ToxicPanda Malware Hits Banks Across Europe And Latin America

In October 2024, Cleafy’s Threat Intelligence team discovered a new Android banking Trojan campaign, initially linked to the known TgToxic family of malware. However, after further investigation, it became clear that this new malware was different, leading experts to track it under the name ToxicPanda.

In their recent report, the analysts explain that ToxicPanda is designed to steal money from compromised devices by bypassing bank security measures.

The malware uses a technique called On-Device Fraud (ODF), which allows attackers to take control of a victim’s bank account without the person’s knowledge. It can bypass identity verification and behavioral detection systems that banks use to flag suspicious activities.

The researchers explain that ToxicPanda works by exploiting Android’s accessibility services. This allows it to gain control over a victim’s device, intercept one-time passwords (OTPs), and carry out fraudulent bank transactions. It can also hide its presence on the phone, making it harder for antivirus software to detect.

However, the report notes that the malware is still in early development. Some parts of its code are incomplete, with commands that don’t yet do anything.

Despite this, ToxicPanda has already managed to infect over 1,500 Android devices across Italy, Portugal, Spain, and Latin America. These infected devices are being used in attacks on 16 different banking institutions.

The threat actors (TAs) behind ToxicPanda are suspected to be Chinese speakers, marking a shift in the regions they target.

It is uncommon for Chinese-speaking cybercriminals to focus on banking fraud in Europe and Latin America. The researchers suggest that this might indicat a potential change in their operational focus.

Although ToxicPanda is not as advanced as some other banking trojans, it shares similarities with previous malware like TgToxic.

The report suggest that the malware’s developers appear to be new to targeting financial institutions outside their home regions, which may explain its somewhat basic code and limited features.

ToxicPanda’s spread has been significant, with Italy seeing the highest number of infections, followed by countries like Portugal, Spain, and Peru. This broad geographic reach signals that the malware creators are expanding their targets to include more countries, especially in Latin America.

In conclusion, ToxicPanda is a growing threat that highlights the increasing sophistication of mobile banking fraud. While the malware is still developing, its rapid spread across multiple regions shows that cybercriminals are becoming more focused on exploiting banking systems worldwide.