New Android Banking Malware 'ToxicPanda' Targets Users with Fraudulent Money Transfers

A dangerous new Android banking malware, dubbed ToxicPanda, has infected over 1,500 devices by bypassing security measures and exploiting Android’s accessibility features to facilitate fraudulent money transfers. With roots in the TgToxic malware, ToxicPanda is suspected to be the work of a Chinese-speaking threat actor targeting bank customers in Europe and Latin America.

  • ToxicPanda Overview: An advanced banking trojan infecting Android devices to facilitate unauthorized bank transfers through account takeover (ATO) and on-device fraud (ODF).
  • Techniques & Distribution: Bypasses two-factor authentication (2FA) by intercepting SMS or authenticator app OTPs, masquerades as apps like Google Chrome and Visa, and installs via fake app pages.
  • Global Reach: Primarily impacts users in Italy, Portugal, Hong Kong, Spain, and Peru, marking a rare cross-continental fraud operation by a suspected Chinese threat actor.
  • Cleafy Findings: Researchers accessed ToxicPanda’s command-and-control (C2) panel, uncovering Chinese language controls for remote access to infected devices and further ODF activities.
  • Development Stage: Evidence of debugging files and dead code suggests ToxicPanda may be in early development or undergoing significant revisions.
  • Future Implications: Highlights increased risks of Android accessibility features misuse in malware, sparking further research on detection tools like DVa.

ToxicPanda exemplifies the growing sophistication in Android-targeted malware, capable of bypassing 2FA and using real-time device manipulation to commit fraud. As attackers refine such tools, the risk to banking app users rises, reinforcing the importance of comprehensive mobile security solutions and careful app permissions management. Stay protected with robust security tools and stay alert to avoid suspicious app downloads.