ToxicPanda Android Trojan Infects More Than 1,500 Phones and Targets 16 Banks

ToxicPanda – a banking Trojan believed to be in early stages of development – ​​has been discovered by security researchers in Europe and Latin America. It is believed to originate from another banking Trojan detected in 2023, and is used to remotely take over accounts on compromised phones, allowing attackers to transfer funds while bypassing security measures aimed at stopping suspicious transactions. ToxicPanda was reportedly found on more than 1,500 devices while targeting users from 16 banking institutions.

Researchers from Cleafy’s Threat Intelligence detected a new Android malware in October that they previously discovered as TgToxic, another banking Trojan actively used in Southeast Asia and identified by the group last year. The researchers found that the new sample did not contain TgToxic capabilities and that the code was not comparable to the original trojan.

The ToxicPanda Trojan is disguised as popular applications
Photo credit: Cleafy

As a result, the researchers started tracking the newly detected remote access trojan (RAT) as ToxicPanda and warn that the malware can lead to account takeover (ATO) after a victim’s device is infected. Cleafy’s Threat Intelligence team also says that by opting for manual distribution (sideloading, the use of social engineering), threat actors (TA) can bypass a bank’s security measures used to keep users safe.

To gain access to almost all information on a user’s device, the malware uses the Accessibility Service on Android, allowing it to capture data from all apps. It is also able to bypass two-factor authentication (such as OTPs) by capturing the contents of the screen.

The creators of the ToxicPanda malware are Chinese speakers, according to the researchers. More than 1,500 devices were infected with the ToxicPanda trojan, and users from Italy were the worst affected, accounting for more than 50 percent of all infected devices. Other affected locations include Portugal, Spain, France and Peru. Customers of 16 banks were reportedly targeted by the TAs using the ToxicPanda Trojan.

The researchers also point out that current antivirus solutions have failed to detect these threats, suggesting the need for a “proactive, real-time detection system.” A botnet of infected devices was also spotted in use in Europe and Latin American countries, indicating that China-based TAs are now turning their attention to other markets.