New Android Banking Trojan Named ToxicPanda Identified
Quick take - In October 2024, the Cleafy Threat Intelligence team identified a new Android banking Trojan named ToxicPanda, linked to a campaign against 16 banking institutions primarily in Europe and Latin America. The malware performs account takeover from the infected device itself and shows signs of being in an early stage of development.
Fast Facts
- New Malware Family: Cleafy identified a new Android banking Trojan named ToxicPanda, initially linked to the TgToxic family, with significant code differences indicating it is a distinct malware.
- Operational Focus: ToxicPanda targets 16 banking institutions primarily in Italy, Portugal, Spain, and Latin America, suggesting a shift in focus for the threat actors, likely Chinese speakers.
- Infection and Functionality: The malware employs On-Device Fraud (ODF) techniques for account takeover, allowing money transfers of up to 10,000 EUR, but exhibits reduced functionality compared to other banking Trojans.
- Botnet Insights: An active botnet of over 1,500 infected devices was identified, with Italy hosting over 50% of these, followed by Portugal, Spain, France, and Peru.
- Security Implications: The report underscores the need for proactive detection systems to combat emerging threats like ToxicPanda, which relies on accessibility service abuse, remote control of the device, and OTP interception rather than on technical sophistication.
New Android Banking Trojan: ToxicPanda Uncovered
In October 2024, the Cleafy Threat Intelligence team uncovered a new Android banking Trojan campaign. Initially, this campaign was linked to the TgToxic banking Trojan family, which has been primarily reported in Southeast Asia. Further analysis revealed significant differences in the code, leading to the identification of a new malware family named ToxicPanda.
Objectives and Capabilities of ToxicPanda
The primary objective of ToxicPanda is to facilitate money transfers from compromised devices. It achieves this through account takeover (ATO) using On-Device Fraud (ODF). ToxicPanda aims to circumvent bank identity verification, authentication measures, and behavioral detection techniques. The source code of ToxicPanda indicates that it is still in the early stages of development, with many commands within the code serving as placeholders. An active botnet was identified, consisting of over 1,500 infected devices spread across Italy, Portugal, Spain, and Latin America, targeting 16 banking institutions.
The threat actors behind this campaign are likely Chinese speakers, similar to those associated with TgToxic. It is unusual for such actors to engage in banking fraud operations targeting Europe and Latin America, suggesting a potential shift in their operational focus.
Distribution and Infection Methods
Cleafy observed a surge in detections of a new Android malware sample in late October 2024, initially classified as TgToxic. While the new sample shares some similarities with TgToxic, it diverges significantly in code and capabilities. ToxicPanda belongs to the modern generation of Remote Access Trojans (RATs) for mobile devices: its remote access capabilities let the operators carry out ATO directly from the infected device using ODF techniques, so the fraudulent transfer originates from the victim's own handset and session.
Telemetry recovered from the botnet's infrastructure revealed the extent of the campaign and its geographical distribution. Italy accounts for over 50% of the infected devices, followed by Portugal, Spain, France, and Peru. The presence of Latin American victims indicates that the operators are expanding beyond Europe. The campaign primarily targets retail banking customers and runs on Android devices; the initial infection typically relies on side-loading an APK obtained through social engineering, not on the official app store.
Technical Analysis and Threat Implications
ToxicPanda allows for transfer amounts of up to 10,000 EUR. Despite this, it offers reduced functionality compared to other modern banking Trojans, with many commands poorly implemented or not implemented at all. The malware also lacks certain features characteristic of TgToxic, indicating a downgrade in technical sophistication. The shift in targets from cryptocurrency wallets to traditional financial institutions broadens the pool of potential victims to ordinary bank account holders.
ToxicPanda employs a mix of well-known brand icons and decoy icons to enhance its deceptive capabilities. Key features include accessibility service abuse, remote control capabilities, interception of one-time passwords (OTPs), and the use of obfuscation techniques. However, the developers may encounter challenges due to their unfamiliarity with foreign targets, and stricter regulations in certain countries may also pose obstacles.
The analysis revealed that ToxicPanda shares 61 command names with TgToxic, indicating a possible connection between the two malware families. ToxicPanda introduces 33 new commands, some of which are not yet implemented. The malware relies on three hard-coded domains for communication with its command and control (C2) server: a handshake request over HTTPS is followed by a persistent connection over the WebSocket protocol. Network traffic is encrypted with AES in ECB mode using a hard-coded key. Both choices work in an analyst's favour: a key embedded in the APK can be extracted and reused to decrypt captured C2 traffic, and ECB mode encrypts identical 16-byte plaintext blocks to identical ciphertext blocks, so repeated structure in commands remains visible even without the key.
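The following Go program is an added example, not code from the Cleafy report or from the malware itself. It models the encryption layer described above: AES-128 in ECB mode with PKCS#7 padding and a key hard-coded in the client. The key value, the JSON command body and the traffic bytes are all constructed here for illustration; the real key and command format are not given on this page. The program shows two things a practitioner would check when triaging such traffic: that an extracted key is sufficient to decrypt every message, and that ECB leaks repeated plaintext blocks through repeated ciphertext blocks.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"encoding/hex"
	"errors"
	"fmt"
)

// c2Key is a placeholder standing in for the key hard-coded in the APK.
// It is NOT ToxicPanda's key; it exists only so the example runs.
var c2Key = []byte("0123456789abcdef") // 16 bytes => AES-128

// pkcs7Pad appends 1..bs bytes, each equal to the pad length.
func pkcs7Pad(b []byte, bs int) []byte {
	n := bs - len(b)%bs
	return append(b, bytes.Repeat([]byte{byte(n)}, n)...)
}

// pkcs7Unpad strips PKCS#7 padding and rejects malformed padding.
func pkcs7Unpad(b []byte, bs int) ([]byte, error) {
	if len(b) == 0 || len(b)%bs != 0 {
		return nil, errors.New("bad padded length")
	}
	n := int(b[len(b)-1])
	if n == 0 || n > bs {
		return nil, errors.New("bad pad byte")
	}
	for _, c := range b[len(b)-n:] {
		if int(c) != n {
			return nil, errors.New("inconsistent padding")
		}
	}
	return b[:len(b)-n], nil
}

// ecbEncrypt mirrors what the client does: pad, then encrypt each block
// independently. No IV, no authentication tag.
func ecbEncrypt(key, pt []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	padded := pkcs7Pad(pt, block.BlockSize())
	ct := make([]byte, len(padded))
	for i := 0; i < len(padded); i += block.BlockSize() {
		block.Encrypt(ct[i:i+block.BlockSize()], padded[i:i+block.BlockSize()])
	}
	return ct, nil
}

// ecbDecrypt is the analyst's side: with the extracted key, any captured
// message decrypts without further context.
func ecbDecrypt(key, ct []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	if len(ct) == 0 || len(ct)%block.BlockSize() != 0 {
		return nil, errors.New("ciphertext is not a whole number of blocks")
	}
	pt := make([]byte, len(ct))
	for i := 0; i < len(ct); i += block.BlockSize() {
		block.Decrypt(pt[i:i+block.BlockSize()], ct[i:i+block.BlockSize()])
	}
	return pkcs7Unpad(pt, block.BlockSize())
}

// repeatedBlocks counts 16-byte ciphertext blocks that duplicate an earlier
// block. Any value above zero is a strong indicator of ECB mode.
func repeatedBlocks(ct []byte) int {
	seen := map[string]bool{}
	dup := 0
	for i := 0; i+16 <= len(ct); i += 16 {
		k := string(ct[i : i+16])
		if seen[k] {
			dup++
		}
		seen[k] = true
	}
	return dup
}

func main() {
	// Constructed command body; the real command schema is not on this page.
	cmd := []byte(`{"cmd":"get_info","id":1}`)
	ct, _ := ecbEncrypt(c2Key, cmd)
	fmt.Println("ciphertext:", hex.EncodeToString(ct))
	pt, _ := ecbDecrypt(c2Key, ct)
	fmt.Println("decrypted :", string(pt))

	// Three identical blocks of plaintext produce three identical blocks of
	// ciphertext; this structure is visible on the wire without the key.
	leaky, _ := ecbEncrypt(c2Key, bytes.Repeat([]byte("AAAAAAAAAAAAAAAA"), 3))
	fmt.Println("repeated ciphertext blocks:", repeatedBlocks(leaky))
}
```

In a real investigation the key would come from the decompiled APK and the ciphertext from a capture of the WebSocket frames after the HTTPS handshake; the decryption routine does not change, which is exactly why a hard-coded symmetric key gives defenders full visibility into the C2 protocol once a sample is in hand.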
As the threat posed by ToxicPanda continues to grow, concentrated in Europe with potential expansion into Latin America, the fact that malware of such technical simplicity still reaches victims raises concerns about the effectiveness of contemporary antivirus solutions. The report emphasizes the critical need for proactive, real-time detection systems to enhance security against emerging threats like ToxicPanda.
Original Source: Read the Full Article Here