A newly discovered Android banking malware, dubbed ToxicPanda, has infected over 1,500 devices, enabling attackers to conduct unauthorized money transfers.
This malware employs account takeover (ATO) tactics and on-device fraud (ODF) techniques to bypass bank verification measures and behavioral detection systems.
Reports suggest that ToxicPanda originates from a Chinese-speaking threat actor, sharing foundational code with a similar malware called TgToxic. Unlike its predecessor, ToxicPanda has streamlined its operations, removing certain obfuscation routines while introducing new capabilities to harvest data and enable remote control of compromised devices.
The malware primarily targets users in Italy, Portugal, Hong Kong, Spain, and Peru, marking a rare instance of a China-based actor targeting retail banking customers in Europe and Latin America.
It masquerades as well-known apps such as Google Chrome or Visa and is distributed through counterfeit app store pages. While the exact delivery methods are unclear, malvertising and phishing are suspected.
Once installed through sideloading, ToxicPanda abuses Android’s accessibility services to gain elevated permissions, manipulate user interactions, and intercept sensitive data like one-time passwords (OTPs).
This allows it to bypass two-factor authentication (2FA) and execute unauthorized banking transactions. The malware also provides attackers with real-time remote access to devices, enabling seamless ODF operations.
Analysis of ToxicPanda’s command-and-control (C2) panel reveals a Chinese-language interface that allows attackers to monitor infected devices, request real-time access, and manage botnet operations.
While the malware demonstrates significant potential, researchers suggest it may still be in its developmental stages due to the presence of debugging files and unimplemented commands.
In addition to ToxicPanda, reports highlight the growing trend of malware exploiting Android’s accessibility features. Recent examples include HookBot, another banking trojan capable of overlay attacks, credential theft, and worm-like propagation through WhatsApp messages. Such malware is often sold under a Malware-as-a-Service (MaaS) model, making it accessible to various cybercriminals.
To safeguard against malware like ToxicPanda, Android users should avoid sideloading apps from unverified sources and only download applications from trusted platforms like Google Play. Regular updates to device security settings and Android versions are crucial, as they often include patches for newly discovered vulnerabilities.
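The two properties the article singles out, accessibility-service access and installation from outside Google Play, are both visible to a device administrator through standard `adb` output. The following script is an added example written for this page, not code from the researchers or from any product; it parses the text of `adb shell settings get secure enabled_accessibility_services` and `adb shell pm list packages -i` and flags any package that has an accessibility service enabled but was not recorded as installed by the Play Store (`com.android.vending`). The output samples embedded below are constructed for the example, and the package names in them are fictional.

```python
"""Audit an Android device for apps that hold accessibility-service access
but were not installed through Google Play. Operates on the captured text of
two adb commands, so it can be run offline against saved output."""
import re

PLAY_STORE_INSTALLER = "com.android.vending"

# Constructed sample of: adb shell settings get secure enabled_accessibility_services
# (colon-separated list of package/service pairs)
SAMPLE_ENABLED_SERVICES = (
    "com.android.talkback/com.google.android.marvin.talkback.TalkBackService:"
    "com.example.fakechrome/com.example.fakechrome.AccService"
)

# Constructed sample of: adb shell pm list packages -i
# ("installer=null" means no installing package was recorded, which is what
# a sideload via adb or a file manager typically leaves behind)
SAMPLE_PACKAGES_WITH_INSTALLER = """\
package:com.android.talkback  installer=com.android.vending
package:com.example.fakechrome  installer=null
package:com.android.chrome  installer=com.android.vending
package:com.example.sideloaded_tool  installer=com.google.android.packageinstaller
"""


def parse_enabled_accessibility_services(raw):
    """Return {package: [service_class, ...]} from the settings value."""
    result = {}
    for entry in raw.strip().split(":"):
        if not entry or "/" not in entry:
            continue  # empty value or malformed entry, skip it
        pkg, svc = entry.split("/", 1)
        result.setdefault(pkg, []).append(svc)
    return result


def parse_installers(raw):
    """Return {package: installer or None} from 'pm list packages -i' output."""
    installers = {}
    pattern = re.compile(r"^package:(\S+)\s+installer=(\S+)\s*$")
    for line in raw.splitlines():
        m = pattern.match(line.strip())
        if not m:
            continue  # not a package line, ignore
        pkg, installer = m.group(1), m.group(2)
        installers[pkg] = None if installer == "null" else installer
    return installers


def find_suspicious_accessibility_apps(services_raw, installers_raw):
    """Return sorted (package, installer) pairs for apps that have an enabled
    accessibility service and were not installed by the Play Store."""
    enabled = parse_enabled_accessibility_services(services_raw)
    installers = parse_installers(installers_raw)
    findings = []
    for pkg in enabled:
        installer = installers.get(pkg)  # None if unknown or sideloaded
        if installer != PLAY_STORE_INSTALLER:
            findings.append((pkg, installer))
    return sorted(findings)


if __name__ == "__main__":
    for pkg, installer in find_suspicious_accessibility_apps(
        SAMPLE_ENABLED_SERVICES, SAMPLE_PACKAGES_WITH_INSTALLER
    ):
        print(f"REVIEW: {pkg} has accessibility access; installer={installer}")
```

On a real device, save the two command outputs to files and pass their contents to `find_suspicious_accessibility_apps`. A hit is not proof of infection: legitimate screen readers and automation tools installed from other stores will also appear, so treat the list as a review queue, with an app that mimics a well-known brand but was not installed from Play being the case most worth examining.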