A new Android malware, dubbed “ToxicPanda,” has emerged as a notable threat in the cybersecurity landscape, first identified in late October 2024. Initially classified under the TgToxic family due to its similar bot commands, further investigation by Cleafy’s Threat Intelligence team revealed distinct code variations, prompting a reclassification of this malware as a unique entity.
While ToxicPanda lacks some of the more advanced features of its predecessor, such as an Automatic Transfer System (ATS) that automates the fraudulent transfer itself, it still presents a considerable risk. The malware is particularly dangerous because it enables account takeover (ATO) through on-device fraud (ODF): the attacker initiates transactions from the victim's own enrolled device, so the activity inherits the trust that the bank places in that device.
Geographic Spread and Targeting
Cleafy’s analysis indicates that ToxicPanda primarily targets retail banking applications on Android devices. The malware has notably spread across Italy, Portugal, Spain, and various Latin American regions, with Italy alone accounting for over 50% of reported cases.
To date, more than 1,500 devices have fallen victim to this malware campaign. ToxicPanda enables cybercriminals to gain remote access to infected devices, allowing them to intercept one-time passwords and bypass two-factor authentication protocols.
Interestingly, Cleafy’s research suggests that the threat actors behind ToxicPanda are likely to be Chinese speakers, a noteworthy detail given that such groups typically do not focus on European banking targets.
Evolving Tactics and Security Challenges
The spread of ToxicPanda appears to hinge on social engineering, enticing users to enable installation from unknown sources and side-load the malicious APK onto their devices. Once installed, the malware abuses Android's Accessibility Service: after the user grants that permission, the app can read on-screen content, observe input, and perform taps and gestures on the user's behalf, which is what lets it capture sensitive information and execute unauthorized actions without further prompts.
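A quick triage check for the infection pattern just described, added here as an example and not code from Cleafy or the article: it parses the output of three `adb shell` commands (`settings get secure enabled_accessibility_services`, `pm list packages -i`, `pm list packages -s`) and flags any enabled accessibility service whose package was side-loaded rather than installed from a store. The sample inputs, the package name `com.example.fakebank`, and the trusted-installer allow-list are all constructed assumptions for the demonstration.

```python
"""Flag enabled Android accessibility services owned by side-loaded apps.

Added example (not Cleafy's or the article's code). The three SAMPLE_*
strings are constructed stand-ins for the output of:
  adb shell settings get secure enabled_accessibility_services
  adb shell pm list packages -i
  adb shell pm list packages -s
"""
import re
from typing import Dict, List, Set, Tuple

# Assumption: installers we consider legitimate. `pm` prints "null" for an
# APK installed by hand, which is exactly the side-loading case to catch.
TRUSTED_INSTALLERS: Set[str] = {
    "com.android.vending",              # Google Play
    "com.sec.android.app.samsungapps",  # Galaxy Store
}

_PM_INSTALLER_LINE = re.compile(r"^package:(\S+)\s+installer=(\S+)\s*$")
_PM_PACKAGE_LINE = re.compile(r"^package:(\S+)\s*$")


def parse_enabled_services(raw: str) -> List[Tuple[str, str]]:
    """'pkg/cls:pkg2/cls2' -> [(pkg, cls), ...]; 'null' or empty -> []."""
    raw = raw.strip()
    if not raw or raw == "null":
        return []
    services = []
    for entry in raw.split(":"):
        if "/" not in entry:
            continue
        pkg, cls = entry.split("/", 1)
        if cls.startswith("."):        # ComponentName shorthand 'pkg/.Cls'
            cls = pkg + cls
        services.append((pkg, cls))
    return services


def parse_installers(raw: str) -> Dict[str, str]:
    """Map package -> installer package ("null" when side-loaded)."""
    installers = {}
    for line in raw.splitlines():
        m = _PM_INSTALLER_LINE.match(line.strip())
        if m:
            installers[m.group(1)] = m.group(2)
    return installers


def parse_system_packages(raw: str) -> Set[str]:
    """Packages shipped on the system image (pm list packages -s)."""
    return {
        m.group(1)
        for m in (_PM_PACKAGE_LINE.match(l.strip()) for l in raw.splitlines())
        if m
    }


def suspicious_services(services_raw: str, installers_raw: str,
                        system_raw: str,
                        trusted: Set[str] = TRUSTED_INSTALLERS) -> List[dict]:
    """Enabled accessibility services from non-system, non-store packages."""
    installers = parse_installers(installers_raw)
    system_pkgs = parse_system_packages(system_raw)
    findings = []
    for pkg, cls in parse_enabled_services(services_raw):
        if pkg in system_pkgs:
            continue                    # TalkBack-style preinstalled services
        installer = installers.get(pkg, "unknown")
        if installer not in trusted:
            findings.append({"package": pkg, "service": cls,
                             "installer": installer})
    return findings


# Constructed sample data: one legitimate system service, one side-loaded
# app (hypothetical package name) that has obtained accessibility access.
SAMPLE_SERVICES = (
    "com.google.android.marvin.talkback/"
    "com.google.android.marvin.talkback.TalkBackService:"
    "com.example.fakebank/.AccessService"
)
SAMPLE_INSTALLERS = """\
package:com.google.android.marvin.talkback  installer=com.android.vending
package:com.example.fakebank  installer=null
package:com.android.chrome  installer=com.android.vending
"""
SAMPLE_SYSTEM = """\
package:com.google.android.marvin.talkback
package:com.android.chrome
"""


def run_triage() -> List[dict]:
    return suspicious_services(SAMPLE_SERVICES, SAMPLE_INSTALLERS, SAMPLE_SYSTEM)


if __name__ == "__main__":
    for f in run_triage():
        print(f"SUSPICIOUS {f['package']} ({f['service']}) installer={f['installer']}")
```

On a real device, feed the three command outputs in place of the samples; a hit is only a lead, since legitimate automation and assistive apps also use the Accessibility Service, but an enabled service from an APK with no store installer is the combination this campaign relies on.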
Further insights were gleaned from Cleafy’s access to ToxicPanda’s command-and-control (C2) infrastructure, revealing a command set that mixes new commands with placeholder ones, likely inherited from the TgToxic lineage. The absence of obfuscation techniques and debugging files suggests that ToxicPanda is still in a state of evolution and may undergo further modifications.
By operating from the victim's own device, ToxicPanda sidesteps the strong customer authentication (SCA) controls mandated by the Payment Services Directive (PSD2): the second factor is bound to a device the attacker already controls. Together with the operators' regional reach, this underscores the growing complexity of mobile banking security. As malware operators refine their tactics and broaden their targets, the challenges for security professionals continue to mount.
“Our telemetry data indicates that the threat posed by ToxicPanda is becoming increasingly prominent,” stated Cleafy. “An important question arising from this analysis is not just how to defend against threats like ToxicPanda but why contemporary antivirus solutions have struggled to detect a threat that is, in technical terms, relatively straightforward. Although there is no single answer, the lack of proactive, real-time detection systems is a primary issue.”