Android Botnet 'ToxicPanda' Bashes Banks Across Europe, Latin America

Chinese-speaking adversaries are using a fresh Android banking Trojan to take over devices and initiate fraudulent money transfers from financial institutions across Latin America, Italy, Portugal, and Spain.

DARKReading

Researchers have designated a new botnet on the scene, initially suspected to be part of the TgToxic banking Trojan family, as a distinct spinoff strain with its own moniker: ToxicPanda.

The ToxicPanda banking bot has turned up on at least 1,500 individual devices across Italy, Portugal, Spain, and Latin America, actively trying to steal money from at least 16 different financial institutions, according to new findings from Cleafy. The Chinese-speaking threat actors behind ToxicPanda deploy the malware to take over a targeted device and initiate scam money transfers, bypassing the banks’ identity and authentication protections, the Cleafy team warned.

“Remote access capabilities allow threat actors to conduct account takeover (ATO) directly from the infected device, thus exploiting the On-Device Fraud (ODF) technique,” the Cleafy report explained. “The consolidation of this technique has already been seen in other banking Trojans, such as Medusa, Copybara, and, recently, BingoMod.”

This stripped-down, manual approach to the Android banking Trojan gives the operators three advantages, the researchers noted: it does not require highly skilled developers, it widens the pool of banking customers who can be targeted, and it sidesteps many of the anti-fraud and cybersecurity controls that banks and other financial institutions rely on.

Importantly, code analysis shows that ToxicPanda is still at an early stage of development. That does not mean its feature set is modest: it already abuses Android's accessibility services to grant itself broad permissions and to capture data from other applications, the Cleafy team noted.

Further, ToxicPanda gives the operator remote control of the infected device, so actions such as money transfers can be initiated without the user's knowledge. It also intercepts one-time passwords delivered by SMS or generated by authenticator apps, defeating the multifactor authentication that is meant to stop exactly this kind of transfer. Finally, it carries obfuscation and other code-hiding tricks to evade detection.
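
A device-triage check of the kind a responder would run against a handset suspected of hosting an ODF banking Trojan, written as an added example for this page (it is not code from Dark Reading or Cleafy, and it is a generic heuristic, not a ToxicPanda indicator). It parses constructed output of four adb commands (settings get secure enabled_accessibility_services, settings get secure enabled_notification_listeners, pm list packages -i, pm list packages -s) and flags any non-system app that was not installed by a trusted store yet holds accessibility or notification-listener access, the two capabilities that let malware of this class drive the UI and read one-time codes. The package names, the sample output and the trusted-installer set are assumptions for illustration.

```python
"""Triage for Android on-device-fraud (ODF) banking Trojans.

Flags apps that hold accessibility or notification-listener access but were
neither preinstalled (system) nor installed by a trusted store. Heuristic
only: a legitimate sideloaded screen reader would be flagged too.
"""
import re
from dataclasses import dataclass

# Constructed sample output; package names are invented for this example.
# adb shell settings get secure enabled_accessibility_services
ACCESSIBILITY_SERVICES = (
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:"
    "com.example.fakeupdate/com.example.fakeupdate.A11yService"
)
# adb shell settings get secure enabled_notification_listeners
NOTIFICATION_LISTENERS = (
    "com.example.fakeupdate/com.example.fakeupdate.NotifListener:"
    "com.google.android.apps.wellbeing/com.google.android.apps.wellbeing.NotificationListener"
)
# adb shell pm list packages -i   (installer=null means sideloaded or preinstalled)
PM_LIST_PACKAGES = """\
package:com.google.android.marvin.talkback  installer=com.android.vending
package:com.google.android.apps.wellbeing  installer=null
package:com.example.fakeupdate  installer=null
package:com.android.chrome  installer=com.android.vending
"""
# adb shell pm list packages -s   (system/preinstalled packages)
PM_SYSTEM_PACKAGES = """\
package:com.google.android.marvin.talkback
package:com.google.android.apps.wellbeing
package:com.android.chrome
"""

# Assumed trusted store installers; anything else is flagged.
TRUSTED_INSTALLERS = {"com.android.vending", "com.sec.android.app.samsungapps"}


@dataclass(frozen=True)
class Finding:
    package: str
    capability: str   # "accessibility" or "notification_listener"
    installer: str    # "null" for sideloaded apps, "unknown" if not in pm output


def parse_component_list(raw: str) -> dict[str, list[str]]:
    """Parse a colon-separated list of pkg/class components into {pkg: [classes]}.

    Android returns the literal string "null" when nothing is enabled.
    """
    services: dict[str, list[str]] = {}
    raw = raw.strip()
    if not raw or raw == "null":
        return services
    for entry in raw.split(":"):
        pkg, _, cls = entry.partition("/")
        if pkg:
            services.setdefault(pkg, []).append(cls)
    return services


def parse_pm_list(raw: str) -> dict[str, str]:
    """Parse `pm list packages -i` output into {pkg: installer}."""
    installers: dict[str, str] = {}
    for line in raw.splitlines():
        m = re.match(r"package:(\S+)\s+installer=(\S+)", line.strip())
        if m:
            installers[m.group(1)] = m.group(2)
    return installers


def parse_system_list(raw: str) -> set[str]:
    """Parse `pm list packages -s` output into a set of system package names."""
    return {m.group(1) for line in raw.splitlines()
            if (m := re.match(r"package:(\S+)$", line.strip()))}


def find_suspicious(a11y_raw: str, notif_raw: str, pm_raw: str, sys_raw: str,
                    trusted: set[str] = TRUSTED_INSTALLERS) -> list[Finding]:
    """Return one Finding per (package, capability) that fails the trust check.

    System packages are excluded first because preinstalled apps also report
    installer=null, which would otherwise produce noisy false positives.
    """
    installers = parse_pm_list(pm_raw)
    system_pkgs = parse_system_list(sys_raw)
    findings: list[Finding] = []
    for capability, raw in (("accessibility", a11y_raw),
                            ("notification_listener", notif_raw)):
        for pkg in parse_component_list(raw):
            if pkg in system_pkgs:
                continue
            installer = installers.get(pkg, "unknown")
            if installer not in trusted:
                findings.append(Finding(pkg, capability, installer))
    return findings


if __name__ == "__main__":
    for f in find_suspicious(ACCESSIBILITY_SERVICES, NOTIFICATION_LISTENERS,
                             PM_LIST_PACKAGES, PM_SYSTEM_PACKAGES):
        print(f"SUSPECT {f.package}: {f.capability} enabled, installer={f.installer}")
```

On the constructed sample only com.example.fakeupdate is flagged, once for each capability; the preinstalled TalkBack and Digital Wellbeing services are excluded by the system-package check even though Wellbeing reports installer=null. On a real device the same parsers work on the live adb output, and a hit is a reason to pull the APK for analysis, not proof of infection.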

The ramp-up of ToxicPanda indicates that Chinese-speaking threat actors are expanding their operations into new territory beyond their traditional Southeast Asian roots, the report warns.

“This trend underscores the mobile security ecosystem’s escalating challenge, as the marketplace is increasingly saturated with malware and new threat actors emerge,” Cleafy’s report said. “An important question arising from this analysis is not just how to defend against threats like ToxicPanda but why contemporary antivirus solutions have struggled to detect a threat that is, in technical terms, relatively straightforward. Although there is no single answer, the lack of proactive, real-time detection systems is a primary issue.”

Google Patches Two Actively Exploited Android Flaws

As Chinese-speaking groups look to gain initial access to devices, they often leverage Android vulnerabilities in wide-scale attacks.

Fittingly, on Nov. 4, 2024, Google released patches for dozens of Android vulnerabilities in its November security bulletin, among them two that are already being exploited: CVE-2024-43047 and CVE-2024-43093. The first is a use-after-free in the Qualcomm Digital Signal Processor (DSP) service, reported by Amnesty International and Google's Threat Analysis Group, both well known for tracking commercial spyware activity. The second is a high-severity privilege escalation flaw in the Android Framework.

Beyond noting that both flaws “may be under limited, targeted exploitation,” Google has not provided further details.

Related news

CISA Alerts to Active Exploitation of Critical Palo Alto Networks Vulnerability

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Thursday added a now-patched critical security flaw impacting Palo Alto Networks Expedition to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation. The vulnerability, tracked as CVE-2024-5910 (CVSS score: 9.3), concerns a case of missing authentication in the Expedition migration tool that

Update your Android: Google patches two zero-day vulnerabilities

Google has released patches for two zero-days and a lot of other high level vulnerabilities.

Google Warns of Actively Exploited CVE-2024-43093 Vulnerability in Android System

Google has warned that a security flaw impacting its Android operating system has come under active exploitation in the wild. The vulnerability, tracked as CVE-2024-43093, has been described as a privilege escalation flaw in the Android Framework component that could result in unauthorized access to "Android/data," "Android/obb," and "Android/sandbox" directories and its sub-directories,

What I’ve learned in my first 7-ish years in cybersecurity

Plus, a zero-day vulnerability in Qualcomm chips, exposed health care devices, and the latest on the Salt Typhoon threat actor.

Qualcomm Urges OEMs to Patch Critical DSP and WLAN Flaws Amid Active Exploits

Qualcomm has rolled out security updates to address nearly two dozen flaws spanning proprietary and open-source components, including one that has come under active exploitation in the wild. The high-severity vulnerability, tracked as CVE-2024-43047 (CVSS score: 7.8), has been described as a use-after-free bug in the Digital Signal Processor (DSP) Service that could lead to "memory corruption