Dangerous Android banking malware appears to trick victims with fake money transfers
- ToxicPanda can initiate money transfers and even obtain MFA codes
- The banking Trojan targets consumers in Europe and Latin America
- More than 1,500 devices have already been hacked
A Chinese hacker is targeting Android devices in Europe and Latin America with a banking Trojan that can steal money from victims’ accounts.
A new report from cybersecurity researchers Cleafy says the trojan, ToxicPanda, is quite similar to an older, well-known piece of malware called TgToxic, which was first spotted in 2023. ToxicPanda can be described as a ‘lite’ version of it, as many features seem to have been stripped down and some left as simple placeholders.
Despite being lighter, ToxicPanda is still a capable piece of malware. It can initiate money transfers, intercept one-time passwords (OTPs) generated via SMS or authenticator apps, and manipulate user input. It can also steal sensitive information from the affected device and capture data from other apps. However, in order to do all that, the app must be given permission to access Android’s accessibility services, which is a common warning sign for Android malware.
Years of campaign
The malware is usually hidden in fake Chrome, Visa, or 99 Speedmart apps, most likely spread via third-party websites, social media channels, and possibly phishing. The malicious apps cannot be found in any official app repositories (Google Play Store, Samsung’s app store or the like), and researchers are still speculating about how the apps are advertised on the Internet.
So far, the threat actor appears to have infected more than 1,500 Android devices. The majority are in Italy (56.8%) and Portugal (18.7%), with other notable mentions in Hong Kong (4.6%), Spain (3.9%) and Peru (3.4%). The researchers discovered this information by accessing ToxicPanda’s command-and-control (C2) panel.
The defense mechanisms against these types of attacks remain the same: only install apps from official, trusted sources, and treat any app that asks for access to Android’s accessibility services as a warning sign.
Via The Hacker News