There are literally thousands of Android malware samples out there ready to take over your bank accounts if you’re not careful. The good part is that, if you’re not technically challenged, the chances of getting infected are very slim as long as you follow one simple rule – do not install apps from unknown sources unless you’re 100% sure you can trust the developer.

What’s ToxicPanda

The new Android malware in town is called ToxicPanda, and it targets your banking information by masquerading as common apps and exploiting advanced methods to hijack accounts. Given its nickname, it’s not difficult to guess its country of origin (Panda – China). Anyway, since its recent discovery by Cleafy, ToxicPanda has already infected over 1,500 Android devices, mainly in Europe and Latin America.

ToxicPanda combines techniques that make it a sophisticated threat for Android users who also have banking apps installed on their smartphones (these days, who doesn’t?). The malware is an evolution of TgToxic, refined with a more aggressive focus on financial fraud through account takeovers and remote control of infected devices. By exploiting Android’s accessibility services, ToxicPanda can:

  • Mimic trusted apps like Google Chrome and banking apps, making it hard for users to recognize a threat.
  • Intercept OTPs and bypass 2FA to authorize transfers undetected.
  • Grant itself permissions that enable attackers to manipulate device functions and access sensitive data.

Unlike typical Android malware, ToxicPanda’s specialized code lets it blend in seamlessly with legitimate apps, tricking users and banks alike. It isn’t in widespread deployment yet, and some of its commands remain undeveloped placeholders – suggesting that the malware is still evolving. This “work-in-progress” status hints at future capabilities that could make it even more dangerous.

Originating in China, ToxicPanda’s first wave of infections has hit Italy, Portugal, Hong Kong, Spain, and Peru.

The development of ToxicPanda underscores the need for banks to adopt passkeys and multi-factor authentication (MFA), as well as to reinforce behavioral detection systems that flag suspicious patterns. ToxicPanda can bypass older security measures, highlighting a critical need for banks to keep their defenses current against evolving threats.

How does it spread

Here comes the part that makes it less menacing than it sounds. ToxicPanda spreads through sideloading: threat actors (TAs) use fake app pages to lure users into downloading the malicious app. This means that a user who downloads this trojan would have to install it from an unknown source, because there is no sign of it on the Play Store or the Galaxy Store. So after all, it’s not malware that exploits a vulnerability in Android, but basically just a social engineering hack.

In fact, Google released a statement saying that it didn’t detect ToxicPanda’s signature anywhere in the Google Play app library:

Based on our current detection, no apps containing this malware are found on Google Play. Android users are automatically protected against known versions of this malware by Google Play Protect, which is on by default on Android devices with Google Play Services. Google Play Protect can warn users or block apps known to exhibit malicious behavior, even when those apps come from sources outside of Play.

Tips to protect against ToxicPanda and other malware

To protect yourself from ToxicPanda and similar malware:

  1. Avoid sideloading – I could just stop here. Exactly as I mentioned at the beginning of this post, if you avoid sideloading (i.e. installing apps from unknown sources) you’ll be safe. You should only download Android apps from the Google Play Store. Be wary of app prompts from untrusted websites or links, and never ever disable the option in Android that disallows installing apps from unknown sources by default.
  2. Enable Google Play Protect – This feature can help identify and block harmful apps and it’s enabled by default, so simply keep it on.
  3. Keep your device updated – It’s a rule for any device on any platform: regularly update your OS and apps to avoid any 0day exploits.
  4. Stay vigilant with app permissions – Android doesn’t let you review app permissions during installation, so take the time to evaluate whether you can trust an app that asks for dozens of permissions.
  5. Monitor your bank accounts regularly – Best of all, have limits set in place for transactions and notifications for any outgoing operations.
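One defender-side check for the combination described earlier (a sideloaded app that also holds accessibility access) and for tips 1 and 4 above, as an added example that is not code from this post or from Cleafy: it parses the output of `adb shell pm list packages -3 -i` and the `enabled_accessibility_services` secure setting and flags third-party apps that did not come from a store. The trusted installer IDs and the sample device output are constructed assumptions.

```python
import subprocess

# Installers treated as trusted stores (assumption: Play Store and Galaxy Store package names).
TRUSTED_INSTALLERS = {"com.android.vending", "com.sec.android.app.samsungapps"}

# Constructed sample output of `adb shell pm list packages -3 -i` (not captured from a real device).
SAMPLE_PM_OUTPUT = """\
package:com.android.chrome  installer=com.android.vending
package:com.example.bank  installer=com.android.vending
package:com.example.fakechrome  installer=null
package:com.example.notes  installer=com.sec.android.app.samsungapps
"""
# Constructed sample value of the `enabled_accessibility_services` secure setting.
SAMPLE_A11Y_SETTING = ("com.example.fakechrome/com.example.fakechrome.OverlayService:"
                       "com.android.talkback/.TalkBackService")

def parse_installers(pm_output):
    """Map each third-party package to the installer that put it there ('null' = sideloaded)."""
    installers = {}
    for line in pm_output.splitlines():
        line = line.strip()
        if not line.startswith("package:"):
            continue
        pkg, _, installer = line[len("package:"):].partition("installer=")
        installers[pkg.strip()] = installer.strip() or "null"
    return installers

def parse_accessibility(setting_value):
    """Packages with an enabled accessibility service (entries are pkg/Class, ':' separated)."""
    value = setting_value.strip()
    if not value or value == "null":
        return set()
    return {entry.split("/", 1)[0] for entry in value.split(":") if entry}

def audit(installers, a11y_packages):
    """Flag sideloaded apps, and the riskier subset that also holds accessibility access."""
    sideloaded = sorted(p for p, src in installers.items() if src not in TRUSTED_INSTALLERS)
    return {
        "sideloaded": sideloaded,
        "sideloaded_with_accessibility": [p for p in sideloaded if p in a11y_packages],
    }

def audit_connected_device():
    """Run the same audit against a device with USB debugging enabled (assumes adb on PATH)."""
    def adb(*args):
        return subprocess.run(["adb", "shell", *args], capture_output=True, text=True, check=True).stdout
    return audit(parse_installers(adb("pm", "list", "packages", "-3", "-i")),
                 parse_accessibility(adb("settings", "get", "secure", "enabled_accessibility_services")))
```

Running `audit_connected_device()` with a phone attached over adb lists every app that bypassed the store, and separately those that could read and act on other apps' screens the way the post describes.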

ToxicPanda is just one drop in the bucket of malware for Android devices, so be vigilant about anything you install. Android-based threats will continuously grow in sophistication and will always try to trick you into giving away your sensitive information, so stay alert. Staying informed and practicing secure mobile habits can significantly reduce your risk of falling victim to attacks like these.