A new strain of Android banking malware, known as ToxicPanda, has infected over 1,500 devices, allowing threat actors to conduct fraudulent banking transactions. The malware, believed to be the work of a Chinese-speaking threat actor, relies on on-device fraud (ODF): the fraudulent transfer is initiated from the victim's own, already-enrolled device rather than from an attacker-controlled one, so the bank's device-fingerprinting and behavioural checks see a session that looks legitimate, and the money moves without the user's knowledge.
ToxicPanda masquerades as popular apps such as Google Chrome, Visa, and 99 Speedmart, and is distributed through counterfeit pages that mimic app store listings. Once sideloaded, the malware abuses Android's accessibility services: an accessibility service can read what is on screen and inject taps and text on the user's behalf, which lets the malware obtain further permissions, manipulate user input, and capture data from other apps.
The malware can also intercept one-time passwords (OTPs) delivered by SMS or generated by authenticator apps, which lets the operators defeat two-factor authentication (2FA) on the victim's accounts. Combined with remote control of the compromised device, this is enough to initiate unauthorized money transfers without the victim noticing.
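The two facts above, that ToxicPanda arrives by sideloading and then needs an accessibility service enabled before it can act, give an incident responder a cheap triage check for a suspect handset. The Python script below is an added example, not code from the article or from the researchers who analysed ToxicPanda. It parses the output of two adb commands, `adb shell settings get secure enabled_accessibility_services` (colon-separated `package/ServiceClass` entries) and `adb shell pm list packages -i` (one `package:<name>  installer=<pkg|null>` line per app), and flags every enabled accessibility service whose package was not installed by a trusted store. The sample command output, the trusted-installer set and the service allow-list are constructed for illustration and should be adjusted to the fleet being investigated.

```python
"""Triage: flag enabled Android accessibility services backed by sideloaded apps.

Input is the raw text of two adb commands (samples below are constructed):
  adb shell settings get secure enabled_accessibility_services
  adb shell pm list packages -i
"""
import re
from typing import Dict, List, Optional, Tuple

# Installer packages treated as trusted store fronts (assumption: tune per fleet).
TRUSTED_INSTALLERS = {"com.android.vending", "com.sec.android.app.samsungapps"}

# Accessibility services that are expected to be enabled (assumption: TalkBack,
# Android's screen reader, is a legitimate reason for the permission).
ALLOWED_SERVICES = {
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService",
}

# Constructed sample of `settings get secure enabled_accessibility_services`.
# The second entry is a hypothetical sideloaded "Chrome update" app.
SAMPLE_ENABLED = (
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:"
    "com.example.chromeupdate/.AccessService"
)

# Constructed sample of `pm list packages -i`; installer=null means no store
# installed it, i.e. the app was sideloaded.
SAMPLE_INSTALLERS = """\
package:com.google.android.marvin.talkback  installer=com.android.vending
package:com.android.chrome  installer=com.android.vending
package:com.example.chromeupdate  installer=null
"""


def parse_enabled_services(raw: str) -> List[Tuple[str, str]]:
    """Split the colon-separated setting into (package, fully qualified class) pairs.

    A class written as '.Foo' is relative to its package, as in a manifest.
    """
    services: List[Tuple[str, str]] = []
    for entry in raw.strip().split(":"):
        if not entry or "/" not in entry:
            continue
        pkg, cls = entry.split("/", 1)
        if cls.startswith("."):
            cls = pkg + cls
        services.append((pkg, cls))
    return services


def parse_installers(raw: str) -> Dict[str, Optional[str]]:
    """Map package name -> installer package, or None when installer=null."""
    installers: Dict[str, Optional[str]] = {}
    for line in raw.splitlines():
        m = re.match(r"package:(\S+)\s+installer=(\S+)", line.strip())
        if m:
            pkg, inst = m.groups()
            installers[pkg] = None if inst == "null" else inst
    return installers


def suspicious_services(enabled_raw: str, installers_raw: str) -> List[Tuple[str, str]]:
    """Return (service, reason) for every enabled service that needs review.

    Anything not on ALLOWED_SERVICES is reported; the reason records whether
    the owning package came from a trusted store, was sideloaded, or came
    from some other installer.
    """
    installers = parse_installers(installers_raw)
    findings: List[Tuple[str, str]] = []
    for pkg, cls in parse_enabled_services(enabled_raw):
        svc = f"{pkg}/{cls}"
        if svc in ALLOWED_SERVICES:
            continue
        installer = installers.get(pkg)
        if installer in TRUSTED_INSTALLERS:
            reason = "store-installed but not on the allow-list"
        elif installer is None:
            reason = "sideloaded (installer=null or package not listed)"
        else:
            reason = f"installed by untrusted installer {installer}"
        findings.append((svc, reason))
    return findings


if __name__ == "__main__":
    for svc, reason in suspicious_services(SAMPLE_ENABLED, SAMPLE_INSTALLERS):
        print(f"REVIEW {svc}: {reason}")
```

Run against a live device by piping the two adb commands into the parsers in place of the constructed samples. A service flagged as sideloaded and not on the allow-list is not proof of ToxicPanda, but it is exactly the combination the malware needs, and it is the first thing to pull for static analysis.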
Researchers found that ToxicPanda shares code and behaviour with another Android malware family, TgToxic, which was documented in early 2023. The same threat actor, or affiliates of that actor, is believed to be behind both families.
The banking trojan appears to be at an early stage of development: it is a stripped-down variant of TgToxic that drops some of that family's features and adds new commands for harvesting data. Even so, it already poses a significant threat to retail banking users in Europe and Latin America.
Separately, a group of researchers has developed a backend malware analysis service called DVa to flag Android malware that exploits accessibility features. The service combines dynamic execution traces with an abuse-vector-guided symbolic execution strategy to identify accessibility-abuse routines and attribute them to the victims they target.
The discovery of ToxicPanda highlights the need for awareness and vigilance among users, particularly in Europe and Latin America: the infection chain depends on the victim sideloading an app from a fake store page and then granting it accessibility access, so an installer that arrives outside the official store and immediately asks for that permission should be treated as a red flag. It also underscores the importance of keeping devices updated and of on-device protections that scan sideloaded apps.
Source: https://thehackernews.com/2024/11/new-android-banking-malware-toxicpanda.html