Security researchers have uncovered a new banking trojan named ToxicPanda, believed to be in its initial development phase, affecting users across Europe and Latin America. This malware is thought to stem from a banking trojan identified earlier in 2023 and is designed to remotely seize control of accounts on compromised smartphones. It enables attackers to execute unauthorized fund transfers while evading security protocols intended to prevent suspicious transactions. Initial findings show that ToxicPanda has compromised over 1,500 devices, targeting customers from 16 different banking institutions.
The Threat Intelligence team at Cleafy’s research division reported the discovery of this new Android malware in October, having initially categorized it as TgToxic, a banking trojan that was active in Southeast Asia last year. Researchers noted that the newly identified variant lacks the functionalities seen in TgToxic and that its codebase bears no resemblance to the original trojan.
[Figure: The ToxicPanda trojan is disguised as popular applications. Photo credit: Cleafy]
With this new finding, researchers have begun tracking the remote access trojan (RAT) under the moniker ToxicPanda, cautioning that the malware poses severe risks of account takeover (ATO) following a successful infection. Cleafy’s Threat Intelligence team also highlighted that the use of manual distribution methods, such as sideloading and social engineering, allows cybercriminals to bypass bank security measures designed to protect users.
The malware gains unauthorized access to nearly all data on a user’s device by abusing Android’s accessibility service, which enables it to read information from other applications on screen. Furthermore, it can evade two-factor authentication processes, including one-time passwords (OTPs), by capturing screen content.
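Because this family depends on the accessibility service permission, a quick audit of which packages hold it is a practical defender check. The script below is an added example, not code from Cleafy or the report; it parses the value that `adb shell settings get secure enabled_accessibility_services` returns and flags any package not on a small allowlist. The allowlist, the `com.example.sideloaded` package and the sample settings string are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the Cleafy report): audit which apps hold the
# Android accessibility service that ToxicPanda-style trojans abuse to
# read screen content and OTPs. The allowlist and the sample settings
# value below are constructed for illustration.
ALLOWED_ACCESSIBILITY="com.google.android.marvin.talkback"

# flag_accessibility_services SETTINGS_VALUE
# SETTINGS_VALUE is the string returned by
#   adb shell settings get secure enabled_accessibility_services
# (colon-separated "package/ServiceClass" entries). Prints each package
# not on the allowlist; returns 1 if any were found, 0 otherwise.
flag_accessibility_services() {
    found=0
    old_ifs=$IFS
    IFS=':'
    for entry in $1; do
        pkg=${entry%%/*}            # keep only the package name
        [ -z "$pkg" ] && continue
        case " $ALLOWED_ACCESSIBILITY " in
            *" $pkg "*) ;;          # known screen reader, ignore
            *) echo "$pkg"; found=1 ;;
        esac
    done
    IFS=$old_ifs
    return $found
}

# Constructed sample: a legitimate screen reader plus an unknown sideloaded app
SAMPLE='com.google.android.marvin.talkback/.TalkBackService:com.example.sideloaded/.AccService'

if [ "${1:-}" = "--device" ]; then
    # Live check against a connected device (requires adb on PATH)
    value=$(adb shell settings get secure enabled_accessibility_services)
    flag_accessibility_services "$value" || echo "review the packages above"
else
    flag_accessibility_services "$SAMPLE" || echo "review the packages above"
fi
```

Run with `--device` to check a connected phone; without it the script evaluates the constructed sample.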
Research has indicated that the developers of the ToxicPanda malware are likely native Chinese speakers. The majority of the infected devices were located in Italy, accounting for over 50 percent of the total, while other affected areas include Portugal, Spain, France, and Peru. The malware’s operators have specifically targeted customers of 16 financial institutions.
Moreover, the researchers pointed out that many current antivirus solutions have been ineffective in detecting these threats, emphasizing the urgent need for “proactive, real-time detection systems.” A botnet built from these infected devices has been observed operating in both European and Latin American markets, indicating that the China-based threat actors are extending their operations into new regions.