Dangerous Android banking malware appears to trick victims into fake money transfers

On November 9, 2024By Littum

ToxicPanda can initiate money transfers and even grab MFA codes
The banking trojan targets consumers in Europe and Latin America
More than 1,500 devices have already been compromised

A Chinese hacker is targeting Android devices in Europe and Latin America with a banking Trojan capable of stealing money from victim accounts.

A new report from cybersecurity researchers Cleafy says that the Trojan, ToxicPanda, is quite similar to a piece of older, known malware called TgToxic, which was first discovered in 2023. The two have some similarities, although ToxicPanda can be described as a “lite” version as many features appear to have been removed and some were left as simple placeholders.

Despite being lighter, ToxicPanda is still a capable piece of malware. It can initiate money transfer, intercept one-time passwords (OTPs) generated both via SMS or authentication apps, and manipulate user input. It can also steal sensitive information from the compromised device and capture data from other apps. However, to do all that, the app needs permission to access Android’s accessibility services, which is a normal red flag for Android-borne malware.

Year-long campaign

In any case, the malware is usually hidden in fake Chrome, Visa, or 99 Speedmart apps, likely distributed via third-party websites, social media channels, and possibly phishing. The malicious apps cannot be found on official app repositories (Google Play Store, Samsung’s app store, etc.), and researchers are still speculating about how apps are advertised across the web.

So far, the threat actor appears to have infected more than 1,500 Android devices. The majority are located in Italy (56.8%) and Portugal (18.7%), while other notable mentions are Hong Kong (4.6%), Spain (3.9%) and Peru (3.4%). The researchers discovered this information by accessing ToxicPanda’s command-and-control panel (C2).

Defense mechanisms against these types of attacks remain the same – be careful to only download apps from verified sources.

Via Hacker News