November 5, 2024 at 07:57AM
A new Android banking malware, ToxicPanda, has infected over 1,500 devices, most of them in Italy. It carries out fraudulent transactions through account takeover, using on-device fraud to sidestep banks' identity verification. The malware is believed to be the work of a Chinese-speaking threat actor and shares code and design traits with the earlier TgToxic malware. It reaches victims through counterfeit app listings.
### Meeting Takeaways on ToxicPanda Malware Analysis
1. **Overview of ToxicPanda**:
– A new Android banking malware, ToxicPanda, has infected over 1,500 devices.
– The primary goal is to conduct fraudulent banking transactions through account takeover (ATO).
2. **Operational Techniques**:
– ToxicPanda performs on-device fraud (ODF): transactions are initiated from the victim's own, already-authenticated device, which defeats bank identity checks and fraud-detection heuristics that key on unfamiliar devices or locations.
– The malware shares foundational code with TgToxic, an earlier trojan that targets banking apps and crypto wallets.
3. **Geographical Impact**:
– Major compromises reported in:
– Italy (56.8%)
– Portugal (18.7%)
– Hong Kong (4.6%)
– Spain (3.9%)
– Peru (3.4%)
– The victimology is unusual: a Chinese-speaking threat actor targeting retail banking users in Europe and Latin America.
4. **Malware Characteristics**:
– ToxicPanda appears to be an early version, with fewer features than TgToxic.
– It lacks several of TgToxic's advanced capabilities but adds 33 commands of its own that TgToxic does not have.
5. **Distribution Method**:
– Distributed through counterfeit app store listings that masquerade as popular apps such as Google Chrome and Visa.
– How victims are driven to these listings is not yet known; malvertising and smishing are both plausible delivery channels.
6. **Functionality**:
– By abusing Android's accessibility services, the malware can manipulate user input, capture on-screen data, and intercept one-time passwords (OTPs), defeating SMS- and app-based two-factor authentication (2FA).
– It gives the operator remote control of the compromised device, so unauthorized transactions are initiated from the victim's own session.
7. **Command-and-Control (C2) Panel**:
– Cleafy accessed ToxicPanda’s C2 panel, which provides insights into victim devices.
– The panel is a Chinese-language graphical interface that lets operators request real-time remote access to a victim's device.
8. **Development Stage**:
– The current analysis suggests ToxicPanda is in early development or undergoing significant code changes.
– Artifacts in the code indicate that it still lacks distinctive evasion capabilities of its own.
9. **Research Contributions**:
– Separately, researchers have developed DVa, a malware analysis service that detects abuse of Android's accessibility features of the kind ToxicPanda relies on.
10. **Call to Action**:
– Stay informed of further developments on malware threats by following relevant channels on social media.
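The accessibility-service abuse, OTP interception and sideloaded distribution described in the takeaways above leave observable traces on a device. The following script is an added example, not code from Cleafy or from the original report: it triages ADB output for apps that combine an unfamiliar enabled accessibility service with SMS and overlay permissions and a non-store installer, which is the capability set an ODF banking trojan needs. The input formats are modelled on `adb shell settings get secure enabled_accessibility_services` and `adb shell dumpsys package <pkg>`; the sample outputs, the package name `com.example.fakechrome`, and the allowlists are constructed for the example and should be adapted to your fleet.

```python
"""Triage ADB output for ToxicPanda-style capability combinations.

Example code added by the editor (not from the original report). The parsers
assume the output shapes of `settings get secure enabled_accessibility_services`
and `dumpsys package <pkg>`; vendor builds may differ, so treat this as a
heuristic first pass, not a detection signature.
"""
import re

# Assumed allowlist of accessibility services expected on the device.
KNOWN_ACCESSIBILITY_SERVICES = {
    "com.google.android.marvin.talkback/"
    "com.google.android.marvin.talkback.TalkBackService",
}
# Assumed set of installers considered trustworthy (Play Store only here).
TRUSTED_INSTALLERS = {"com.android.vending"}

SMS_PERMISSIONS = {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS"}
OVERLAY_PERMISSION = "android.permission.SYSTEM_ALERT_WINDOW"


def parse_enabled_services(text):
    """Split the colon-separated 'pkg/Service' list; 'null' means none enabled."""
    text = text.strip()
    if not text or text == "null":
        return []
    return [s.strip() for s in text.split(":") if s.strip()]


def parse_dumpsys_package(text):
    """Pull installerPackageName and the 'requested permissions:' block."""
    installer = None
    requested = set()
    in_requested = False
    for line in text.splitlines():
        stripped = line.strip()
        m = re.match(r"installerPackageName=(\S+)", stripped)
        if m:
            installer = None if m.group(1) == "null" else m.group(1)
            continue
        if stripped == "requested permissions:":
            in_requested = True
            continue
        if in_requested:
            # The block ends at the next section header (ends with ':') or blank line.
            if not stripped or stripped.endswith(":"):
                in_requested = False
            else:
                requested.add(stripped.split(":")[0])
    return {"installer": installer, "requested_permissions": requested}


def triage(enabled_services_text, dumpsys_by_pkg,
           allowlist=KNOWN_ACCESSIBILITY_SERVICES,
           trusted_installers=TRUSTED_INSTALLERS):
    """Return one finding per unknown accessibility service, with reasons."""
    findings = []
    for service in parse_enabled_services(enabled_services_text):
        if service in allowlist:
            continue
        pkg = service.split("/", 1)[0]
        # Missing dumpsys output is treated as 'unknown installer, no permissions'.
        info = parse_dumpsys_package(dumpsys_by_pkg.get(pkg, ""))
        reasons = ["unknown accessibility service enabled"]
        if info["installer"] not in trusted_installers:
            reasons.append("not installed from a trusted store "
                           "(installer=%s)" % info["installer"])
        if info["requested_permissions"] & SMS_PERMISSIONS:
            reasons.append("requests SMS access (OTP interception)")
        if OVERLAY_PERMISSION in info["requested_permissions"]:
            reasons.append("requests overlay permission (fake login screens)")
        findings.append({"package": pkg, "service": service, "reasons": reasons})
    return findings


# Constructed sample output: one legitimate service plus a fake 'Chrome' app.
SAMPLE_ENABLED_SERVICES = (
    "com.google.android.marvin.talkback/"
    "com.google.android.marvin.talkback.TalkBackService:"
    "com.example.fakechrome/com.example.fakechrome.AccService"
)
SAMPLE_DUMPSYS = {
    "com.example.fakechrome": """Packages:
  Package [com.example.fakechrome] (1a2b3c):
    userId=10245
    installerPackageName=null
    requested permissions:
      android.permission.INTERNET
      android.permission.RECEIVE_SMS
      android.permission.READ_SMS
      android.permission.SYSTEM_ALERT_WINDOW
    install permissions:
      android.permission.INTERNET: granted=true
""",
}

if __name__ == "__main__":
    for finding in triage(SAMPLE_ENABLED_SERVICES, SAMPLE_DUMPSYS):
        print(finding["package"], "->", "; ".join(finding["reasons"]))
```

On a live device, feed `triage()` the output of the two ADB commands (one `dumpsys package` call per package named in the enabled-services list). A package that trips all four reasons is not proof of ToxicPanda, but it matches the capability profile in the takeaways closely enough to justify pulling the APK for analysis.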
These takeaways summarize the crucial aspects of the ToxicPanda malware, highlighting its methodology, impact, and ongoing research efforts to combat such threats.