A new Android malware, named “ToxicPanda,” was identified in late October 2024 and classified under the TgToxic family due to similar bot commands.
However, an in-depth analysis by Cleafy’s Threat Intelligence team later revealed significant code differences, leading to its reclassification as a distinct threat.
Unlike TgToxic, ToxicPanda lacks certain advanced features, such as the Automatic Transfer System (ATS), marking a reduction in technical sophistication. Yet, it poses a significant risk due to its potential for account takeover (ATO) via on-device fraud (ODF) on infected devices.
Geographic Spread and Targeting
According to Cleafy, ToxicPanda primarily targets retail banking on Android devices. The infection has spread through Italy, Portugal, Spain and some Latin-American regions, with Italy accounting for more than 50% of cases.
Over 1500 devices have been compromised as part of this malware campaign. Through remote access, ToxicPanda has enabled cybercriminals to control infected devices, intercept one-time passwords and circumvent two-factor authentication measures.
Cleafy’s findings also highlight that the threat actors behind ToxicPanda are likely Chinese speakers, a unique attribute given that Chinese-speaking groups rarely focus on European banking targets.
Evolving Tactics and Security Challenges
The malware’s propagation seems to rely on social engineering tactics, leading users to side-load the app onto their devices. Once installed, ToxicPanda exploits Android’s accessibility services, gaining elevated permissions that allow it to capture sensitive data and perform unauthorized actions.
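A defender-side check for the condition just described, added here as an example and not taken from the article or from Cleafy: it parses the output of two `adb shell` commands (`pm list packages -i` and `settings get secure enabled_accessibility_services`) and flags any package with an enabled accessibility service that was not installed from the Play Store. The sample outputs and package names are constructed for the example.

```python
"""Offline triage of two 'adb shell' outputs to spot side-loaded apps that
hold Android accessibility-service access. The sample outputs below are
constructed for this example, not captured from a real device, and the
package names are placeholders."""
import re

# Installers treated as trusted app stores (assumption for this example;
# adjust to the sources the device is expected to use).
TRUSTED_INSTALLERS = {"com.android.vending"}

# Constructed sample of: adb shell pm list packages -i
PM_LIST = """\
package:com.android.chrome  installer=com.android.vending
package:com.google.android.marvin.talkback  installer=com.android.vending
package:com.example.sideloaded.app  installer=null
package:com.example.bank  installer=com.android.vending
"""

# Constructed sample of: adb shell settings get secure enabled_accessibility_services
ENABLED_A11Y = ("com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:"
                "com.example.sideloaded.app/.AccessService")


def parse_installers(pm_output):
    """Map package name -> installer package (None when the installer is 'null',
    i.e. the app was side-loaded or pushed via adb)."""
    installers = {}
    for line in pm_output.splitlines():
        m = re.match(r"package:(\S+)\s+installer=(\S+)", line)
        if m:
            installers[m.group(1)] = None if m.group(2) == "null" else m.group(2)
    return installers


def parse_enabled_services(settings_value):
    """Split the colon-separated 'pkg/ServiceClass' list into package names."""
    if not settings_value or settings_value.strip() == "null":
        return set()
    return {entry.split("/", 1)[0] for entry in settings_value.split(":") if entry}


def suspicious_accessibility_apps(pm_output, settings_value, trusted=TRUSTED_INSTALLERS):
    """Return sorted (package, installer) pairs that have an enabled accessibility
    service and were not installed by a trusted store. A package absent from the
    installer list is also flagged, as its origin cannot be confirmed."""
    installers = parse_installers(pm_output)
    hits = [(pkg, installers.get(pkg)) for pkg in parse_enabled_services(settings_value)
            if installers.get(pkg) not in trusted]
    return sorted(hits)


if __name__ == "__main__":
    for pkg, inst in suspicious_accessibility_apps(PM_LIST, ENABLED_A11Y):
        print(f"REVIEW: {pkg} (installer={inst}) has an enabled accessibility service")
```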
Cleafy’s researchers accessed ToxicPanda’s command-and-control (C2) infrastructure, which provided insights into operational strategies. Notably, ToxicPanda displays a mix of new and placeholder commands, likely inherited from the TgToxic family.
The absence of obfuscation techniques and debugging files indicates that the malware is still evolving and may undergo further modifications. By leveraging regional ties and bypassing the security measures mandated by the Payment Services Directive (PSD2), ToxicPanda highlights the expanding challenges of mobile banking security as malware operators continue to refine their tactics and expand their targets.
“Our telemetry data indicates that the threat posed by ToxicPanda is becoming increasingly prominent,” Cleafy said.
“An important question arising from this analysis is not just how to defend against threats like ToxicPanda but why contemporary antivirus solutions have struggled to detect a threat that is, in technical terms, relatively straightforward. Although there is no single answer, the lack of proactive, real-time detection systems is a primary issue.”