ToxicPanda Android Botnet Attacks Banks in Europe and Latin America

November 5, 2024

A new Android banking Trojan known as ToxicPanda has been discovered attacking financial institutions across Latin America and Europe. The Trojan, believed to be a new strain of the Toxic banking Trojan family, has been found on at least 1,500 individual devices across Italy, Portugal, Spain, and Latin America, actively attempting to steal money from at least 16 different banks, according to Cleafy's findings. The Chinese-speaking threat actors behind ToxicPanda use the malware to take over a targeted device and initiate fraudulent money transfers, bypassing the banks' identity and authentication protections.

The Cleafy team warned, 'Remote access capabilities allow threat actors to conduct account takeover (ATO) directly from the infected device, thus exploiting the on-device Fraud (ODF) technique.' Similar techniques have been observed in other banking Trojans such as Medusa, Copybara, and BingoMod.

The stripped-down, manual approach taken by the operators of this Android banking Trojan means they do not need highly skilled developers, lets them victimize a wider range of banking customers, and bypasses many of the cybersecurity protections used by banks and financial services.

Code analysis revealed that ToxicPanda is still in its early stages of development but already boasts a significant set of features. These include the ability to abuse Android's accessibility services to escalate permissions, capture data from applications, and gain remote control of the infected device to initiate actions such as money transfers without the user's knowledge. The Trojan can also intercept one-time passwords delivered by SMS or by an authenticator app, effectively dismantling multifactor authentication protections.

ToxicPanda employs code obfuscation to evade detection. The increase in ToxicPanda activity suggests that Chinese-speaking threat actors are expanding their operations into new territories beyond their traditional Southeast Asian roots.

The report from Cleafy also highlighted the growing challenges facing the mobile security ecosystem as the market becomes increasingly saturated with malware and new threat actors emerge. The report asked why current antivirus solutions have struggled to detect a threat like ToxicPanda that is, in technical terms, relatively straightforward; it identified the lack of proactive, real-time detection systems as a primary issue.

As Chinese-speaking groups look to gain initial access to devices, they often exploit Android vulnerabilities in large-scale attacks. On November 4, Google released patches for several Android vulnerabilities, including CVE-2024-43047 and CVE-2024-43093, both of which have already been exploited. The first was discovered by Amnesty International and Google's Threat Analysis Group, known for tracking commercial spyware activity, while the second is a high-severity privilege escalation flaw in the Android framework. Google has not yet provided additional details about these vulnerabilities.
