Android Botnet ToxicPanda Bashes Banks Across Europe, Latin America

Published: 23/11/2024   Category: security




Chinese-speaking adversaries are using a fresh Android banking Trojan to take over devices and initiate fraudulent money transfers from financial institutions across Latin America, Italy, Portugal, and Spain.



Researchers have designated a new botnet on the scene — initially suspected to be a part of the Toxic banking Trojan family — as a whole new spinoff strain with its own moniker, ToxicPanda.
The ToxicPanda banking bot has turned up on at least 1,500 individual devices across Italy, Portugal, Spain, and Latin America, actively trying to steal money from at least 16 different financial institutions, according to new findings from Cleafy. The Chinese-speaking threat actors behind ToxicPanda deploy the malware to take over a targeted device and initiate scam money transfers, bypassing the banks' identity and authentication protections, the Cleafy team warned.
"Remote access capabilities allow threat actors to conduct account takeover (ATO) directly from the infected device, thus exploiting the on-device fraud (ODF) technique," the Cleafy report explained. "The consolidation of this technique has already been seen by other banking Trojans, such as Medusa, Copybara, and, recently, BingoMod."
This stripped-down, manual approach to the Android banking Trojan gives the threat actors the advantage of not having to use highly skilled developers, opens up the potential to victimize a wider swath of banking customers, and bypasses many cybersecurity protections used by financial services firms and banks, the researchers noted.
Importantly, code analysis uncovered that ToxicPanda is in the early stages of development. But that doesn't mean it doesn't already have an impressive set of features, including the ability to abuse Android's accessibility services to escalate permissions and capture data from applications, the Cleafy team noted.
Further, ToxicPanda allows the threat actor to gain remote control of the infected device and initiate actions like money transfers without the user's knowledge. The banking Trojan also intercepts one-time passwords sent either by text or by authenticator app, completely dismantling multifactor authentication protections. Finally, ToxicPanda is loaded with code-hiding tricks to avoid detection.
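The capabilities listed above (an accessibility service for remote control, a way to read SMS or notification-delivered OTPs, and screen overlays) all have to be declared in an app's manifest, which gives an analyst a cheap triage check before any dynamic analysis. The following Python heuristic is an added example, not code from the article or from Cleafy: it parses an AndroidManifest.xml, records which of those capability markers are present, and assigns a coarse risk label when the remote-control primitive is combined with an OTP interception channel. The permission names are standard Android identifiers; the two manifests are constructed samples for the demonstration, not artifacts of ToxicPanda, and the scoring thresholds are my own assumption.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
A_NAME = f"{{{ANDROID_NS}}}name"
A_PERMISSION = f"{{{ANDROID_NS}}}permission"

# Standard Android identifiers tied to the capabilities described in the text:
# accessibility abuse, OTP capture via SMS or notifications, and screen overlays.
ACCESSIBILITY_BIND = "android.permission.BIND_ACCESSIBILITY_SERVICE"
NOTIFICATION_LISTENER_BIND = "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"
SMS_PERMS = {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS"}
OVERLAY_PERM = "android.permission.SYSTEM_ALERT_WINDOW"


def analyze_manifest(manifest_xml: str) -> dict:
    """Return the ODF-related capability markers a manifest declares plus a coarse risk label."""
    root = ET.fromstring(manifest_xml)
    requested = {e.get(A_NAME) for e in root.iter("uses-permission")}
    # An accessibility service is registered as a <service> protected by
    # BIND_ACCESSIBILITY_SERVICE; notification listeners follow the same pattern.
    bind_perms = {s.get(A_PERMISSION) for s in root.iter("service")}

    caps = {
        "accessibility_service": ACCESSIBILITY_BIND in bind_perms,
        "notification_listener": NOTIFICATION_LISTENER_BIND in bind_perms,
        "sms_access": bool(requested & SMS_PERMS),
        "overlay": OVERLAY_PERM in requested,
    }
    otp_channel = caps["sms_access"] or caps["notification_listener"]
    # Assumed scoring: remote-control primitive plus an OTP channel is the
    # combination that enables the on-device fraud flow described in the text.
    if caps["accessibility_service"] and otp_channel:
        risk = "high"
    elif caps["accessibility_service"] or (otp_channel and caps["overlay"]):
        risk = "medium"
    else:
        risk = "low"
    return {**caps, "risk": risk}


# Constructed sample: declares every marker the heuristic looks for.
SUSPICIOUS_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.constructed.sample">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <application>
    <service android:name=".HelperService"
        android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
  </application>
</manifest>
"""

# Constructed sample: a messaging app legitimately reads SMS but has no
# accessibility service and no overlay permission.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.constructed.messenger">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <application>
    <service android:name=".SyncService"/>
  </application>
</manifest>
"""

if __name__ == "__main__":
    for label, xml in (("suspicious", SUSPICIOUS_MANIFEST), ("benign", BENIGN_MANIFEST)):
        print(label, analyze_manifest(xml))
```

The heuristic is deliberately a triage filter, not a signature: a screen reader or an automation tool will also bind an accessibility service, so a "high" result means "inspect this app's accessibility callbacks and SMS handling", not "malware". The same markers are what a mobile device management policy can alert on when an app installed from outside the store requests them.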
The ramp-up of ToxicPanda indicates that Chinese-speaking threat actors are beefing up their operations to expand into new territory outside their traditional Southeast Asian roots, the report warns.
"This trend underscores the mobile security ecosystem's escalating challenge, as the marketplace is increasingly saturated with malware and new threat actors emerge," Cleafy's report said. "An important question arising from this analysis is not just how to defend against threats like ToxicPanda but why contemporary antivirus solutions have struggled to detect a threat that is, in technical terms, relatively straightforward. Although there is no single answer, the lack of proactive, real-time detection systems is a primary issue."
As Chinese-speaking groups look to gain initial access to devices, they often leverage Android vulnerabilities in wide-scale attacks.
Fittingly, on Nov. 4, Google released patches for dozens of Android vulnerabilities as part of November's update, among them two that already have been exploited, CVE-2024-43047 and CVE-2024-43093. Although Google has not released details, the first was discovered by Amnesty International and Google's Threat Analysis Group, which are well known for tracking commercial spyware activities. The second is a high-severity privilege escalation flaw in Android's framework.
Beyond disclosing the flaws, which may be under limited, targeted exploitation, Google has not provided additional details.