ToxicPanda — a banking trojan that is believed to be in an early stage of development — has been detected by security researchers in Europe and Latin America. It is believed to be derived from another banking trojan detected in 2023, and is used to remotely take over accounts on compromised phones, allowing attackers to transfer funds while bypassing security measures aimed at stopping suspicious transactions. ToxicPanda was reportedly found on over 1,500 devices, while targeting users of 16 banking institutions.
Researchers at Cleafy's Threat Intelligence detected a new Android malware in October that they previously detected as TgToxic, another banking trojan that was actively used in Southeast Asia and was identified by the group last year. The researchers found that the new sample did not contain capabilities from TgToxic, and that the code was not similar to the original trojan.
As a result, the researchers started to track the newly detected remote access trojan (RAT) as ToxicPanda and warns that the malware can lead to account takeover (ATO) after a victim's device is infected. Cleafy's Threat Intelligence team also says that by opting for manual distribution (sideloading, using social engineering), threat actors (TA) can circumvent a bank's security measures that are used to keep users safe.
In order to access almost all information on a user's device, the malware exploits the accessibility service on Android, allowing it to capture data from all apps. It is also capable of sidestepping two-factor authentication (such as OTPs) by capturing the contents of the screen.
The creators of the ToxicPanda malware are Chinese speakers, according to the researchers. Over 1,500 devices were infected with the ToxicPanda trojan and users from Italy were the most impacted — more than 50 percent of all infected devices. Other impacted locations include Portugal, Spain, France, and Peru. Customers of 16 banks were reportedly targeted by the TAs using the ToxicPanda trojan.
The researchers also point out that current antivirus solutions have failed to detect these threats, which suggests the need for a "proactive, real-time detection system". A botnet of infected devices was also spotted in use in Europe and Latin American countries, which suggests that the Chinese-based TAs are now turning their attention to other markets.