
4500+ Devices Infected by ToxicPanda Android Malware to Steal Banking Credentials

A sophisticated Android banking trojan known as ToxicPanda has infected over 4,500 devices across Europe, with cybersecurity researchers warning of an escalating campaign targeting banking credentials and digital wallet information.

The malware, which evolved from the TgToxic family first identified in 2022, has shifted its targeting from Southeast Asia to Europe, where it has now established a foothold.

According to research from TRACE and Cleafy, the campaign has shifted geographically: Portugal and Spain now account for over 85% of all infections observed worldwide in 2025.

Portugal alone accounts for approximately 3,000 compromised devices, while Spain reports around 1,000 infections.

The malware primarily targets Samsung, Xiaomi, and Oppo devices, particularly more accessible series like Samsung A, Xiaomi Redmi, and Oppo A models.

Advanced Overlay Attacks Target Banking Apps

ToxicPanda employs sophisticated overlay attacks that create fake login screens mimicking legitimate banking applications.

The malware communicates with command-and-control servers to receive JSON payloads containing 39 custom phishing overlays, each tailored to specific banking apps.

These overlays capture login credentials, PIN codes, and pattern locks by positioning fake interfaces over genuine banking applications.

The Trojan abuses Android's accessibility services, a feature designed to assist users with disabilities, to gain extensive control over the device. No vulnerability is required: the victim is tricked into enabling the service for the malicious app.

Once the accessibility service is enabled, ToxicPanda can read screen content and inject input, letting it intercept one-time passwords (OTPs), defeat SMS-based two-factor authentication, and initiate unauthorized money transfers without the user's knowledge.

The malware requests 58 different permissions, including SMS access, camera control, and system overlay capabilities.
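A device-side triage for the two capabilities described above (an enabled accessibility service belonging to an unknown package, and an overlay/SMS permission set) can be scripted against the output of two ADB commands. The example below is added here and is not code from the original article or from the researchers; the package names, the `settings get secure enabled_accessibility_services` value and the `dumpsys package` excerpt are constructed for the example, and the allowlist of expected accessibility services is an assumption a fleet owner would replace with their own.

```go
package main

import (
	"fmt"
	"strings"
)

// Constructed sample of `adb shell settings get secure enabled_accessibility_services`
// on a suspect device. Entries are "package/service" separated by ':'. The package
// com.example.fakeupdate is hypothetical.
const enabledServices = "com.android.talkback/com.google.android.marvin.talkback.TalkBackService:" +
	"com.example.fakeupdate/com.example.fakeupdate.AccService"

// Constructed excerpt of `adb shell dumpsys package com.example.fakeupdate`.
const dumpsysExcerpt = `Package [com.example.fakeupdate] (1a2b3c):
  requested permissions:
    android.permission.INTERNET
    android.permission.READ_SMS
    android.permission.RECEIVE_SMS
    android.permission.SEND_SMS
    android.permission.SYSTEM_ALERT_WINDOW
    android.permission.CAMERA
    android.permission.RECEIVE_BOOT_COMPLETED
    android.permission.REQUEST_INSTALL_PACKAGES
  install permissions:
    android.permission.INTERNET: granted=true`

// knownAccessibility is an assumed allowlist of accessibility services expected on the fleet.
var knownAccessibility = map[string]bool{
	"com.android.talkback": true,
}

// UnknownAccessibilityPackages returns the packages with an enabled accessibility
// service that are not on the allowlist.
func UnknownAccessibilityPackages(setting string, allow map[string]bool) []string {
	var out []string
	for _, entry := range strings.Split(strings.TrimSpace(setting), ":") {
		if entry == "" {
			continue
		}
		pkg := strings.SplitN(entry, "/", 2)[0]
		if !allow[pkg] {
			out = append(out, pkg)
		}
	}
	return out
}

// RequestedPermissions parses the "requested permissions:" section of dumpsys output
// and stops at the next section header.
func RequestedPermissions(dump string) []string {
	var perms []string
	in := false
	for _, line := range strings.Split(dump, "\n") {
		t := strings.TrimSpace(line)
		switch {
		case t == "requested permissions:":
			in = true
		case in && strings.HasSuffix(t, ":"):
			in = false // e.g. "install permissions:"
		case in && strings.HasPrefix(t, "android.permission."):
			perms = append(perms, t)
		}
	}
	return perms
}

// BankerIndicators lists the capabilities that, taken together, match the
// overlay-plus-OTP-theft profile: overlay permission, SMS access and an enabled
// accessibility service.
func BankerIndicators(perms []string, accessibilityEnabled bool) []string {
	has := map[string]bool{}
	for _, p := range perms {
		has[p] = true
	}
	var hits []string
	if has["android.permission.SYSTEM_ALERT_WINDOW"] {
		hits = append(hits, "overlay (SYSTEM_ALERT_WINDOW)")
	}
	if has["android.permission.READ_SMS"] || has["android.permission.RECEIVE_SMS"] {
		hits = append(hits, "SMS/OTP interception")
	}
	if accessibilityEnabled {
		hits = append(hits, "accessibility service enabled")
	}
	return hits
}

func main() {
	unknown := UnknownAccessibilityPackages(enabledServices, knownAccessibility)
	perms := RequestedPermissions(dumpsysExcerpt)
	for _, pkg := range unknown {
		fmt.Printf("%s: %v\n", pkg, BankerIndicators(perms, true))
	}
}
```

A single hit is not conclusive on its own (screen readers legitimately use accessibility, and launchers use overlays); it is the combination of all three on a package the user did not knowingly install that warrants pulling the APK for analysis.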

Enhanced Evasion and Distribution Networks

Recent versions of ToxicPanda incorporate anti-emulation checks that detect popular sandbox and emulator environments and refuse to run in them, hindering automated analysis.

The malware now uses a Domain Generation Algorithm (DGA) that produces a fresh set of command-and-control domain names each month, so static blocklists go stale quickly and security teams struggle to block its communications.

Researchers have identified the malware’s integration with TAG-124, a multi-layered Traffic Distribution System used by multiple threat actors to facilitate malware delivery.

This infrastructure enhancement has been linked to 52 domains hosting ToxicPanda malware samples.

The banking trojan encrypts all C2 communications with AES in ECB mode using keys hardcoded in the sample. Both choices work in the analyst's favour: anyone who extracts the key from the APK can decrypt the traffic, and ECB encrypts each 16-byte block independently, so identical plaintext blocks produce identical ciphertext blocks and repeated message structures remain visible even without the key. The malware also implements multiple persistence mechanisms that make removal difficult through conventional methods.
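The two weaknesses of that scheme are easy to demonstrate. The example below is added here and is not code from the article or from the malware; the key is a placeholder standing in for one recovered from a decompiled sample, the C2 messages are constructed JSON, and PKCS#7 padding is assumed because the page does not describe the actual padding scheme.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"encoding/hex"
	"errors"
	"fmt"
)

// hardcodedKey is a hypothetical stand-in for a key pulled out of a decompiled APK.
var hardcodedKey = []byte("0123456789abcdef")

// pkcs7Pad and pkcs7Unpad supply the block alignment ECB needs (padding scheme assumed).
func pkcs7Pad(b []byte, size int) []byte {
	n := size - len(b)%size
	return append(b, bytes.Repeat([]byte{byte(n)}, n)...)
}

func pkcs7Unpad(b []byte) ([]byte, error) {
	if len(b) == 0 {
		return nil, errors.New("empty plaintext")
	}
	n := int(b[len(b)-1])
	if n == 0 || n > len(b) {
		return nil, errors.New("bad padding")
	}
	return b[:len(b)-n], nil
}

// EncryptECB encrypts each block independently with no IV and no chaining,
// which is exactly what makes ECB leak structure.
func EncryptECB(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	pt := pkcs7Pad(plaintext, block.BlockSize())
	ct := make([]byte, len(pt))
	for i := 0; i < len(pt); i += block.BlockSize() {
		block.Encrypt(ct[i:i+block.BlockSize()], pt[i:i+block.BlockSize()])
	}
	return ct, nil
}

// DecryptECB is what an analyst runs over captured C2 traffic once the key is known.
func DecryptECB(key, ciphertext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	if len(ciphertext)%block.BlockSize() != 0 {
		return nil, errors.New("ciphertext not block-aligned")
	}
	pt := make([]byte, len(ciphertext))
	for i := 0; i < len(ciphertext); i += block.BlockSize() {
		block.Decrypt(pt[i:i+block.BlockSize()], ciphertext[i:i+block.BlockSize()])
	}
	return pkcs7Unpad(pt)
}

// SharedLeadingBlocks counts leading 16-byte ciphertext blocks two messages have in
// common; under ECB this equals the number of leading plaintext blocks they share.
func SharedLeadingBlocks(a, b []byte) int {
	n := 0
	for i := 0; i+16 <= len(a) && i+16 <= len(b); i += 16 {
		if !bytes.Equal(a[i:i+16], b[i:i+16]) {
			break
		}
		n++
	}
	return n
}

func main() {
	// Constructed C2 commands: same 32-byte prefix, different target package.
	m1 := []byte(`{"cmd":"overlay","pkg":"com.bank.one"}`)
	m2 := []byte(`{"cmd":"overlay","pkg":"com.bank.two"}`)
	c1, _ := EncryptECB(hardcodedKey, m1)
	c2, _ := EncryptECB(hardcodedKey, m2)
	fmt.Println("shared leading blocks:", SharedLeadingBlocks(c1, c2))
	fmt.Println("c1:", hex.EncodeToString(c1))
	pt, _ := DecryptECB(hardcodedKey, c1)
	fmt.Println("decrypted:", string(pt))
}
```

The first two ciphertext blocks of the two commands are identical because their first 32 plaintext bytes are; a network sensor can therefore cluster C2 messages by command type before any key is extracted, and a single extracted key decrypts every captured session.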

Security experts recommend that users avoid installing applications from outside official app stores, review permission requests carefully, and refuse to enable accessibility services for unfamiliar applications; on a suspected infection, the list of enabled accessibility services in Settings is the first place to look.

ToxicPanda’s continued evolution and geographic expansion underscore the growing sophistication of mobile banking threats, with researchers noting ongoing development activity and infrastructure improvements that suggest sustained campaign operations.

Priya
