Monday, November 11, 2024

2024-11-04 ToxicPanda Android Banking Trojan samples

2024-11-04 Cleafy: ToxicPanda: a new banking trojan from Asia hit Europe and LATAM

ToxicPanda is an Android banking trojan targeting Europe and Latin America, identified in October 2024 and derived from the TgToxic family. Unlike TgToxic, ToxicPanda lacks advanced obfuscation and an Automatic Transfer System (ATS), relying instead on Android’s Accessibility Service to perform On-Device Fraud (ODF) by simulating legitimate user interactions. This allows it to take over accounts (ATO) on banking apps, bypassing anti-fraud measures and intercepting One-Time Passwords (OTPs) via SMS and authenticator apps.

The malware’s Command and Control (C2) infrastructure includes three hard-coded domains accessed via HTTPS with AES ECB encryption, establishing a persistent WebSocket session for real-time device control. ToxicPanda’s command set includes 61 commands inherited from TgToxic and 33 unique commands, some of which are unimplemented, suggesting early-stage development. Key commands allow for screen capture, privilege escalation, and blocking access to security apps on specific Android devices (e.g., Samsung, Xiaomi).

Access to ToxicPanda’s C2 panel revealed its botnet management capabilities, tracking over 1500 infected devices primarily in Italy and Portugal. Operators control infected devices in real-time, issuing commands for fraud operations, while the malware collects sensitive data like screenshots for further exploitation. Despite its straightforward design, ToxicPanda’s use of Accessibility Service abuse and device control positions it as a serious threat to financial institutions, leveraging scalable, device-level attacks for high-impact fraud.

Monday, September 9, 2024

2024-09-05 SPYAGENT Android Malware Stealing Crypto Credentials via Image Recognition / OCR Samples

2024-09-05 McAfee New Android SpyAgent Campaign Steals Crypto Credentials via Image Recognition

McAfee Labs' analysis of the "SpyAgent" Android malware revealed a sophisticated use of Optical Character Recognition (OCR) for extracting sensitive information, particularly mnemonic keys for cryptocurrency wallets.

The malware captures images stored on infected devices and uploads them to a remote Command and Control (C2) server.

Server-side OCR processes these images to extract text, specifically targeting mnemonic recovery phrases. This extracted data is critical for accessing and potentially stealing cryptocurrency assets.

Once the OCR extracts the text, the information is organized and managed through an administrative panel on the C2 server. This indicates a high level of sophistication in handling the stolen data, allowing attackers to efficiently process and utilize the extracted information.

Monday, September 2, 2024

2024-08-05 Android CHAMELEON Samples

2024-08-05 Chameleon is now targeting employees: Masquerading as a CRM app

2023-12-23 Android Banking Trojan Chameleon can now bypass any Biometric Authentication

  • Canada (July 2024): Chameleon disguised itself as a Customer Relationship Management (CRM) app, specifically targeting employees of a Canadian restaurant chain that operates internationally. The aim was to infiltrate business banking accounts by exploiting the employees' roles, which likely involve handling sensitive financial information through CRM systems.
  • UK and Italy (January 2023): The Trojan impersonated legitimate applications such as Google Chrome and government-related apps to deceive users and infiltrate their devices. This tactic significantly increases the likelihood of successful infections by leveraging the trust users place in these widely recognized apps.
  • Payload Delivery and Exploitation:
    • Multi-Stage Process: In the July 2024 campaign, Chameleon used a dropper capable of bypassing Android 13+ security restrictions. The dropper tricked users into reinstalling a fake CRM app, which secretly deployed the Chameleon payload, allowing it to operate unnoticed.
    • Zombinder Framework: In the January 2023 campaign, Chameleon was distributed via the Zombinder framework, which deployed both the Chameleon and Hook malware families through a sophisticated two-stage payload process. This method used Android’s PackageInstaller to install the malicious components.
  • Advanced Features and Exploitation Techniques:
    • Accessibility Service Exploitation: Chameleon leverages the Accessibility Service on Android devices to carry out Device Takeover (DTO) attacks. This service is crucial to the Trojan's ability to log keystrokes, harvest credentials, and execute commands that allow it to control the device remotely.
    • Bypassing Android 13 Restrictions: The Trojan adapts to the latest Android 13 restrictions by displaying HTML pages that guide users to enable the Accessibility Service, thereby circumventing security features designed to block such malware.
    • Biometric Disruption: A new feature in the updated variant allows Chameleon to bypass biometric authentication, forcing a fallback to PIN-based authentication. This enables the malware to capture PINs and passwords, which it can use to unlock the device and further exploit the victim's data.
