A sophisticated Android banking trojan known as ToxicPanda has infiltrated over 4500 mobile devices across Europe, making it one of the most significant mobile banking malware campaigns observed in recent years. The malware shows a particular affinity for mid-range Android devices: Samsung A series, Xiaomi Redmi, and Oppo A models make up the majority of infected devices, though premium models, including Samsung S series devices, have also been compromised.

Once installed, the trojan grants attackers comprehensive control over compromised devices, allowing them to intercept two-factor authentication codes, bypass security measures, and initiate fraudulent money transfers without the user’s knowledge. ToxicPanda employs persistence techniques that render conventional removal methods ineffective, demonstrating the malware authors’ deep understanding of Android security architecture. It specifically targets banking and digital wallet applications, using overlay techniques to steal login credentials, PIN codes, and pattern locks while enabling cybercriminals to perform unauthorized financial transactions remotely.

ToxicPanda operates as a highly evolved banking trojan that harvests sensitive financial information from banking and financial applications on infected Android devices. It uses a Domain Generation Algorithm (DGA) that produces monthly rotating domain names combined with sequential cycling through top-level domains, so that communication remains resilient even when individual command-and-control servers are lost. The malware package masquerades as “Google Chrome” while operating under the internal identifier “com.example.mysoul”, and it requests 58 different Android permissions to achieve comprehensive device access. The trojan abuses Android’s Accessibility Services framework, originally designed to assist users with disabilities, to gain elevated privileges and maintain persistent control over infected devices.
The malware implements multiple layers of persistence through dynamic broadcast receiver registration that monitors system events, including package removal, replacement, and data-clearing operations. ToxicPanda’s encryption implementation uses a hardcoded AES key (“0623U25KTT3YO8P9”) for primary communications and DES encryption with the key “jp202411” for fallback domain storage, maintaining secure channels between infected devices and the command infrastructure.

BitSight analysts identified a substantial shift in the malware’s targeting strategy during early 2025, noting that Portuguese devices now account for approximately 3000 infections while Spanish devices represent around 1000 compromised systems. The malware demonstrates remarkable sophistication through its ability to create pixel-perfect phishing overlays that mimic legitimate banking interfaces, effectively deceiving users into entering their credentials directly into malicious forms. When users attempt to uninstall the application through conventional methods, ToxicPanda automatically closes settings windows and blocks access to the accessibility service configuration through its hijacked UI control capabilities.
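The static indicators the article lists (the “com.example.mysoul” package id behind a “Google Chrome” label, an unusually large permission set, a declared accessibility service, SMS access for 2FA interception, and the two hardcoded keys) lend themselves to a quick triage of a decoded manifest and string table. The following is an added illustration, not code from BitSight or from the article; it assumes the manifest has already been decoded to plain XML (for example with apktool), that `SYSTEM_ALERT_WINDOW` is a reasonable overlay indicator, and that a permission count of 40 or more is worth flagging (an assumed threshold; the article reports 58). The sample manifest is constructed for this example.

```python
"""Static triage of a decoded AndroidManifest.xml and extracted strings against
the ToxicPanda indicators quoted in the article (added example, not BitSight's
tooling). Assumes the manifest is already plain XML, e.g. after apktool."""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Indicators from the article: internal package id and the spoofed app label.
IOC_PACKAGES = {"com.example.mysoul"}
SPOOFED_LABELS = {"Google Chrome", "Chrome"}
GENUINE_CHROME_PACKAGE = "com.android.chrome"  # the real Chrome package id

# Hardcoded keys quoted in the article (AES for C2 traffic, DES for fallback domains).
HARDCODED_KEYS = {"0623U25KTT3YO8P9": "AES C2 key", "jp202411": "DES fallback-domain key"}

# Permissions tied to the described behaviour: SMS for 2FA interception, overlay
# windows for phishing screens. PERMISSION_THRESHOLD is an assumption for this example.
SMS_PERMS = {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS"}
OVERLAY_PERM = "android.permission.SYSTEM_ALERT_WINDOW"
ACCESSIBILITY_PERM = "android.permission.BIND_ACCESSIBILITY_SERVICE"
PERMISSION_THRESHOLD = 40

# Constructed sample manifest shaped like the article's description (not a real dump).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.mysoul">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <application android:label="Google Chrome">
    <service android:name=".AccService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
  </application>
</manifest>"""


def triage_manifest(manifest_xml: str) -> list[str]:
    """Return human-readable findings for one decoded manifest (empty list = clean)."""
    root = ET.fromstring(manifest_xml)
    findings = []
    package = root.get("package", "")
    if package in IOC_PACKAGES:
        findings.append(f"known IoC package name: {package}")

    app = root.find("application")
    label = app.get(ANDROID_NS + "label", "") if app is not None else ""
    if label in SPOOFED_LABELS and package != GENUINE_CHROME_PACKAGE:
        findings.append(f"label '{label}' does not match Chrome package ({package})")

    perms = {p.get(ANDROID_NS + "name", "") for p in root.findall("uses-permission")}
    if len(perms) >= PERMISSION_THRESHOLD:
        findings.append(f"excessive permission count: {len(perms)}")
    if perms & SMS_PERMS:
        findings.append("SMS read/receive permissions (2FA interception capability)")
    if OVERLAY_PERM in perms:
        findings.append("overlay permission (phishing overlay capability)")

    # Accessibility services are declared on a <service>, not via <uses-permission>.
    if app is not None:
        for svc in app.findall("service"):
            if svc.get(ANDROID_NS + "permission") == ACCESSIBILITY_PERM:
                findings.append(f"accessibility service declared: {svc.get(ANDROID_NS + 'name')}")
    return findings


def find_hardcoded_keys(strings) -> dict[str, str]:
    """Match extracted string constants (e.g. from smali or dex) against the article's keys."""
    return {s: HARDCODED_KEYS[s] for s in strings if s in HARDCODED_KEYS}


if __name__ == "__main__":
    for finding in triage_manifest(SAMPLE_MANIFEST):
        print("[!]", finding)
    print(find_hardcoded_keys(["http://example.invalid", "0623U25KTT3YO8P9", "jp202411"]))
```

One caveat that follows directly from the article: the persistence receivers for package removal, replacement and data clearing are registered dynamically at runtime, so they never appear in the manifest and this check cannot see them. On a live device they show up under the registered receivers in `adb shell dumpsys activity broadcasts`, which is where a responder would confirm that part of the behaviour.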
This Cyber News was published on cybersecuritynews.com. Publication date: Wed, 30 Jul 2025 19:00:22 +0000