In October 2024 the team at Cleafy, a company that develops cybersecurity solutions, identified a new and dangerous piece of Android malware called ToxicPanda, a threat that steals money from users' bank accounts by circumventing the banks' security measures to make unauthorized transfers. It is a banking trojan with remote access (RAT) capabilities, meaning it lets attackers take control of the infected device remotely and carry out operations without the user noticing. Cleafy's investigation identified a botnet of over 1,500 infected devices in Italy, Portugal, Spain and Latin America, targeting 16 banking institutions. To defend yourself from this malware, install apps only from verified sources (such as the Google Play Store) and keep your phone's operating system updated with the latest available security patches.
What ToxicPanda can do and why it is dangerous
ToxicPanda stands out for its ability to adapt: it abuses the accessibility services of the Android device to obtain elevated permissions and manipulate its interactions with other apps. This allows it, for example, to intercept one-time passwords (OTPs), the codes commonly required to complete banking operations such as arranging bank transfers or purchasing financial instruments. In an official note, the Cleafy team explains:
ToxicPanda’s primary goal is to initiate money movements from compromised devices via account takeover (ATO) using a well-known technique called On-Device Fraud (ODF). It aims to bypass banking countermeasures used to enforce user identity verification and authentication, combined with behavioral detection techniques applied by banks to identify suspicious money transfers.
Cleafy found that the infection campaign has hit Italy hardest: over half of the infected devices (56.8%) are located there, followed by Spain, Portugal, France and Peru. This suggests the malware is expanding geographically into new territories such as Latin America, in addition to Europe.
How ToxicPanda propagates and why it is difficult to detect it
The malware relies on code obfuscation techniques that make it difficult for antivirus software to detect and hard for researchers to identify its functions with any certainty, since it masks its code and hides among the apps on the device. To support the deception, the criminals have used misleading icons, such as those of Google Chrome or of dating apps, to confuse users and increase the chances that they install it.
ToxicPanda's strength lies in its operational simplicity: it uses remote control tools to carry out banking operations directly, without requiring the involvement of highly qualified developers. This approach lets the attackers reduce costs and broaden the range of potential victims, since any banking customer could be targeted. Furthermore, authorities and the banks' anti-fraud teams find these attacks difficult to detect, because the operations originate from the victim's own device, so device-based and behavioral checks see a transaction coming from the legitimate customer's phone and traditional countermeasures are bypassed.
An interesting feature of the malware is its ability to access the phone's photo albums and transmit the images to the command and control (C2) server after base64-encoding them. This technique, already observed in other malware such as TrickMo, lets the criminals collect sensitive data such as screenshots of login credentials or virtual cards, increasing the amount of information that can be exploited against the victims.
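Photos that leave the device as base64 text are easy to miss in a traffic capture but easy to recognise once decoded, because image files start with fixed signature bytes. The following script is an added example, not code from Cleafy or from the malware: it parses a form-encoded POST body, tries to base64-decode every field and reports the ones that decode to a JPEG, PNG, GIF or WebP. The sample body is constructed here and the field names (dev, img, note) are assumptions.

```python
"""Recognise base64-encoded images in captured C2 traffic.

Added example, not code from Cleafy or from the malware: the POST body is
constructed here, the field names (dev, img, note) are assumptions, and the
only thing taken from the article is that photos leave the device as base64.
"""
import base64
import binascii
from urllib.parse import parse_qsl, urlencode

# Signatures of the formats a phone gallery or screenshot folder normally holds.
IMAGE_MAGIC = {
    b"\xff\xd8\xff": "jpeg",
    b"\x89PNG\r\n\x1a\n": "png",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
    b"RIFF": "webp",  # RIFF....WEBP; bytes 8..12 are checked in classify_image
}


def decode_base64(value):
    """Return decoded bytes if `value` is standard or URL-safe base64, else None."""
    # Form decoding turns '+' into ' '; put it back before validating.
    cleaned = value.strip().replace(" ", "+").replace("\n", "").replace("\r", "")
    if len(cleaned) < 8:
        return None
    cleaned += "=" * (-len(cleaned) % 4)  # tolerate stripped padding
    for altchars in (None, b"-_"):
        try:
            return base64.b64decode(cleaned, altchars=altchars, validate=True)
        except (binascii.Error, ValueError):
            continue
    return None


def classify_image(data):
    """Return 'jpeg', 'png', 'gif' or 'webp' if `data` starts with a known signature, else None."""
    for magic, kind in IMAGE_MAGIC.items():
        if data.startswith(magic):
            if kind == "webp" and data[8:12] != b"WEBP":
                continue  # some other RIFF container (WAV, AVI), not an image
            return kind
    return None


def find_exfiltrated_images(body):
    """Parse a form-encoded POST body; return (field, image type, decoded size)
    for every field whose value decodes to an image."""
    hits = []
    for field, value in parse_qsl(body, keep_blank_values=True):
        data = decode_base64(value)
        if data is None:
            continue
        kind = classify_image(data)
        if kind is not None:
            hits.append((field, kind, len(data)))
    return hits


# Constructed sample: a valid 8-byte PNG signature plus filler, encoded and wrapped
# in a form body the way a mobile HTTP client would send it.
SAMPLE_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 40
SAMPLE_BODY = urlencode({
    "dev": "a1b2c3d4",                                   # assumed device-id field
    "img": base64.b64encode(SAMPLE_PNG).decode("ascii"),
    "note": "hello world",                               # plain text, must not be flagged
})

if __name__ == "__main__":
    for field, kind, size in find_exfiltrated_images(SAMPLE_BODY):
        print(f"field {field!r} carries a {kind} image of {size} bytes")
```

The same classification can be run over JSON fields or over long base64 runs pulled out of a raw packet capture; the decisive check is the signature of the decoded bytes, not the transport framing, so a sample that wraps the photo differently still yields to the same test.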
How to defend yourself from ToxicPanda
To defend yourself from ToxicPanda it is essential to adopt a few precautions, listed below.
- Install apps only from verified sources: if possible, install applications only from the Play Store, the Huawei AppGallery or, in any case, the official store available on your device. Also be wary of apps that ask for unusual permissions, such as access to accessibility services, which a browser or a dating app has no legitimate reason to request.
- Update your operating system: the security patches released by your phone's manufacturer contain fixes for security flaws that malware can otherwise exploit.
- Use two-factor authentication: although ToxicPanda can technically intercept OTP codes delivered to the infected device, make sure two-factor authentication (2FA) is enabled on all services that support it; it still adds a layer of security against attackers who have obtained only your password.
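The first two precautions can be checked rather than taken on faith. The following script is an added example, not from Cleafy or the article: it parses the output of three stock `adb shell` commands (`settings get secure enabled_accessibility_services`, `pm list packages -i` and `pm list packages -s`) and lists every app that currently holds an enabled accessibility service but was neither preinstalled nor installed by a trusted store. The sample outputs are constructed, and the package names com.example.chromeupd and com.example.pwmanager are assumed stand-ins for a sideloaded app with a Chrome-like icon and a Play-installed password manager.

```python
"""Triage an Android device for sideloaded apps that hold accessibility access.

Added example, not from Cleafy or the article: it parses the output of three
stock `adb shell` commands. The sample outputs below are constructed, and the
package names com.example.chromeupd and com.example.pwmanager are assumed
stand-ins (a sideloaded app with a Chrome-like icon, and a Play-installed
password manager that legitimately uses accessibility).
"""
import subprocess

# The stores the article names as verified sources; add your device's official store.
TRUSTED_INSTALLERS = {"com.android.vending", "com.huawei.appmarket"}


def parse_enabled_accessibility(setting_value):
    """`settings get secure enabled_accessibility_services` prints
    'pkg/Service:pkg2/Service2', or 'null' when nothing is enabled."""
    value = setting_value.strip()
    if value in ("", "null"):
        return []
    return [entry.split("/", 1)[0] for entry in value.split(":") if entry]


def parse_package_lines(pm_output):
    """Yield (package, installer) from `pm list packages` output; the -i flag
    appends 'installer=<pkg>' (or 'installer=null' for sideloaded and system apps)."""
    for line in pm_output.splitlines():
        line = line.strip()
        if not line.startswith("package:"):
            continue
        parts = line[len("package:"):].split()
        installer = None
        for part in parts[1:]:
            if part.startswith("installer=") and part != "installer=null":
                installer = part[len("installer="):]
        yield parts[0], installer


def suspicious_accessibility_apps(setting_value, pm_i_output, pm_s_output,
                                  trusted=TRUSTED_INSTALLERS):
    """Return (package, installer) for every enabled accessibility service whose
    package is not a system app and did not come from a trusted store."""
    installers = dict(parse_package_lines(pm_i_output))
    system_pkgs = {pkg for pkg, _ in parse_package_lines(pm_s_output)}
    findings = []
    for pkg in parse_enabled_accessibility(setting_value):
        if pkg in system_pkgs:
            continue  # preinstalled services such as TalkBack also show installer=null
        installer = installers.get(pkg)
        if installer not in trusted:
            findings.append((pkg, installer))
    return findings


def collect_live(serial=None):
    """Run the three commands against a connected device (not exercised offline)."""
    base = ["adb"] + (["-s", serial] if serial else []) + ["shell"]

    def sh(*args):
        return subprocess.run(base + list(args), capture_output=True,
                              text=True, check=True).stdout

    return (sh("settings", "get", "secure", "enabled_accessibility_services"),
            sh("pm", "list", "packages", "-i"),
            sh("pm", "list", "packages", "-s"))


# Constructed sample outputs of the three commands.
SAMPLE_ACCESSIBILITY = (
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:"
    "com.example.pwmanager/com.example.pwmanager.FillService:"
    "com.example.chromeupd/com.example.chromeupd.AccService"
)
SAMPLE_PM_I = """\
package:com.google.android.marvin.talkback  installer=null
package:com.example.pwmanager  installer=com.android.vending
package:com.example.chromeupd  installer=null
package:com.android.chrome  installer=com.android.vending
"""
SAMPLE_PM_S = """\
package:com.google.android.marvin.talkback
package:com.android.chrome
"""

if __name__ == "__main__":
    for pkg, installer in suspicious_accessibility_apps(
            SAMPLE_ACCESSIBILITY, SAMPLE_PM_I, SAMPLE_PM_S):
        print(f"REVIEW {pkg}: accessibility enabled, installer={installer or 'none (sideloaded)'}")
```

An `installer=null` entry that is not a system app means the APK was sideloaded (from a browser download, a file manager or `adb install`), which is exactly the path a Chrome-lookalike dropper takes; a hit from this script is the cue to uninstall the package and, given what the malware can do, to change banking credentials from a clean device.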