messages, posing additional challenges for users.
Conclusion: A Call for Greater Security Measures
The rise of malware strains like ToxicPanda highlights the need for Android users to exercise caution. As banking trojans become increasingly advanced, cybersecurity firms and users must stay alert to these threats. ToxicPanda’s capabilities for account takeovers and fraudulent transfers underscore the growing sophistication of malware targeting financial information.
For users, downloading apps from trusted sources and regularly updating device software is crucial. As the landscape of Android threats expands, both developers and users must take steps to counter the dangers of malware like ToxicPanda.
