New Android Banking malware ‘ToxicPanda’ targets users with fraudulent money transfers

More than 1,500 Android devices have been infected by a new strain of Android banking malware called ToxicPanda, which allows threat actors to conduct fraudulent banking transactions.

“ToxicPanda’s main goal is to initiate money transfers from compromised devices via account takeover (ATO) using a well-known technique called on-device fraud (ODF),” Cleafy researchers Michele Roviello, Alessandro Strino and Federico Valentini said in an analysis published Monday.

“It is intended to circumvent bank countermeasures used to enforce user identity verification and authentication, combined with behavioral detection techniques employed by banks to identify suspicious money transfers.”

ToxicPanda is believed to be the work of a Chinese-speaking threat actor, with the malware sharing fundamental similarities with another Android malware called TgToxic, which can steal login credentials and funds from crypto wallets. TgToxic was documented by Trend Micro in early 2023.

The majority of compromises were reported in Italy (56.8%), followed by Portugal (18.7%), Hong Kong (4.6%), Spain (3.9%) and Peru (3.4%). This distribution is a rare example of a Chinese threat actor orchestrating a fraudulent scheme against retail banking users in Europe and Latin America.

The banking Trojan also appears to be in its infancy. Analysis shows it to be a stripped-down version of its ancestor, removing Automatic Transfer System (ATS), Easyclick and obfuscation routines, while also introducing 33 new proprietary commands to collect a wide range of data.

Furthermore, as many as 61 commands have been found to be common to both TgToxic and ToxicPanda, suggesting that the same threat actor or close affiliates are behind the new malware family.

“Although it shares some similarities with the TgToxic family, the code differs significantly from the original source,” the researchers said. “Many capabilities typical of TgToxic are notably missing, and some commands appear as placeholders with no real implementation.”

The malware masquerades as popular apps such as Google Chrome, Visa, and 99 Speedmart and is distributed via spoofed pages that mimic app store listing pages. It is currently unknown how these links are distributed and whether they involve malvertising or smishing techniques.

Once installed via sideloading, ToxicPanda abuses Android’s Accessibility Services to gain elevated privileges, manipulate user input, and capture data from other apps. It can also intercept one-time passwords (OTPs) sent via SMS or generated using authenticator apps, allowing the threat actors to bypass two-factor authentication (2FA) protections and complete fraudulent transactions.
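The abuse described above hinges on two device-state facts a defender can check directly: which accessibility services are enabled, and whether the package behind each one was installed from the store or sideloaded. The following triage helper is an added example and is not part of the Cleafy report or the article; it parses the output of two real Android shell commands (`adb shell settings get secure enabled_accessibility_services`, which returns a colon-separated list of `package/service` entries, and `adb shell pm list packages -i`, which prints each package with its installer) and flags any enabled service that is not on an allowlist, noting whether its package came from a trusted installer. The sample command output, the allowlist, and the `com.chrome.update` package name are constructed for the example.

```python
"""Triage helper: flag enabled Android accessibility services that are not on an
allowlist and report whether their package was sideloaded.

Input is the text of two `adb shell` commands; the samples below are constructed
to resemble that output and are not from any real device.
"""
from __future__ import annotations

from typing import Optional

# Constructed sample of: adb shell settings get secure enabled_accessibility_services
SAMPLE_ENABLED_A11Y = (
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:"
    "com.chrome.update/com.chrome.update.AccessSvc"
)

# Constructed sample of: adb shell pm list packages -i   (package + installer)
SAMPLE_PACKAGES = """\
package:com.android.chrome  installer=com.android.vending
package:com.chrome.update  installer=null
package:com.google.android.marvin.talkback  installer=com.android.vending
"""

# Hypothetical allowlist: services an organisation expects to see enabled on managed devices
KNOWN_A11Y_SERVICES = {
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService",
}

# com.android.vending is the Google Play Store package name; extend for other trusted stores
TRUSTED_INSTALLERS = {"com.android.vending"}


def parse_enabled_services(raw: str) -> list[str]:
    """Split the colon-separated setting value into package/service entries.

    The setting reads 'null' when no accessibility service is enabled.
    """
    raw = raw.strip()
    if not raw or raw == "null":
        return []
    return [entry for entry in raw.split(":") if entry]


def parse_installers(raw: str) -> dict[str, Optional[str]]:
    """Map package name -> installer package; None means sideloaded or unknown."""
    installers: dict[str, Optional[str]] = {}
    for line in raw.splitlines():
        line = line.strip()
        if not line.startswith("package:"):
            continue
        pkg_part, _, installer_part = line.partition("installer=")
        pkg = pkg_part[len("package:"):].strip()
        installer = installer_part.strip()
        installers[pkg] = None if installer in ("", "null") else installer
    return installers


def triage(a11y_raw: str, pkg_raw: str,
           allowlist=KNOWN_A11Y_SERVICES,
           trusted=TRUSTED_INSTALLERS) -> list[dict]:
    """Return one finding per enabled accessibility service not on the allowlist.

    Each finding records the owning package, its installer, and whether the
    package was sideloaded (no installer, or one outside the trusted set).
    """
    installers = parse_installers(pkg_raw)
    findings = []
    for service in parse_enabled_services(a11y_raw):
        if service in allowlist:
            continue
        package = service.split("/", 1)[0]
        installer = installers.get(package)
        findings.append({
            "service": service,
            "package": package,
            "installer": installer,
            "sideloaded": installer is None or installer not in trusted,
        })
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_ENABLED_A11Y, SAMPLE_PACKAGES):
        flag = "SIDELOADED" if finding["sideloaded"] else "store-installed"
        print(f"{finding['service']}  ({flag}, installer={finding['installer']})")
```

On a real device the two sample strings would be replaced by the captured command output; a service that is both unrecognised and sideloaded is the combination the article describes and is the first thing to pull for analysis.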

The core functionality of the malware, in addition to its ability to collect information, is to allow attackers to remotely control the affected device and perform so-called ODF, which makes it possible to initiate unauthorized money transfers without the victim’s knowledge.

Cleafy said it was able to access ToxicPanda’s command-and-control (C2) panel, a graphical interface in Chinese that allows its operators to view a list of victim devices, including model information and location, and to remove them from the botnet. In addition, the panel serves as a channel for requesting real-time remote access to each of the devices for performing ODF.

“ToxicPanda needs to demonstrate more advanced and unique capabilities that would complicate its analysis,” the researchers said. “However, artifacts such as log information, dead code, and debug files suggest that the malware is in early stages of development or undergoing extensive code refactoring, especially given its similarities to TgToxic.”

The development comes as a group of researchers from the Georgia Institute of Technology, German International University and Kyung Hee University have developed a backend malware analysis service called DVa – short for Detector of Victim-specific Accessibility – to flag malware that uses accessibility features on Android devices.

“Using dynamic execution traces, DVa further leverages an abuse vector-based symbolic execution strategy to identify and attribute abuse routines to victims,” they said. “Finally, DVa detects (accessibility) enabled persistence mechanisms to understand how malware hinders legal queries or takedown efforts.”

ToxicPanda’s discovery also follows a report from Netcraft that detailed another Android banking malware, HookBot (aka Hook), which also exploits Android’s accessibility services to perform overlay attacks, displaying fake login pages on top of legitimate banking apps to steal login credentials and other personal data.

Some of the popular institutions targeted by the malware include Airbnb, Bank of Queensland, Citibank, Coinbase, PayPal, Tesco and Transferwise. In addition to collecting sensitive data, a notable feature of the Trojan is its ability to spread in a worm-like manner by sending links to malware-laden apps via WhatsApp messages.

“HookBot can also record keystrokes and take screenshots to steal sensitive data while the user interacts with their device,” the company said. “It can also intercept text messages, including those used for two-factor authentication (2FA), allowing threat actors to gain full access to victim accounts.”

HookBot is offered for sale on Telegram to other criminal actors under a Malware-as-a-Service (MaaS) model, costing anywhere from $80 for a weekly subscription to $640 for six months. It also comes with a builder that allows customers to generate new malware samples and build dropper apps.

Update

Following the publication of the story, Google shared the statement below with The Hacker News:

Based on our current detection, no apps containing this malware were found on Google Play. Android users are automatically protected against known versions of this malware by Google Play Protect, which is enabled by default on Android devices with Google Play Services. Google Play Protect can warn users or block apps known to exhibit malicious behavior, even if those apps come from sources outside of Play.
