New Android Banking Malware 'ToxicPanda' Targets Users with Fraudulent Money Transfers
Summary:
Cleafy’s Threat Intelligence team observed a significant spike in malicious activity involving a new Android malware sample in late October 2024. Initially classified as TgToxic, the sample was analyzed further: although it shares bot commands with TgToxic, the code differs greatly, with many TgToxic capabilities absent and some commands acting as placeholders for unimplemented modules, which led Cleafy to classify it as a new family named ToxicPanda. ToxicPanda’s remote access capabilities allow the adversary to perform account takeover from the infected device, exploiting the On-Device Fraud technique that is commonplace in the current generation of mobile malware. Adopting a manual approach to performing attacks has several advantages: it requires less skilled developers, lets the threat actors (TAs) extend the malware’s target base to the customers of any bank, and bypasses various behavioral detection countermeasures put in place by banks and financial services. ToxicPanda attacks are financially motivated, as the adversary’s main goal is to initiate money transfers from compromised devices via account takeover (ATO) using on-device fraud (ODF). According to Cleafy, over 1500 Android devices were infected and remotely controlled during the ToxicPanda fraud campaign, with Italy as the primary hotspot, accounting for more than 50% of infected devices.
Based on findings from Cleafy, the threat actors behind this campaign are likely Chinese speakers. It is uncommon for threat actors based in this region to conduct banking fraud operations in Europe and Latin America, and this activity marks a shift in primary targets from crypto wallet users to financial institutions. Notes in the codebase imply the adversary is inexperienced in attacking these targets, highlighting the complexity of changing operational environments. Although this sample uses TgToxic as a foundational template, the reduced obfuscation and the removal of much of TgToxic’s functionality indicate a downgrade in technical sophistication, especially when compared with other modern banking trojans.
ToxicPanda uses 3 hard-coded domains to establish a C2 connection. The malware masquerades as popular apps such as Google Chrome and Visa, and the initial access vector is counterfeit pages that mimic their app store listings. It is currently unclear how the malicious links are distributed, or whether distribution involves malvertising or smishing. Once ToxicPanda is installed via sideloading, it abuses Android’s accessibility services to escalate privileges, capture data, and intercept SMS OTPs to bypass MFA protections. Beyond its information harvesting capabilities, the most worrisome functionality is the attackers’ ability to gain remote control of the device and perform ODF.
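The two traits described above, sideloaded installation and abuse of accessibility services, are also the two things a responder can check quickly on a device under review. The following triage helper is an added example written for this summary; it is not code from Cleafy’s report or from the malware. It assumes two inputs captured as text from the device, `adb shell settings get secure enabled_accessibility_services` and `adb shell pm list packages -3 -i`, and it flags any third-party app that holds accessibility access but was not installed through a trusted store (Google Play, `com.android.vending`, is the only entry in the trusted set here). The sample strings and package names are constructed for illustration.

```python
"""Added triage example (not from Cleafy's report or the ToxicPanda code).

Cross-references which third-party apps hold Android accessibility-service
access with the installer that put each app on the device. Assumed inputs
are the text output of:
    adb shell settings get secure enabled_accessibility_services
    adb shell pm list packages -3 -i
The sample strings below are constructed; the package names are made up.
"""

from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Installer package names treated as official store channels.
# com.android.vending is Google Play; add a managed enterprise store if you use one.
TRUSTED_INSTALLERS: Set[str] = {"com.android.vending"}

# Constructed sample: colon-separated "<package>/<service class>" entries,
# which is how the enabled_accessibility_services setting is stored.
SAMPLE_ENABLED_SERVICES = (
    "com.example.keyboard/com.example.keyboard.A11yService:"
    "com.example.fake.chrome/com.example.fake.chrome.Svc"
)

# Constructed sample of `pm list packages -3 -i` output (third-party apps only).
SAMPLE_PM_LIST = """\
package:com.example.keyboard  installer=com.android.vending
package:com.example.fake.chrome  installer=null
package:com.example.bank  installer=com.android.vending
"""


def parse_enabled_services(raw: str) -> Set[str]:
    """Return the packages that have at least one enabled accessibility service."""
    raw = raw.strip()
    if not raw or raw == "null":
        return set()
    # Keep only the package part of each "<package>/<service class>" entry.
    return {entry.split("/", 1)[0] for entry in raw.split(":") if entry}


def parse_installers(raw: str) -> Dict[str, Optional[str]]:
    """Map package name -> installer package; None means no recorded installer (sideloaded)."""
    result: Dict[str, Optional[str]] = {}
    for line in raw.splitlines():
        line = line.strip()
        if not line.startswith("package:"):
            continue
        body = line[len("package:"):]
        pkg, _, installer = body.partition("installer=")
        installer = installer.strip()
        result[pkg.strip()] = None if installer in ("", "null") else installer
    return result


@dataclass(frozen=True)
class Finding:
    package: str
    installer: Optional[str]
    reason: str


def triage(enabled_raw: str, pm_raw: str) -> List[Finding]:
    """Flag third-party apps with accessibility access that did not come from a trusted store."""
    a11y_packages = parse_enabled_services(enabled_raw)
    installers = parse_installers(pm_raw)
    findings: List[Finding] = []
    for pkg in sorted(a11y_packages):
        if pkg not in installers:
            # Not in the third-party list: a system component, outside this check's scope.
            continue
        installer = installers[pkg]
        if installer not in TRUSTED_INSTALLERS:
            findings.append(Finding(
                package=pkg,
                installer=installer,
                reason="accessibility service enabled on an app not installed from a trusted store",
            ))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_ENABLED_SERVICES, SAMPLE_PM_LIST):
        print(f"[!] {f.package} (installer={f.installer}): {f.reason}")
```

A flagged app is a triage lead, not a verdict: legitimate keyboards and assistive tools are sometimes sideloaded, so the next step is to inspect the flagged package (its signing certificate, requested permissions, and the C2 domains it contacts against the published IOCs) rather than to treat the match as proof of infection. The `installer=` field format can vary by Android version, so adjust `parse_installers` to whatever the device actually prints.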
Security Officer Comments:
The primary objective of ToxicPanda is to facilitate account takeover (ATO) and on-device fraud (ODF). By harvesting sensitive information, intercepting OTPs, and gaining remote access, attackers can initiate unauthorized transactions and drain victims’ accounts, which indicates the adversary’s financial motivation. The emergence of ToxicPanda highlights a shift in threat actor behavior: Chinese-speaking threat actors, traditionally focused on cryptocurrency-related attacks, are now expanding their operations to target traditional financial institutions. This expansion, coupled with the reduced technical sophistication of ToxicPanda while it is in early development, suggests a potential increase in crude, financially motivated cybercrime activity in the near future. The success of a campaign that relies on rudimentary features such as hard-coded domains and uncomplicated lures highlights the challenge of mobile security as IoT devices become more prevalent. The adversary’s willingness to change operational environments underscores their adaptability and scalability when it is conducive to their financial gain.
Suggested Corrections:
IOCs for this ToxicPanda fraud campaign are published in the Cleafy report referenced below.
Mobile Device Security Recommendations
- Keep your software updated: Only 20 percent of Android devices are running the newest version and only 2.3 percent are on the latest release. Everything from your operating system to your social network apps is a potential gateway for hackers to compromise your mobile device. Keeping software up to date ensures the best protection against most mobile security threats.
- Choose mobile security: Just like computers, your mobile devices also need internet security. Make sure to select mobile security software from a trusted provider and keep it up to date.
- Install a firewall: Most mobile phones do not come with any kind of firewall protection. Installing a firewall provides you with much stronger protection against digital threats and allows you to safeguard your online privacy.
- Always use a passcode on your phone: Remember that loss or physical theft of your mobile device can also compromise your information.
- Download apps from official app stores: Both the Google Play and Apple App stores vet the apps they sell; third-party app stores don’t always. Buying from well-known app stores may not ensure you never get a bad app, but it can help reduce your risk.
- Always read the end-user agreement: Before installing an app, read the fine print. Grayware purveyors rely on your not reading their terms of service and allowing their malicious software onto your device.
https://thehackernews.com/2024/11/new-android-banking-malware-toxicpanda.html
https://www.cleafy.com/cleafy-labs/toxicpanda-a-new-banking-trojan-from-asia-hit-europe-and-latam