
ToxicPanda Malware Attacks Banking Apps on Android Devices

Published on


A new Android malware, called ToxicPanda, made its debut in late October 2024 and was initially associated with the TgToxic family due to similarities in bot commands. However, a thorough examination by Cleafy’s Threat Intelligence team uncovered significant differences in the code, leading to its reclassification as a separate threat.

In contrast to TgToxic, ToxicPanda lacks certain advanced functionalities such as an Automatic Transfer System (ATS), indicating a lower level of technical complexity. Nevertheless, it presents a notable danger because it enables account takeover (ATO) through on-device fraud (ODF), where the fraudulent transactions are initiated directly from the compromised device.

Geographically, ToxicPanda primarily targets retail banking services on Android devices and has been detected in Italy, Portugal, Spain, and several Latin American regions, with Italy being the most heavily affected. More than 1500 devices have fallen victim to this malware campaign, enabling cybercriminals to remotely control infected devices, intercept one-time passwords, and bypass two-factor authentication protocols.

Interestingly, Cleafy’s research suggests that the individuals behind ToxicPanda are likely fluent in Chinese, a unique characteristic given the traditional focus of Chinese-speaking hacker groups on targets outside of European banking institutions.

The propagation of this malware appears to rely on social engineering to persuade users to install the app manually, outside of official app stores. Once operational, ToxicPanda abuses Android’s accessibility services to elevate its permissions, allowing it to harvest sensitive information and perform actions on the user’s behalf. Access to ToxicPanda’s command-and-control (C2) infrastructure gave Cleafy researchers insight into the malware’s operational tactics, revealing a blend of new commands and placeholder commands inherited from the TgToxic lineage.

The absence of obfuscation methods, together with leftover debugging remnants, indicates that ToxicPanda is still in its developmental stages and may undergo further alterations. By taking advantage of regional connections and evading the security safeguards mandated by the Payment Services Directive (PSD2), ToxicPanda underscores the mounting challenges in mobile banking security as malicious actors refine their strategies and expand their targets.

Cleafy emphasized the growing prominence of the threat posed by ToxicPanda, raising concerns about the inadequacy of contemporary antivirus solutions in detecting such relatively straightforward threats. The lack of proactive, real-time detection systems was identified as a critical issue in combating evolving malware like ToxicPanda.

In conclusion, the emergence of ToxicPanda highlights the evolving landscape of mobile banking security threats and the pressing need for robust defense mechanisms to safeguard against increasingly sophisticated cyber threats. The identification and mitigation of such malicious activities remain essential in ensuring the protection of sensitive financial data and enhancing overall cybersecurity measures in the digital age.
