Chinese-linked Trojan horse empties Latin American, European bank accounts

A Chinese scam is tricking users into downloading fake apps via counterfeit websites, bypassing security measures and stealing banking details once installed.

This illustration shows apps for Google, Amazon, Facebook and Apple with a reflection of binary code displayed on a tablet screen. [Lionel Bonaventure/AFP]

By John Caicedo

LIMA -- A newly discovered banking Trojan horse, believed to have originated in China, is rapidly spreading across Peru and other Latin American countries, targeting Android users and compromising their bank accounts.

ToxicPanda, a malicious program designed to steal banking information and funds, has primarily spread across Europe, but its presence has also been detected in several Latin American countries.

More than 1,500 devices have been compromised across Europe and Latin America as of November, the Cleafy cybersecurity firm's Threat Intelligence team revealed in a November 4 report.

ToxicPanda at work

"ToxicPanda's main goal is to initiate money transfers from compromised devices via account takeover (ATO) using a well-known technique called On-Device fraud (ODF)," according to the report.

Aggregated data, shown in the map above, highlights the targeting pattern of ToxicPanda and the geographic distribution of victims. [Cleafy Threat Intelligence team]

The malware primarily spreads through the download of applications from unofficial sources, a practice known as "sideloading."

It employs counterfeit websites to deceive users into downloading and installing seemingly legitimate apps, effectively bypassing standard security protections.

Once the fake application is installed, it harvests banking information when the victim enters his or her credentials.

The Trojan horse is still in its early stages of development, says Cleafy.

Suspected Chinese culprits

The perpetrators, suspected of being Chinese speakers, reportedly gain direct access to bank accounts through compromised smartphones.

"One notable characteristic of this malware, which aligns with practices commonly observed among Chinese-speaking developers, is its capability to access phone albums, convert images ... and transmit them back to the command and control (C2) server," stated the report.

Although this technique is not entirely novel -- previously observed in malware such as TrickMo -- it marks "a notable method for extracting potentially sensitive information (e.g., screenshots of login credentials or virtual cards) from user devices," it added.

Cleafy analyzed the malware files and identified a hardcoded Domain Name System (DNS) server, specifically a free public Chinese DNS server known as 114DNS.

"Its use in malware or suspicious configurations can indicate a connection between the threat actors and China," the report added.

Italy has been the hardest hit by this banking scam, accounting for 56.8% of the more than 1,500 infected devices. It is followed by Portugal (18.7%), Hong Kong (4.6%), Spain (3.9%) and Peru (3.4%).

Additional cases have been reported in Chile and Argentina.
