Dangerous Android banking malware attempts to deceive victims with fake money transfers

by Junna Base November 9, 2024

ToxicPanda can initiate money transfers and even retrieve MFA codes
The banking Trojan targets consumers in Europe and Latin America
More than 1,500 devices already compromised

A Chinese hacker is targeting Android devices in Europe and Latin America with a banking Trojan capable of stealing money from victims’ accounts.

According to a new report from cybersecurity researcher Cleafy, the ToxicPanda Trojan is similar to an older, well-known malware called TgToxic, which was first discovered in 2023. The two share some similarities, although ToxicPanda can be described as “lite”. version, as many features appear to have been slimmed down and some have been left as simple placeholders.

Although ToxicPanda is lighter, it is still a powerful malware. It can initiate money transfers, intercept one-time passwords (OTPs) generated via both SMS and authentication apps, and manipulate user input. It can also steal sensitive information from the compromised device and collect data from other apps. However, in order to do all of this, the app must be granted permission to access Android’s accessibility services, which is a common red flag for Android malware.

Year-long campaign

In any case, the malware is usually hidden in fake Chrome, Visa or 99 Speedmart apps and is most likely spread via third-party websites, social media channels and possibly through phishing. The malicious apps cannot be found in official app repositories (Google Play Store, Samsung’s App Store, etc.) and researchers are still speculating about how the apps are promoted on the web.

So far, the threat actor appears to have infected more than 1,500 Android devices. The majority are in Italy (56.8%) and Portugal (18.7%), with other notable mentions including Hong Kong (4.6%), Spain (3.9%) and Peru (3.4%). The researchers discovered this information by accessing ToxicPanda’s command and control panel (C2).

The defenses against these types of attacks remain the same – be sure to only download apps from verified sources.

Over The Hacker News