ToxicPanda Strikes: Puts Global Bank Accounts at Risk with Advanced Fraud Tactics

November 7, 2024 | Cybersecurity
By Ashwani Mishra, Editor-Technology, 63SATS

In a chilling development for global banking security, a new Android malware known as ToxicPanda is spreading rapidly, with more than 1,500 infected devices already identified and the bank accounts behind them at risk.

Disguising itself as popular applications, including Google Chrome and mobile banking apps, ToxicPanda has infiltrated over 1,500 devices across Europe and Latin America, according to Cleafy’s Threat Intelligence team.

This sophisticated malware threatens to siphon funds from unsuspecting users through techniques designed to bypass even advanced banking security measures.

ToxicPanda’s Global Spread

First detected in late October 2024, ToxicPanda was initially thought to belong to the TgToxic malware family, previously active in Southeast Asia. However, further examination by Cleafy researchers revealed stark differences in its coding, warranting classification as a unique malware strain.

ToxicPanda’s primary goal is financial fraud, using a method called On-Device Fraud (ODF): unauthorized transfers are initiated from the victim’s own phone, inside the legitimate banking app, so to the bank they look like transactions from the customer’s enrolled device.

This malware is far from ordinary.

Unlike many trojans that simply steal login credentials for later use, ToxicPanda gives attackers real-time remote access to infected devices, enabling them to perform account takeovers (ATO) directly from the user’s phone. Because the session runs on the device the bank already trusts, this approach sidesteps typical security measures such as two-factor authentication (2FA) and behavior-based fraud detection, putting users’ finances directly in jeopardy.

How ToxicPanda Bypasses Security Measures

ToxicPanda’s method is as ingenious as it is alarming. It does not need root access. Instead, it abuses Android’s accessibility services: once the victim is tricked into enabling the malicious app as an accessibility service, the malware can read what is on screen, capture data from other applications, manipulate user inputs, and tap, type, and swipe on the attackers’ behalf without further consent.

For banking applications, this translates to complete control over a victim’s account, allowing cybercriminals to initiate transfers, adjust account settings, and even alter security preferences in real time.

To execute its attacks, ToxicPanda intercepts one-time passwords (OTPs): codes delivered via SMS can be read from incoming messages, and codes shown by authentication apps can be read off the screen through the same accessibility access. This lets it complete the 2FA step banks use to secure transactions. This feature is particularly alarming, as it enables ToxicPanda to act as though it were the legitimate user, effectively undermining some of the strongest safeguards in mobile banking.
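The two capabilities described above, accessibility-service abuse and SMS access, show up in an app’s manifest before it ever runs. The following triage script is an added example, written for this article and not code from Cleafy or 63SATS; it scores a decoded AndroidManifest.xml for that combination and flags an app whose label claims to be Chrome without shipping under Chrome’s package name. The sample manifests, the package names, the label-to-package table and the high/medium/low scoring are all constructed for illustration, not a published detection model.

```python
"""Triage a decoded AndroidManifest.xml for the capability pattern a
ToxicPanda-style banking trojan needs: an accessibility service plus SMS
access, optionally an overlay permission and an impersonated app label.
Added example; sample data and scoring are constructed, not from Cleafy."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
A_NAME = f"{{{ANDROID_NS}}}name"
A_LABEL = f"{{{ANDROID_NS}}}label"
A_PERMISSION = f"{{{ANDROID_NS}}}permission"

BIND_A11Y = "android.permission.BIND_ACCESSIBILITY_SERVICE"
SMS_PERMS = {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS"}
OVERLAY_PERM = "android.permission.SYSTEM_ALERT_WINDOW"

# Assumed table for the impersonation check: the label shown to the user
# versus the package name the genuine app ships under.
KNOWN_LABELS = {"chrome": "com.android.chrome"}


def parse_manifest(xml_text: str) -> dict:
    """Pull out the fields the triage needs: package, label, permissions,
    and every <service> that binds the accessibility-service permission."""
    root = ET.fromstring(xml_text)
    perms = {p.get(A_NAME) for p in root.iter("uses-permission")}
    app = root.find("application")
    label = (app.get(A_LABEL) if app is not None else None) or ""
    services = app.iter("service") if app is not None else []
    a11y = [s.get(A_NAME) for s in services if s.get(A_PERMISSION) == BIND_A11Y]
    return {
        "package": root.get("package"),
        "label": label,
        "permissions": perms,
        "accessibility_services": a11y,
    }


def assess(xml_text: str) -> dict:
    """Return a verdict and human-readable findings for one manifest."""
    m = parse_manifest(xml_text)
    findings = []
    if m["accessibility_services"]:
        findings.append("binds an accessibility service: can read screen content and inject taps")
    has_sms = bool(m["permissions"] & SMS_PERMS)
    if has_sms:
        findings.append("requests SMS access: can read one-time passwords delivered by SMS")
    if OVERLAY_PERM in m["permissions"]:
        findings.append("requests SYSTEM_ALERT_WINDOW: can draw over the banking app")
    genuine = KNOWN_LABELS.get(m["label"].lower())
    if genuine and m["package"] != genuine:
        findings.append(f"label '{m['label']}' but package {m['package']} is not {genuine}: impersonation")

    # Accessibility plus SMS is the combination that enables on-device fraud
    # with OTP interception; either one alone is common in legitimate apps.
    if m["accessibility_services"] and has_sms:
        verdict = "high"
    elif findings:
        verdict = "medium"
    else:
        verdict = "low"
    return {"package": m["package"], "verdict": verdict, "findings": findings}


# Constructed sample manifests; package names and labels are invented.
SUSPICIOUS_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.update.chrome.fake">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.RECEIVE_SMS"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
    <application android:label="Chrome">
        <service android:name=".AccService"
            android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
            <intent-filter>
                <action android:name="android.accessibilityservice.AccessibilityService"/>
            </intent-filter>
        </service>
    </application>
</manifest>
"""

BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.notes">
    <uses-permission android:name="android.permission.INTERNET"/>
    <application android:label="Notes"/>
</manifest>
"""

if __name__ == "__main__":
    for name, xml in (("suspicious", SUSPICIOUS_MANIFEST), ("benign", BENIGN_MANIFEST)):
        result = assess(xml)
        print(f"{name}: {result['package']} -> {result['verdict']}")
        for finding in result["findings"]:
            print("  -", finding)
```

Run it against a manifest decoded with a tool such as apktool or aapt2. Note that in a decoded manifest the label is often a resource reference (`@string/app_name`) rather than a literal, so the impersonation check above assumes the label has already been resolved; the accessibility and SMS checks do not depend on that.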

The malware’s creators have further strengthened its resilience with obfuscation techniques that mask the malware’s code, making it harder for analysts to reverse-engineer and for security products to detect. Its flexibility and adaptability point to a heightened level of threat sophistication, allowing it to evolve and evade detection across different regions.

An Unusual Shift in Cybercriminal Strategy

One of the more surprising findings from Cleafy’s investigation is the geographical targeting of ToxicPanda. Historically, cybercriminal groups from East Asia have focused their efforts on regional banking systems. Yet ToxicPanda’s primary targets are based in Europe, with Italy, Portugal, and Spain experiencing the bulk of infections. This geographical shift suggests a potential expansion in the operational scope of these threat actors, extending even into Latin America.

The Cleafy team suspects that Chinese-speaking actors, possibly affiliated with those behind the TgToxic family, are responsible for this malware. This pivot to targeting European and Latin American institutions marks a strategic shift in the group’s focus, hinting at the potential for further expansion into other markets.

The Reach of ToxicPanda’s Botnet

Through its investigation, Cleafy discovered an extensive botnet infrastructure linked to ToxicPanda, affecting over 1,500 devices. Italy alone accounted for more than half of the infected devices, followed by Portugal, Spain, France, and Peru. With its widespread reach and capability to execute fraud directly on victims’ devices, ToxicPanda represents a significant threat to banking systems and their users across multiple continents.

Editorial Opinion: The Path Forward for Android Users and Banks

ToxicPanda’s rise highlights an urgent need for stronger mobile banking security.

Cleafy urges Android users to stick to trusted app sources and avoid sideloading apps from links or look-alike store pages, to keep software updated, and to closely monitor their banking activity. Because the malware depends on accessibility access, users should also review the Accessibility settings on their device and disable any service they do not recognize.

Financial institutions must also boost detection and response measures to counter evolving threats, for example by treating banking sessions on devices with unknown accessibility services enabled as higher risk and by not relying on SMS-delivered OTPs as the sole check for high-value transfers.

As ToxicPanda spreads across Europe and Latin America, financial institutions in other parts of the world must stay vigilant to protect digital assets and uphold trust in online banking.