New Android Malware 'ToxicPanda' Targets Banking Users with Fraudulent Transfers
A new Android banking malware named ToxicPanda has infected over 1,500 devices, enabling attackers to take over accounts and carry out fraudulent banking transactions. According to Cleafy researchers, ToxicPanda relies primarily on on-device fraud (ODF) tactics, initiating transfers from the victim's own phone so that the activity passes the bank's device- and location-based checks. Believed to originate from a Chinese-speaking threat actor, the malware shows similarities to another Android trojan, TgToxic, which was first reported in early 2023. ToxicPanda has primarily affected users in Italy, Portugal, Hong Kong, Spain, and Peru, with most infections concentrated in Europe and Latin America.

This banking trojan has fewer features than its predecessor: it lacks an Automatic Transfer System (ATS) and the obfuscation methods seen in TgToxic, though it adds 33 new commands for expanded data collection. It spreads by disguising itself as legitimate apps such as Google Chrome and Visa, often distributed through counterfeit app store pages. Once installed, ToxicPanda abuses Android's accessibility services to intercept one-time passwords (OTPs) and bypass two-factor authentication (2FA), allowing unauthorized transfers without the victim's knowledge. Cleafy researchers also gained access to its command-and-control (C2) panel, which lets attackers monitor and control infected devices in real time.