Key Takeaways

  • A new trojan called ToxicPanda targets bank accounts by spoofing common apps on Android devices.
  • The malware was discovered by Cleafy only a few weeks ago, mainly in China, and has since spread to 1,500 Android devices around the world.
  • Protection against ToxicPanda involves avoiding sideloading, downloading from trusted sources, and keeping your device up to date at all times.



There’s a dangerous new threat to everyone’s bank accounts spreading around the world, and it shows no signs of stopping. This malware is a trojan called ToxicPanda, and it targets bank accounts through Android devices with an advanced attack strategy.

Related

8 essential Android 15 security features you should set up immediately

Stay safe in a digital world: Android 15’s got your back

ToxicPanda was discovered by Cleafy’s Threat Intelligence team a few weeks ago (via Hacker News). The trojan uses sophisticated methods to get around bank security measures before it starts making unauthorized withdrawals from the target account. Cleafy believes the malware has infected over 1,500 Android devices in countries around the world, particularly Europe and Latin America.




How dangerous is ToxicPanda to the average Android user?

A map of the world showing the spread of ToxicPanda on Android devices.

Source: Cleafy

This is a nasty trojan with highly specialized code. It’s an evolution of an older malware family called TgToxic, but this version has a laser-like focus on financial fraud. ToxicPanda can intercept one-time passwords, exploit Android’s security and accessibility services, and grant itself permissions to control elevated functions on the device. It can even enable remote control, giving attackers direct access.

The malware gets access to your bank account by mimicking popular apps like Google Chrome, or even banking apps. The victim has no idea there’s a dangerous program hiding in plain sight, and the target bank account believes the transactions are legitimate.



ToxicPanda spreads through sideloading. Threat actors (TAs) use fake app pages to lure users into downloading this dangerous trojan. There is no sign of it on the Play Store or Galaxy Store, but Cleafy was clear the malware is still in development. Some commands appear as placeholders with no real function, suggesting whoever created it is still working on making it even more powerful. Cleafy does not know who the TAs are, but does say all signs point to actors in China, most likely Hong Kong.

Here’s how you can protect your device from ToxicPanda

One of the joys of Android is the ability to sideload, yet that is exactly the kind of behaviour you should avoid if you want to protect your device, and your bank account, in 2024. You should only ever download apps from trusted sources, keep your device updated, and watch your bank account closely. You should also ignore installation prompts that appear outside of the Google Play Store (or Galaxy Store).


Banks, meanwhile, need to reinforce their behavioral detection software. The emergence of ToxicPanda highlights the growing sophistication of threats. Protections that worked a few years ago are already outdated, and no bank should rest on its laurels. Passkeys and multi-factor authentication safeguards are two ways banks can protect their clients’ accounts.

Everyone should remain vigilante against evolving digital threats like ToxicPanda. Your data, and your money, is never fully secure.

Related

What is a passkey, and how is it different from a password?

Passkeys and their speedy encryption are already starting to replace passwords: Here are the big differences