ToxicPanda Android Banking Malware Infected 4500+ Devices to Steal Banking Credentials
A sophisticated Android banking trojan known as ToxicPanda has successfully infiltrated over 4500 mobile devices across Europe, representing one of the most significant mobile banking malware campaigns observed in recent years.
The malware specifically targets banking and digital wallet applications, employing advanced overlay techniques to steal login credentials, PIN codes, and pattern locks while enabling cybercriminals to perform unauthorized financial transactions remotely.
ToxicPanda operates as a highly evolved banking trojan that infiltrates Android devices to harvest sensitive financial information from banking and financial applications.
The malware demonstrates remarkable sophistication through its ability to create pixel-perfect phishing overlays that mimic legitimate banking interfaces, effectively deceiving users into entering their credentials directly into malicious forms.
Once installed, the trojan grants attackers comprehensive control over compromised devices, allowing them to intercept two-factor authentication codes, bypass security measures, and initiate fraudulent money transfers without user knowledge.
First identified by Trend Micro researchers in 2022, ToxicPanda initially focused its operations on Southeast Asian markets before expanding its reach to European territories in 2024.
The malware campaign has demonstrated significant growth and geographic redistribution, with current operations primarily concentrated in Portugal and Spain.
BitSight analysts identified a substantial shift in the malware’s targeting strategy during early 2025, noting that Portuguese devices now account for approximately 3000 infections while Spanish devices represent around 1000 compromised systems.
The current European campaign reveals a deliberate targeting strategy focused on the Iberian Peninsula, with Portugal and Spain collectively representing over 85% of all observed global infections.
The malware shows particular affinity for mid-range Android devices, with Samsung A series, Xiaomi Redmi, and Oppo A models comprising the majority of infected devices, though premium models including Samsung S series devices have also been compromised.
Advanced Persistence and Evasion Mechanisms
ToxicPanda employs sophisticated persistence techniques that make traditional removal methods ineffective, demonstrating the malware authors’ deep understanding of Android security architecture.
The trojan abuses Android’s Accessibility Services framework, originally designed to assist users with disabilities, to gain elevated privileges and maintain persistent control over infected devices.
The malware implements multiple layers of persistence through dynamic broadcast receiver registration that monitors system events including package removal, replacement, and data clearing operations.
When users attempt to uninstall the application through conventional methods, ToxicPanda automatically closes settings windows and prevents access to accessibility service configurations through its hijacked UI control capabilities.
The trojan’s anti-analysis capabilities include comprehensive emulator detection mechanisms that examine CPU information, system properties, and hardware characteristics to avoid execution in sandbox environments.
Recent versions incorporate enhanced detection methods including Bluetooth adapter verification, ambient light sensor checks, and telephony service validation.
The malware employs a Domain Generation Algorithm (DGA) that creates monthly rotating domain names combined with sequential top-level domain cycling, ensuring communication resilience even when individual command and control servers are compromised.
ToxicPanda’s encryption implementation utilizes hardcoded AES keys (“0623U25KTT3YO8P9”) for primary communications and DES encryption (“jp202411”) for fallback domain storage, maintaining secure channels between infected devices and command infrastructure.
The malware package masquerades as “Google Chrome” while operating under the internal identifier “com.example.mysoul,” requesting 58 different Android permissions to achieve comprehensive device access.
Complete removal requires Android Debug Bridge (ADB) commands due to the malware’s sophisticated self-protection mechanisms that prevent standard uninstallation procedures.
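As an added defender-side example (not code from the article or from Bitsight), the Python triage helper below parses output captured with ADB from a suspect device and flags the indicators the article describes: the internal identifier com.example.mysoul, a launcher label of "Google Chrome" on a package that is not the genuine Chrome package, and a user-installed app holding an enabled accessibility service. The sample ADB output, the label table and the genuine-Chrome package mapping are constructed assumptions.

```python
"""Triage helper for ToxicPanda-style indicators in output captured via ADB.
Sample data below is constructed for illustration, not taken from a real device."""
import re

# Constructed: lines in the shape of `adb shell pm list packages -f`
PM_LIST = """\
package:/data/app/com.android.chrome-1/base.apk=com.android.chrome
package:/data/app/com.example.mysoul-1/base.apk=com.example.mysoul
package:/system/app/TalkBack/TalkBack.apk=com.android.talkback
package:/system/app/Settings/Settings.apk=com.android.settings
"""
# Constructed: value of `adb shell settings get secure enabled_accessibility_services`
ENABLED_A11Y = "com.android.talkback/.TalkBackService:com.example.mysoul/.A11yService"
# Constructed: launcher labels per package (e.g. read from `dumpsys package`)
LABELS = {"com.android.chrome": "Chrome", "com.example.mysoul": "Google Chrome"}

KNOWN_BAD_PACKAGES = {"com.example.mysoul"}       # identifier named in the article
BRAND_OWNERS = {"chrome": "com.android.chrome"}   # assumption: genuine package per brand

def parse_pm_list(text):
    """Return {package_name: apk_path} from `pm list packages -f` output."""
    pkgs = {}
    for line in text.splitlines():
        m = re.match(r"package:(\S+)=(\S+)$", line.strip())
        if m:
            pkgs[m.group(2)] = m.group(1)
    return pkgs

def parse_a11y(text):
    """Return the set of packages that own an enabled accessibility service."""
    return {svc.split("/")[0] for svc in text.split(":") if svc}

def triage(pm_text, a11y_text, labels):
    """Return a list of (package, reason) findings; empty means nothing flagged."""
    findings = []
    pkgs = parse_pm_list(pm_text)
    a11y_pkgs = parse_a11y(a11y_text)
    for pkg, path in pkgs.items():
        user_installed = not path.startswith("/system/")
        if pkg in KNOWN_BAD_PACKAGES:
            findings.append((pkg, "known ToxicPanda package identifier"))
        label = labels.get(pkg, "").lower()
        for brand, owner in BRAND_OWNERS.items():
            if brand in label and pkg != owner:
                findings.append((pkg, f"label impersonates {brand!r} but package is not {owner}"))
        if pkg in a11y_pkgs and user_installed:
            findings.append((pkg, "user-installed app holds an enabled accessibility service"))
    return findings

if __name__ == "__main__":
    for pkg, reason in triage(PM_LIST, ENABLED_A11Y, LABELS):
        print(f"{pkg}: {reason}")
```

On a real device, capture the three inputs with the ADB commands named in the comments and feed them to `triage`; a flagged user-installed package with an enabled accessibility service is the signal that conventional uninstallation will likely be blocked.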