Emerging ToxicPanda Banking Trojan Poses Serious Threat to Android Users Worldwide

Samanta Blumberg


Recent findings have revealed a new banking trojan posing significant risks to Android smartphone users. This malware, known as ToxicPanda, appears to be in its early development stages and has been uncovered by security experts in Europe and Latin America. It is thought to stem from a previously identified banking trojan, which emerged in 2023, and is designed to gain unauthorized access to financial accounts.

Once a device is compromised, the attackers are able to transfer funds while evading the security controls designed to detect suspicious activity. Reports indicate that more than 1,500 smartphones have been affected, with customers of 16 different financial institutions targeted. In October, researchers from Cleafy's Threat Intelligence team came across this new Android malware, initially recognizing it as TgToxic, a banking trojan that had been operating in Southeast Asia as of last year. However, they noted that the latest sample lacked the functionality seen in TgToxic, and no similarities were found between the code of the two.

The ToxicPanda trojan masquerades as well-known applications, making it even more deceptive.

This has prompted security teams to label the newly found remote access trojan (RAT) as ToxicPanda. They caution that this malware could lead to account takeover risks once a victim’s device gets infected. The team at Cleafy also highlights that by utilizing manual distribution techniques—such as sideloading and social engineering—attackers can bypass the security protocols set by banks to protect their customers.

To collect almost all user information, the malware abuses the accessibility service on Android devices, which lets it read data from other applications. Additionally, it can evade two-factor authentication mechanisms, such as one-time passwords, by capturing screen content during critical transactions.
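Because the accessibility service is the lever the trojan relies on, a quick defender-side check is to list which accessibility services are enabled on a device and flag any that are not on a known allowlist. The script below is an added example and is not code from the article or from Cleafy; the allowlist packages and the sample device output are constructed for illustration, and on a real device the value would come from `adb shell settings get secure enabled_accessibility_services`.

```shell
#!/bin/sh
# Added example (not from the article): audit enabled Android accessibility
# services and flag any whose package is not on a known allowlist.
# Accessibility abuse is how this class of banking trojan reads other apps' UI.

# Allowlist of package names. Hypothetical starting point: extend it with the
# legitimate accessibility apps deployed in your own fleet.
ALLOWED_PKGS="com.google.android.marvin.talkback com.android.talkback"

# flag_unknown_a11y_services VALUE
# VALUE is the colon-separated string that
#   adb shell settings get secure enabled_accessibility_services
# returns, e.g. "pkgA/pkgA.Service:pkgB/.OtherService" (or "null" if unset).
# Prints one line per enabled service whose package is not allowlisted.
flag_unknown_a11y_services() {
    value=$1
    # Android prints the literal string "null" when no service is enabled.
    [ "$value" = "null" ] && return 0
    printf '%s\n' "$value" | tr ':' '\n' | while IFS= read -r svc; do
        [ -z "$svc" ] && continue
        pkg=${svc%%/*}          # package name is everything before the slash
        allowed=0
        for a in $ALLOWED_PKGS; do
            [ "$a" = "$pkg" ] && allowed=1
        done
        if [ "$allowed" -eq 0 ]; then
            printf '%s\n' "$svc"
        fi
    done
    return 0
}

# audit_connected_device: read the live setting over adb if adb is available.
audit_connected_device() {
    if command -v adb >/dev/null 2>&1; then
        live=$(adb shell settings get secure enabled_accessibility_services | tr -d '\r')
        flag_unknown_a11y_services "$live"
    else
        echo "adb not found; skipping live device audit" >&2
    fi
}

# Constructed sample output: one legitimate screen reader plus one unknown
# service (a fictional package name used only for this demonstration).
SAMPLE='com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:com.example.fakeapp/.AccessSvc'

if [ "${1:-}" = "--demo" ]; then
    echo "Unknown accessibility services in sample:"
    flag_unknown_a11y_services "$SAMPLE"
fi
```

Run with `--demo` to exercise the constructed sample, or call `audit_connected_device` from an inventory script with a device attached. Any line printed is a service that deserves a closer look, since a sideloaded app that has talked the user into enabling an accessibility service is exactly the setup the article describes.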

Researchers have determined that the individuals behind ToxicPanda are likely Chinese speakers. Of the more than 1,500 impacted devices, users in Italy account for over 50 percent of the total. Other affected countries include Portugal, Spain, France, and Peru, with customers of 16 banks being among the primary targets of this malware.

Furthermore, it has been observed that existing antivirus programs are struggling to detect these threats, emphasizing the urgent need for proactive real-time detection. A botnet of compromised devices has also been noted in European and Latin American regions, suggesting that the China-based attackers are beginning to expand their operations into new markets.
