SafetyDetectives
$ United States dollar
$ United States dollar Euro£ British poundAED UAE dirhamARS Argentine pesoAU$ Australian dollarBGN Bulgarian levR$ Brazilian realCA$ Canadian dollarCHF Swiss francCLP Chilean pesoCN¥ Chinese yuanCOP Colombian pesoCZK Czech korunaDKK Danish kroneEGP Egyptian poundHK$ Hong Kong dollarHUF Hungarian forintIDR Indonesian rupiah Israeli new shekelINR Indian rupee¥ Japanese yen South Korean wonMX$ Mexican pesoMYR Malaysian ringgitNOK Norwegian kroneNZ$ New Zealand dollarPLN Polish złotyRON Romanian leuRUB Russian rubleSAR Saudi riyalSEK Swedish kronaSGD Singapore dollar฿ Thai bahtTRY Turkish liraNT$ New Taiwan dollarUAH Ukrainian hryvnia Vietnamese DongZAR South African rand

Researchers Discover New Banking Malware, ToxicPanda

Tyler Cross
Tyler Cross Senior Writer
Published on: November 6, 2024
Tyler Cross Tyler Cross
Published on: November 6, 2024 Senior Writer

Researchers with Cleafy discovered a new strain of banking malware that targets Android users.

Once infected, it enables hackers to conduct fraudulent banking transactions with the victim’s device. The scheme itself isn’t new — it’s referred to as on-device fraud and it lets hackers conduct illegal transactions from the safety of someone else’s phone.

“It aims to bypass bank countermeasures used to enforce users’ identity verification and authentication, combined with behavioral detection techniques applied by banks to identify suspicious money transfers,” explain Cleafy researchers Michele Roviello, Alessandro Strino, and Federico Valentini.

Over 1,500 devices were infected, with over half of these infections coming from Italy. Portugal, Spain, France, and Peru were also infection hotspots.

“This geographical distribution underscores the ToxicPanda botnet’s significant reach and adaptability. These numbers suggest that the operators are expanding their focus beyond primary European targets, hinting at a potential shift towards Latin America,” the Cleafy report reads.

The maximum amount that was withdrawn from each account is below 10k.

One strange fact is that ToxicPanda seems to be built on the foundation of the old TGToxic malware strain, but it’s less advanced. It lacks both the Automatic Transfer System (ATS) routine and reduced obfuscation routines that its predecessor had. Roviollo, Strino, and Valentini believe that points to the hackers not having experience working with foreign targets.

They also note that the hackers responsible for the attack spoke Chinese. It’s uncommon for threat actors from this region to launch wide-scale on-device banking fraud in countries like Italy and France.

“More broadly, we observe a marked shift as Chinese-speaking TAs expand their focus into new geographical regions, especially targeting financial institutions and customers in pursuit of banking fraud opportunities,” they explain.

“This trend underscores the mobile security ecosystem’s escalating challenge, as the marketplace is increasingly saturated with malware and new threat actors emerge.”

About the Author
Tyler Cross
Tyler Cross
Senior Writer
Published on: November 6, 2024

About the Author

Tyler is a writer at SafetyDetectives with a passion for researching all things tech and cybersecurity. Prior to joining the SafetyDetectives team, he worked with cybersecurity products hands-on for more than five years, including password managers, antiviruses, and VPNs and learned everything about their use cases and function. When he isn't working as a "SafetyDetective", he enjoys studying history, researching investment opportunities, writing novels, and playing Dungeons and Dragons with friends.

Leave a Comment