New Android mobile banking Trojan is spreading in Europe
A new Android () banking trojan named "" has begun spreading in Europe and Latin America, primarily targeting banks with advanced account takeover and financial fraud techniques.
The malware was discovered by the threat intelligence team in late ; it derives from a related malware family previously identified in Southeast Asia.
Although the spread is limited, it has successfully infected multiple devices in Italy, Portugal, Spain, France, and Peru.
This is a rare case of Chinese-speaking cyber attackers expanding bank fraud activities beyond Asia.
The icon the malware uses as a disguise.
Functionality
Its toolset for "device fraud" () lets attackers initiate unauthorized transactions directly from the compromised device.
Because the transaction originates from the victim's own, already-enrolled device, it passes the device-fingerprinting and behavioral checks that would otherwise flag a login from unknown hardware.
The functions of this malware include:
Accessibility Service Abuse: Utilizing accessibility services to manipulate settings, control input fields, and perform hidden operations within banking applications.
Remote Control: With full remote access, attackers can interact with infected devices, conduct fraudulent transactions, and modify account settings.
OTP Interception: Intercepting one-time passwords delivered by SMS or by app-based authenticators, bypassing two-factor authentication and enabling unauthorized transactions.
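The three capabilities above leave a footprint that can be checked during device triage: an enabled accessibility service belonging to a sideloaded package that also holds SMS permissions. The script below is an added example and not code from the report or the malware analysis; it parses a constructed sample of the value returned by `adb shell settings get secure enabled_accessibility_services` together with a constructed excerpt modeled on `adb shell dumpsys package` (only the installer and granted-permission lines are kept), and scores each package. The package names, the trusted-installer list and the known-accessibility-app allowlist are all assumptions for illustration.

```python
import re

# Constructed sample of the value returned by
#   adb shell settings get secure enabled_accessibility_services
# Entries are "package/ServiceClass" separated by ':'. The second package is a
# placeholder for illustration, not an indicator from the report.
ENABLED_ACCESSIBILITY = (
    "com.android.talkback/com.google.android.marvin.talkback.TalkBackService:"
    "com.example.fakebank/com.example.fakebank.OverlayAccessibilityService"
)

# Constructed excerpt modeled on `adb shell dumpsys package` output, trimmed to
# the two fields the triage needs: installer and granted runtime permissions.
DUMPSYS_PACKAGE = """
Packages:
  Package [com.android.talkback] (1a2b3c):
    installerPackageName=com.android.vending
    runtime permissions:
      android.permission.RECORD_AUDIO: granted=true
  Package [com.example.fakebank] (4d5e6f):
    installerPackageName=null
    runtime permissions:
      android.permission.READ_SMS: granted=true
      android.permission.RECEIVE_SMS: granted=true
      android.permission.SYSTEM_ALERT_WINDOW: granted=false
"""

TRUSTED_INSTALLERS = {"com.android.vending"}          # Google Play (assumed)
OTP_PERMISSIONS = {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS"}
KNOWN_ACCESSIBILITY_PKGS = {"com.android.talkback"}    # assumed allowlist


def parse_enabled_services(setting):
    """Map package -> list of enabled accessibility service classes."""
    services = {}
    for entry in filter(None, setting.split(":")):
        pkg, _, cls = entry.partition("/")
        services.setdefault(pkg, []).append(cls)
    return services


def parse_dumpsys_packages(text):
    """Map package -> {'installer': str|None, 'granted': set(permissions)}."""
    packages, current = {}, None
    for line in text.splitlines():
        m = re.match(r"\s*Package \[([\w.]+)\]", line)
        if m:
            current = packages.setdefault(m.group(1), {"installer": None, "granted": set()})
            continue
        if current is None:
            continue
        m = re.match(r"\s*installerPackageName=(\S+)", line)
        if m:
            current["installer"] = None if m.group(1) == "null" else m.group(1)
            continue
        m = re.match(r"\s*(android\.permission\.\w+): granted=true", line)
        if m:
            current["granted"].add(m.group(1))
    return packages


def triage(setting, dumpsys_text, threshold=2):
    """Score every package that has an enabled accessibility service and return
    those at or above the threshold, highest score first, with the reasons."""
    pkgs = parse_dumpsys_packages(dumpsys_text)
    findings = []
    for pkg, classes in parse_enabled_services(setting).items():
        info = pkgs.get(pkg, {"installer": None, "granted": set()})
        reasons = ["accessibility service enabled: " + ", ".join(classes)]
        if pkg not in KNOWN_ACCESSIBILITY_PKGS:
            reasons.append("not a known accessibility app")
        if info["installer"] not in TRUSTED_INSTALLERS:
            reasons.append(f"sideloaded (installer={info['installer']})")
        otp = sorted(info["granted"] & OTP_PERMISSIONS)
        if otp:
            reasons.append("can read SMS OTPs: " + ", ".join(otp))
        score = len(reasons)
        if score >= threshold:
            findings.append({"package": pkg, "score": score, "reasons": reasons})
    return sorted(findings, key=lambda f: -f["score"])


if __name__ == "__main__":
    for f in triage(ENABLED_ACCESSIBILITY, DUMPSYS_PACKAGE):
        print(f"[score {f['score']}] {f['package']}")
        for r in f["reasons"]:
            print("    -", r)
```

A legitimate screen reader installed from Google Play scores 1 and stays below the threshold; the sideloaded package with an accessibility service and SMS permissions scores 4. On a real device, feed the script the live output of the two adb commands instead of the embedded samples.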
Expansion and evolution
The report states that the malware campaign has an active botnet controlling infected devices, with Italy identified as the primary hotspot, accounting for over %, followed by Portugal and Spain.
This distribution indicates a shift in strategy by its developers, who are now adjusting their operations to target European financial institutions.
The operators are reportedly Chinese-speaking, which is uncommon for banking fraud targeting Europe and Latin America.
Although the code resembles its predecessor's, many features appear unfinished, suggesting the malware is either at an early stage or still being adapted to its new target regions.
Supported Commands
It is a stripped-down variant of its predecessor: it lacks the earlier family's more complex obfuscation and instead relies on hardcoded command-and-control (C&C) domains (e.g., . and .).
The malware encrypts its C&C traffic, but the static, hardcoded configuration is a weakness for the operators: domains embedded in the APK are easy to extract, block or sinkhole, and cannot be changed without pushing a new sample to victims.
This simplicity may reflect the regulatory obstacles the operators face in Europe (such as ) and the constraints of Western banking infrastructure.
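Hardcoded C&C domains are exactly what a static string sweep recovers. The following is an added example, not code from the report or from the malware: it scans a constructed byte blob standing in for an APK's classes.dex, pulls out every URL and host:port pair, drops hosts that appear in nearly every APK, and emits Response Policy Zone (RPZ) records that sinkhole the remainder. The C&C names use the reserved `.example` TLD and the benign-host allowlist is an assumption; the real indicators are in the report's appendix. DEX string data is length-prefixed MUTF-8, so ASCII URLs survive a raw scan just as they would with `strings`; an encrypted or XOR-packed configuration would not, which is one reason the static setup described above is notable.

```python
import re
from urllib.parse import urlsplit

# Constructed stand-in for raw bytes from an APK's classes.dex. The C&C hosts
# are placeholder names under the reserved .example TLD, not the report's IOCs.
SAMPLE_DEX = (
    b"dex\n035\x00" + b"\x00" * 16
    + b"\x1fhttps://c2-one.example/api/v1/register\x00"
    + b"\x10c2-two.example:8443\x00"
    + b"\x28https://schemas.android.com/apk/res/android\x00"
    + b"\x16https://www.google.com/\x00"
    + b"\x05tcp://\x00"
    + b"\xff\x00\x7f"
)

# Hosts present in almost every APK that are not worth an alert (assumed list).
BENIGN_HOSTS = {"schemas.android.com", "www.google.com", "play.google.com"}

# Full URLs (scheme, host, optional port, optional path) and bare host:port pairs.
URL_RE = re.compile(rb"https?://[A-Za-z0-9.\-]+(?::\d{1,5})?(?:/[\x21-\x7e]*)?")
HOST_PORT_RE = re.compile(rb"\b[a-z0-9-]+(?:\.[a-z0-9-]+)+:\d{2,5}\b")


def extract_c2_candidates(blob):
    """Return the sorted set of non-benign hosts referenced in the raw bytes."""
    hosts = set()
    for m in URL_RE.finditer(blob):
        hosts.add(urlsplit(m.group().decode("ascii", "ignore")).hostname)
    for m in HOST_PORT_RE.finditer(blob):
        hosts.add(m.group().decode("ascii").rsplit(":", 1)[0])
    return sorted(h for h in hosts if h and h not in BENIGN_HOSTS)


def rpz_rules(hosts):
    """RPZ records that answer NXDOMAIN for each host and all of its subdomains."""
    lines = []
    for h in hosts:
        lines.append(f"{h} CNAME .")
        lines.append(f"*.{h} CNAME .")
    return lines


if __name__ == "__main__":
    candidates = extract_c2_candidates(SAMPLE_DEX)
    print("C&C candidates:", candidates)
    print("\n".join(rpz_rules(candidates)))
```

Against a real sample, unzip the APK, run the extractor over every `classes*.dex`, and review the candidates by hand before loading them into a resolver: string sweeps also surface analytics endpoints and SDK hosts that belong on the allowlist rather than in a block zone.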
The core of the operation is the infrastructure that lets the fraudsters monitor and control compromised devices.
Through a dedicated "Machine Management" interface, the threat actors can track the status, location, and hardware specifications of each infected device, which lets them target fraud at specific regions.
The panel also tracks security and configuration changes on infected devices, since such changes can interfere with the fraud; watching for them helps the attackers keep persistent access.
Management panel: remote control of victim devices
Its emergence outside Southeast Asia underscores the trend of regional cybercrime groups expanding into new markets.
As the malware is still evolving, tracking its updates and hardening devices remain essential to mitigating the risk posed by this emerging banking trojan.
Android phone users can minimize risks by downloading apps only from , keeping active on their devices, and using multi-factor authentication to protect their bank accounts.
In-depth exploration: the panel
Panel login page
System management interface
List of victims and details
Appendix: Malware Commands
Appendix: Indicators of Compromise ()
More information can be found by visiting the following URL:
https://www.cleafy.com/cleafy-labs/toxicpanda-a-new-banking-trojan-from-asia-hit-europe-and-latam