Chinese Trojan Attacks Bank Customers on Android

By Shane Zuls on November 8, 2024

Executive Summary

On Thursday, November 7, 2024, SecurityWeek reported that the Cleafy Threat Intelligence team had identified a new Android banking trojan nicknamed ToxicPanda [2]. The malware was initially mistaken for a known threat, TgToxic, and was found after a sharp spike in new Android malware that uses on-device fraud (ODF) against mobile banking customers [3]. Although its code is considered basic, ToxicPanda combines obfuscation, interception of one-time passwords, remote-control capabilities, and abuse of Android's native accessibility services to obtain elevated permissions on the device, manipulate the user's inputs, and bypass safeguards such as two-factor authentication [3]. Once the victim has been socially engineered into installing it, the operators can initiate transfers of up to ten thousand euros at a time directly from the victim's banking app, completing the fraud [3]. To stay on the device for as long as possible, potentially to repeat the fraud, the malware disguises itself as an app the user is unlikely to remove, such as Google Chrome, a credit-card app, the operating system itself, a dating app, or a shopping app [3].
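The accessibility-service abuse described above is the one foothold a defender can check for directly on a handset. The following triage script is an added example written for this page, not code from Cleafy, SecurityWeek, or the malware itself. It parses the value Android returns for the enabled_accessibility_services secure setting (colon-separated package/service pairs) together with the third-party package list, and flags any package holding accessibility access that is not on an assumed allowlist, noting whether the package is user-installed. Both inputs are embedded here as constructed samples, including a made-up lookalike package name, com.google.android.chrome.update, standing in for an impostor "Chrome" app; on a real device they would come from `adb shell settings get secure enabled_accessibility_services` and `adb shell pm list packages -3`.

```shell
#!/bin/sh
# Added triage helper (not from the ToxicPanda report): list packages that hold
# Android accessibility-service access but are not expected to, and say
# whether each one is user-installed. Inputs are constructed samples so the
# script runs offline; on a device replace them with the adb commands noted.

# Assumed allowlist of packages expected to hold accessibility access.
ALLOWED="com.google.android.marvin.talkback com.android.talkback"

# Constructed sample of `settings get secure enabled_accessibility_services`.
# Entries are "package/service" pairs separated by ':'. The second entry is a
# made-up lookalike package name mimicking Google Chrome.
SAMPLE_A11Y="com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:com.google.android.chrome.update/com.google.android.chrome.update.MainAccessibilityService"

# Constructed sample of `pm list packages -3` (user-installed packages only).
SAMPLE_PKGS="package:com.google.android.chrome.update
package:com.example.bank
package:com.google.android.marvin.talkback"

# flag_a11y SERVICES ALLOWLIST
# Prints, one per line, each package in SERVICES that is not in ALLOWLIST.
# `settings get` prints "null" when no service is enabled; treat that as empty.
flag_a11y() {
    services=$1
    allow=$2
    [ "$services" = "null" ] && return 0
    old_ifs=$IFS
    IFS=:
    for entry in $services; do
        pkg=${entry%%/*}          # package name is everything before '/'
        case " $allow " in
            *" $pkg "*) ;;        # allowlisted, ignore
            *) printf '%s\n' "$pkg" ;;
        esac
    done
    IFS=$old_ifs
}

# is_third_party PKG PKGLIST
# Succeeds if PKG appears in the `pm list packages -3` output, i.e. it was
# installed by the user (store or sideload) rather than preloaded.
is_third_party() {
    printf '%s\n' "$2" | grep -qxF "package:$1"
}

# Stand-alone run over the constructed samples.
flag_a11y "$SAMPLE_A11Y" "$ALLOWED" | while read -r pkg; do
    if is_third_party "$pkg" "$SAMPLE_PKGS"; then
        echo "REVIEW: user-installed package $pkg holds accessibility access"
    else
        echo "REVIEW: preloaded package $pkg holds accessibility access but is not allowlisted"
    fi
done
```

The allowlist is deliberately short: on most phones only a screen reader or a password manager has a legitimate reason to hold accessibility access, so anything else that shows up, and in particular a user-installed package with a name that imitates a system or Google app, is worth removing before it is used to drive a banking session.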


Background 

Banks have always been prime targets for fraud and theft, and cybercrime has only made this worse. According to Cleafy's malware analysis, the code carries no fingerprints of known APT groups and lacks the sophistication of higher-end malware, which points to a low-end fraud operation whose primary goal is money [3]. At the same time, the code shares features with earlier malware of similar purpose, notably TgToxic, another Chinese trojan built to target Android users, which suggests an organized criminal group rather than a lone opportunist [4].


Impact

According to the Cleafy Threat Intelligence team's analysis of the botnet, nearly all victims were in Europe, Latin America, and Hong Kong [3]. Approximately 56% of victims were in Italy, followed by Portugal (18.7%) and Spain (3.9%). More than 1,500 devices had been infected at the time of analysis, and because the campaign was still active that count was still rising [3]. The total amount stolen from ordinary citizens across Europe is currently unknown.


Significance

Understanding basic, low-end online crime matters because the same techniques reappear in more sophisticated operations, including future APT campaigns. The market for new exploits, vulnerabilities, and zero-days keeps growing as attackers find new ways to steal information and funds. In this case, social engineering remains the main problem: as described, ToxicPanda reaches the phone because the victim is talked into installing it and granting it accessibility access, not through a software flaw, so preventing this malware, like most other attacks, comes down to the human step as more traditional forms of hacking decline in popularity. People and companies should keep to the basic tenets of preventing social engineering: do not open suspicious emails, links, or files; verify the identity of anyone requesting information before handing it over; and, in general, trust your gut [1]. On Android specifically, a practical check is to review which apps have been granted accessibility-service access (Settings, Accessibility) and revoke it from anything unexpected, and to avoid sideloading apps from outside the official store.


References

[1] Cybersecurity & Infrastructure Security Agency, "Avoiding Social Engineering and Phishing Attacks," 2021. https://www.cisa.gov/news-events/news/avoiding-social-engineering-and-phishing-attacks

[2] Kovacs E., "Android Banking Trojan ToxicPanda Targets Europe," 2024. https://www.securityweek.com/android-banking-trojan-toxicpanda-targets-europe/

[3] Roviello M., Strino A., Valentini F., "ToxicPanda: a new banking trojan from Asia hit Europe and LATAM," 2024. https://www.cleafy.com/cleafy-labs/toxicpanda-a-new-banking-trojan-from-asia-hit-europe-and-latam

[4] Trend Micro, "TgToxic Malware's Automated Framework Targets Southeast Asia Android Users," 2023. https://www.trendmicro.com/en_us/research/23/b/tgtoxic-malware-targets-southeast-asia-android-users.html