Analysis Summary

The newly identified ToxicPanda malware is a potent Android banking trojan capable of conducting unauthorized banking transactions via account takeovers (ATO). Its primary focus is on enabling on-device fraud (ODF) to bypass security measures implemented by banks, such as identity verification and behavioral detection, thereby allowing fraudulent money transfers from compromised devices.

According to the researchers, the malware is believed to originate from a Chinese-speaking threat actor. It shares technical foundations with another Android malware strain, TgToxic, which was documented in early 2023. Unlike TgToxic, ToxicPanda lacks features such as the Automatic Transfer System (ATS) and certain obfuscation techniques. Instead, it incorporates 33 new commands, making it a unique and evolving malware variant.

ToxicPanda's impact has been substantial, with over 1,500 devices compromised. Most infections have been reported in Italy (56.8%), Portugal (18.7%), Hong Kong (4.6%), Spain (3.9%), and Peru (3.4%), representing a unique instance of a Chinese actor targeting retail banking users in Europe and Latin America. Although some capabilities and commands are consistent with TgToxic, the malware’s structure is notably distinct, suggesting extensive refactoring or an early-stage evolution. Additionally, the existence of placeholder commands and logging artifacts suggests that ToxicPanda might still be under development with the operators possibly refining the malware’s code.

The malware operates by disguising itself as legitimate apps like Google Chrome, Visa, and 99 Speedmart, which are distributed through fake app store pages. It requires sideloading for installation and abuses Android’s accessibility services to gain high-level permissions, manipulate user inputs, and gather sensitive information from other apps.

ToxicPanda can intercept SMS or app-generated one-time passwords (OTPs), helping threat actors bypass two-factor authentication (2FA) and perform ODF-based unauthorized transfers. A unique feature of ToxicPanda is its command-and-control (C2) panel, presented in Chinese which enables operators to monitor victim device details like model and location and facilitates real-time remote access for conducting fraud.

Research from the Georgia Institute of Technology and partner universities has highlighted the broader issue of accessibility abuse by Android malware. They introduced a tool called DVA (Detector of Victim-specific Accessibility), which uses dynamic traces and symbolic execution strategies to identify malware that exploits Android's accessibility services for persistence and defense evasion. This tool enhances the ability to identify accessibility-based malware addressing the specific challenges associated with detecting and removing threats like ToxicPanda.

Impact

• Sensitive Information Theft
• Unauthorized Access
• Financial Loss
• Security Bypass

Indicators of Compromise

SHA1

• 9730491a85455b4fc005582751e554ba1dac7a6e
• dba76029847dce4aa71d0e48bdf7cfe7e0174f35
• 87486ddaf16cad28976840ddab1021d3b2035b24
• 526d4db2c11f33d24ca4ec727ac119c677e46b52

Remediation

• Block all threat indicators at your respective controls.
• Search for indicators of compromise (IOCs) in your environment utilizing your respective security controls.
• Ensure that all operating systems, software, and applications are regularly updated with the latest security patches.
• Conduct regular security awareness training for users to recognize and avoid phishing emails.
• Enable antivirus and anti-malware software and update signature definitions promptly. Using multi-layered protection is necessary to secure vulnerable assets.
• Along with network and system hardening, code hardening should be implemented within the organization so that their websites and software are secure. Use testing tools to detect any vulnerabilities in the deployed codes.
• Implement network segmentation to limit lateral movement within the network.
• Implement continuous monitoring of network traffic and endpoint activities to detect any unusual or suspicious behavior.
• Develop and regularly test an incident response plan to ensure a swift and effective response in case of a security incident.
• Implement SIEM solutions to centralize log collection and analysis. This can help in identifying patterns of suspicious behavior and provide timely alerts for potential security incidents.
• Regularly back up critical data and ensure that the backup copies are stored securely.