New Android banking malware ToxicPanda targets users in Italy, Portugal, Hong Kong, Spain, and Peru

A new banking malware, known as ToxicPanda, has infected more than 1,500 Android devices to make fraudulent money transfers without users noticing. This malware allows cybercriminals to take control of compromised bank accounts through a technique called on-device fraud (ODF), bypassing banks’ identity verification and authentication measures. Most of the infections have been reported in Italy, followed by Portugal, Hong Kong, Spain and Peru, which is considered an unusual case as a Chinese-speaking threat actor is targeting users in Europe and Latin America. ToxicPanda, a simplified version of the TgToxic malware, uses Android accessibility services to obtain advanced permissions, intercept one-time passwords (OTP) and bypass two-factor authentication. In addition, it masquerades as popular apps such as Google Chrome and Visa, distributing itself through fake pages that mimic official app stores.