Introduction
ToxicPanda is a newly identified strain of Android banking malware [1] [3]. It is related to the TgToxic family [2] [4] but has been classified as a distinct family because of significant code differences [2]. As of October 2024 it had infected over 1,500 devices [1] [3], primarily in Italy [3], Portugal [3] [5], Spain [3] [4] [5] and Latin America [3] [4] [5], and targets customers of at least 16 banks. Its main objective is account takeover through on-device fraud (ODF) [1]: transactions are initiated from the victim's own, already-enrolled device, so they pass the device- and session-based checks banks use to spot fraud [1] [3] [4].
Description
ToxicPanda gives attackers remote access to compromised devices, enabling them to initiate unauthorized money transfers and change account settings without the victim's knowledge. The malware abuses Android's accessibility services to obtain elevated permissions [3] [5]; once the victim grants the accessibility permission in the system settings, the service can read screen content and interact with other applications, which lets ToxicPanda capture one-time passwords (OTPs) delivered by SMS or by authenticator apps [5] and thereby undermine multifactor authentication [5]. ToxicPanda also uses obfuscation to hinder analysis and detection [3], which raises its threat level in banking fraud.
ToxicPanda shows significant similarities to the TgToxic trojan family [3]: it shares 61 command names with TgToxic and introduces 33 new commands, some of which are not fully implemented, but it lacks advanced features such as an Automatic Transfer System (ATS), which points to a lower level of technical sophistication than TgToxic [2]. The operators are believed to be Chinese speakers [4], like those behind TgToxic [4], and their activity is expanding beyond the traditional European targets into Latin America [4]. Italy accounts for 56.8% of infections [3], followed by Portugal (18.7%) and emerging targets in Asia such as Hong Kong (4.6%) [3]. This shift suggests a change in the operators' focus [4] and illustrates how mobile banking malware keeps evolving.
Detection is hampered by the lack of proactive, real-time detection in contemporary antivirus solutions [5]. The malware's infrastructure, by contrast, is simple: it reaches its command-and-control (C2) server through three hard-coded domains and uses no Domain Generation Algorithm (DGA) [3]. Static C2 domains are a weakness on the attacker's side, since once they are extracted from a sample they can be blocked or monitored without having to predict future names.
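The two properties described above, an accessibility service combined with SMS access and hard-coded C2 URLs, can be checked statically during sample triage. The script below is an added example and is not code from the original page or from any of the cited reports: it parses a decoded AndroidManifest.xml and a string dump (both constructed here; the `.example` domains and the `com.example.fakebank` package are placeholders, not real indicators) and flags the accessibility-plus-SMS combination and any hard-coded C2 hosts. The "suspicious" verdict is a heuristic of this example, not a published detection rule.

```python
"""Static triage for the capabilities ToxicPanda is reported to abuse.

Added example. SAMPLE_MANIFEST and SAMPLE_STRINGS are constructed
inputs; the domains and package name are placeholders, not indicators
taken from a real sample.
"""
import re
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Permissions an Android app needs to read OTP codes out of incoming SMS.
SMS_PERMISSIONS = {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS"}
# A service bound with this permission (or registering this action) is an
# accessibility service and can read the screen and inject input.
ACCESSIBILITY_BIND = "android.permission.BIND_ACCESSIBILITY_SERVICE"
ACCESSIBILITY_ACTION = "android.accessibilityservice.AccessibilityService"

# Hard-coded C2 endpoints usually survive obfuscation as URL literals.
URL_HOST_RE = re.compile(r"\b(?:https?|wss?)://([A-Za-z0-9.-]+)")


def triage_manifest(manifest_xml: str) -> dict:
    """Flag accessibility services and SMS permissions in a decoded manifest."""
    root = ET.fromstring(manifest_xml)
    perms = {p.get(ANDROID_NS + "name") for p in root.iter("uses-permission")}

    accessibility_services = []
    for svc in root.iter("service"):
        bound = svc.get(ANDROID_NS + "permission") == ACCESSIBILITY_BIND
        actions = {a.get(ANDROID_NS + "name") for a in svc.iter("action")}
        if bound or ACCESSIBILITY_ACTION in actions:
            accessibility_services.append(svc.get(ANDROID_NS + "name"))

    sms = sorted(perms & SMS_PERMISSIONS)
    return {
        "accessibility_services": accessibility_services,
        "sms_permissions": sms,
        # Heuristic of this example: screen reader plus SMS access is the
        # OTP-capture combination, a legitimate screen reader needs no SMS.
        "suspicious": bool(accessibility_services) and bool(sms),
    }


def extract_hardcoded_hosts(strings_dump: str, ignore=("schemas.android.com",)) -> list:
    """Return the distinct hosts from URL literals, minus known framework URLs.

    Because ToxicPanda uses static domains rather than a DGA, this list is
    directly usable as a block/monitor list for DNS and proxy logs.
    """
    hosts = set()
    for match in URL_HOST_RE.finditer(strings_dump):
        host = match.group(1).lower()
        if not host.endswith(ignore):
            hosts.add(host)
    return sorted(hosts)


# Constructed inputs for the demonstration (not from a real sample).
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.fakebank">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <application>
    <service android:name=".OverlayAccessibilityService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
  </application>
</manifest>
"""

SAMPLE_STRINGS = """Ljava/lang/String;
https://schemas.android.com/apk/res/android
https://c2-one.example/api/v1/upload
wss://c2-two.example/ws
https://c2-three.example/
android.permission.BIND_ACCESSIBILITY_SERVICE
"""

if __name__ == "__main__":
    print(triage_manifest(SAMPLE_MANIFEST))
    print(extract_hardcoded_hosts(SAMPLE_STRINGS))
```

On a real sample, feed `triage_manifest` the manifest produced by `apktool d` (or any axml decoder) and `extract_hardcoded_hosts` the output of `strings` over the APK's classes.dex and native libraries; obfuscated samples may encrypt the URL literals, in which case the hosts have to be recovered from memory or network captures instead.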
Conclusion
The emergence of ToxicPanda highlights the evolving threat landscape in mobile banking security. Its ability to bypass multifactor authentication by abusing accessibility services, and its use of obfuscation to evade detection, pose significant challenges. Mitigating these threats requires real-time, behaviour-based detection in antivirus solutions rather than signature matching alone. As the operators expand geographically, financial institutions should monitor for on-device fraud patterns and block the known C2 domains, and users should avoid sideloaded apps and review which applications hold accessibility access on their devices.
References
[1] https://thehackernews.com/2024/11/new-android-banking-malware-toxicpanda.html
[2] https://www.infosecurity-magazine.com/news/toxicpanda-malware-banking-android/
[3] https://securityaffairs.com/170605/malware/toxicpanda-android-malware-targets-italy.html
[4] https://www.cleafy.com/cleafy-labs/toxicpanda-a-new-banking-trojan-from-asia-hit-europe-and-latam
[5] https://www.darkreading.com/application-security/android-botnet-toxicpanda-bashes-banks-europe-latin-america