Over 1,500 Devices Infected: Android Trojan ToxicPanda Targets Banks in Europe and Latin America
In a new report, Cleafy’s Threat Intelligence team has detailed the emergence of a banking trojan known as ToxicPanda, a sophisticated Android malware that has quickly gained prominence by targeting financial institutions across Europe and Latin America. With over 1,500 infected devices already identified, ToxicPanda’s strategic approach and operational focus signal a notable shift in the targeting practices of Chinese-speaking threat actors.
ToxicPanda was first detected in late October 2024, originally categorized under the TgToxic family. However, deeper analysis revealed distinct differences in both its structure and functionality. The Cleafy team notes, “While it shares some bot command similarities with the TgToxic family, the code diverges considerably from its original source”. This divergence led to the malware being reclassified as ToxicPanda.
ToxicPanda belongs to the modern generation of remote access trojans (RATs), with capabilities that allow attackers to perform On-Device Fraud (ODF) directly from compromised Android devices. This manual, on-device approach enables attackers to bypass the behavioral detection systems widely implemented by banks and financial institutions.
ToxicPanda leverages several advanced features that make it highly effective in banking fraud:
- Accessibility Service Abuse: By exploiting Android’s accessibility services, ToxicPanda can grant itself elevated permissions, manipulate user inputs, and capture data from banking apps, making it particularly effective at compromising financial transactions.
- Remote Control and Real-Time Fraud: ToxicPanda enables attackers to remotely control infected devices, allowing them to initiate and authorize transactions, change account settings, and even intercept one-time passwords (OTPs) to bypass two-factor authentication.
- Obfuscation Techniques: To avoid detection, the malware uses “code-hiding techniques to make it difficult for security researchers to analyse the malware.”
- Unique Botnet Structure and C2 Communication: ToxicPanda’s botnet infrastructure includes three hardcoded domains for communication with the command and control (C2) server. This infrastructure simplifies initial connections while maintaining operational control through selective remote configuration.
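A defender-side check for the accessibility-service abuse listed above, as an added example that is not from Cleafy's report: it parses the output of `adb shell settings get secure enabled_accessibility_services` and flags any enabled service outside an allowlist. The allowlist and the sample device value are constructed for illustration.

```python
# Added example: audit a device's enabled accessibility services.
# Input is the output of:
#   adb shell settings get secure enabled_accessibility_services
# which is a colon-separated list of "package/class" component names.

# Assumption: packages the organisation approves (hypothetical allowlist).
APPROVED_PACKAGES = {"com.google.android.marvin.talkback"}

# Constructed sample value; the second package name is invented.
SAMPLE = (
    "com.google.android.marvin.talkback/"
    "com.google.android.marvin.talkback.TalkBackService:"
    "com.example.browser.update/.core.HelperService"
)


def parse_enabled_services(raw):
    """Return (package, full_class) tuples; class is None if malformed."""
    raw = (raw or "").strip()
    if raw in ("", "null"):          # setting unset or empty
        return []
    services = []
    for entry in filter(None, (e.strip() for e in raw.split(":"))):
        package, sep, cls = entry.partition("/")
        if not (sep and package and cls):
            services.append((entry, None))   # keep malformed entries visible
            continue
        if cls.startswith("."):               # short form is relative to package
            cls = package + cls
        services.append((package, cls))
    return services


def audit(raw, approved=APPROVED_PACKAGES):
    """Return enabled services whose package is not on the allowlist."""
    return [(pkg, cls) for pkg, cls in parse_enabled_services(raw)
            if cls is None or pkg not in approved]


if __name__ == "__main__":
    for pkg, cls in audit(SAMPLE):
        print(f"REVIEW: unapproved accessibility service {pkg} ({cls})")
```

A flagged entry is a prompt for review, not proof of infection: legitimate password managers and assistive apps also register accessibility services.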
Italy remains the primary hotspot for infections, accounting for over 50% of compromised devices, with substantial infections also observed in Portugal, Spain, France, and Peru. Cleafy’s report indicates that “these numbers suggest that the operators are expanding their focus beyond primary European targets, hinting at a potential shift towards Latin America”. This geographic expansion marks an unusual trend, as Chinese-speaking threat actors rarely engage in banking fraud campaigns targeting these regions.
ToxicPanda’s apparent success can be attributed to its strategic focus on manual fraud operations, which reduce the need for complex automation and evade many anti-fraud measures. However, Cleafy analysts noted that the malware appears less technically sophisticated than other modern banking trojans, with unimplemented commands and code refactoring issues hinting that it may still be in active development or adjustment. Despite these limitations, its effectiveness underscores the urgent need for proactive, real-time monitoring within financial systems.
ToxicPanda represents a significant development in the realm of banking trojans, both in its use of ODF techniques and its strategic geographic focus. As Cleafy’s team emphasizes, the shifting tactics of these threat actors point to “a marked shift as Chinese-speaking TAs expand their focus into new geographical regions, especially targeting financial institutions and customers in pursuit of banking fraud opportunities.”