“ToxicPanda”, a banking Trojan that is infecting numerous electronic devices in Europe and Latin America, is spreading very rapidly in Italy, currently the most affected country. The alarm was raised by experts at Cleafy, an IT security company: according to its research team, the cybercriminals designed ToxicPanda to bypass the defenses protecting banking systems and steal money from victims’ bank accounts.
The malware falls into the category of modern remote access trojans (RATs): its remote access capabilities let the attackers take control of the victim’s banking profile through the On Device Fraud technique, i.e. fake communications that appear to come from your own credit institution. The technique is already well known in cybersecurity, as it is used by other notorious banking trojans such as Medusa, Copybara and BingoMod.
Cleafy’s Threat Intelligence team identified the malware towards the end of October, when there was a significant spike in infections. Initially, the experts were convinced it was simply an evolution of TgToxic, an already known malware family; on examining its characteristics, however, they soon realized that, despite some points in common with the bot commands of that trojan family, “the code diverges significantly from its original source”. ToxicPanda, which is essentially a story in itself, was refined with the aim of carrying out financial fraud.
The malware manages to intercept one-time passwords generated automatically or sent via SMS, and gains access to Android systems by obtaining privileged permissions that give total remote control of the device. Its characteristics allow it to disguise itself as theoretically “secure” apps such as banking apps or Google Chrome, and to carry out transactions that appear legitimate to both credit institutions and users. Cybercriminals quite simply exploit sideloading, creating fake app pages and tricking users into downloading the trojan without realizing it. So far, Cleafy analysts have identified a mix of well-known brands, including Chrome and Visa, as well as decoy icons reminiscent of dating apps.
To date, ToxicPanda has affected more than 1,500 devices, especially in Italy, which accounts for 56.8% of total infections, followed by Portugal (18.7%), Hong Kong (4.6%), Spain (3.9%) and Peru (3.4%). The Trojan is therefore also spreading rapidly in Latin America and other European countries: for the moment, 16 different banking institutions have been targeted. “According to our findings, the Threat Actors behind this malware campaign are likely native Chinese speakers, similar to those responsible for the original TgToxic”, the experts explain.
What is most worrying is that there is still ample room for development: “Based on its source code, ToxicPanda clearly appears to be in an early stage of development, with some commands appearing as ‘placeholders’ without yet having a real implementation”. The advice, as always, is to download apps only from official, trusted sources, avoiding sideloaded third-party apps, and to keep antivirus and device protection systems updated.
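Since the article describes ToxicPanda being delivered by sideloading under well-known brand names, and the closing advice is to avoid sideloaded apps, a quick defensive triage on an Android device is to list installed packages together with the installer that put them there and flag anything that did not come from a trusted store or that borrows a brand name without being the real package. The following is an added example written for this page, not Cleafy’s tooling and not code from the article. It assumes the real output format of `adb shell pm list packages -i` (`package:<name>  installer=<pkg|null>`), a trusted-installer list and system-package prefixes that you would tune for your own fleet, and a constructed sample of that output (the package names in it are made up, except `com.android.chrome`, Chrome’s real package name).

```python
"""Flag sideloaded or brand-imitating Android packages from `pm list packages -i` output.

Added defensive example, not part of the original article and not Cleafy's code.
Input lines look like:  package:com.example.app  installer=com.android.vending
"""
import re

# Installer package names treated as trusted stores (assumption: Google Play
# plus the Samsung store; extend for your own fleet).
TRUSTED_INSTALLERS = {"com.android.vending", "com.sec.android.app.samsungapps"}

# Preloaded/system components routinely report installer=null; these prefixes
# are exempted unless the package also imitates a brand (assumption, tune per device).
SYSTEM_PREFIXES = ("com.android.", "com.google.android.")

# Brand words the article says were impersonated, mapped to the genuine package
# name where one is known. Chrome's real package is com.android.chrome; "visa"
# has no single official package here, so it is matched only as a brand hint.
BRAND_HINTS = {"chrome": "com.android.chrome", "visa": None}

LINE_RE = re.compile(r"^package:(?P<pkg>\S+)\s+installer=(?P<inst>\S+)$")

# Constructed sample of `pm list packages -i` output (package names are made up,
# except com.android.chrome).
SAMPLE_PM_OUTPUT = """\
package:com.android.chrome  installer=com.android.vending
package:com.android.settings  installer=null
package:com.example.bank  installer=com.android.vending
package:com.chrome.update.service  installer=null
package:org.example.dating  installer=com.android.packageinstaller
"""


def parse_pm_output(text):
    """Return a list of (package, installer) tuples; installer is None for 'null'."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # ignore blank lines or anything not in the expected shape
        inst = m.group("inst")
        entries.append((m.group("pkg"), None if inst == "null" else inst))
    return entries


def imitated_brand(pkg):
    """Return the brand word a package name borrows without being the genuine package, else None."""
    low = pkg.lower()
    for brand, real in BRAND_HINTS.items():
        if brand in low and pkg != real:
            return brand
    return None


def flag_sideloaded(text):
    """Return findings for packages that were not installed by a trusted store
    or that imitate a known brand. Each finding is a dict with the package,
    its installer (None if unknown) and the imitated brand (None if none)."""
    findings = []
    for pkg, inst in parse_pm_output(text):
        imitates = imitated_brand(pkg)
        trusted = inst in TRUSTED_INSTALLERS
        system_like = inst is None and pkg.startswith(SYSTEM_PREFIXES)
        if trusted or (system_like and imitates is None):
            continue
        findings.append({"package": pkg, "installer": inst, "imitates": imitates})
    return findings


if __name__ == "__main__":
    for f in flag_sideloaded(SAMPLE_PM_OUTPUT):
        print(f"{f['package']}: installer={f['installer']} imitates={f['imitates']}")
```

On a real device, feed the script the captured output of `adb shell pm list packages -i` instead of the constructed sample; an `installer` of `null` or of a generic package installer on a package that borrows a bank or browser brand is exactly the sideloading pattern the article describes and is worth a closer look before the app is trusted.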