Day 56 of 100 in the 100 Days of Cyber Challenge
by Christopher Mohr
In March 2025, Kaspersky announced at Mobile World Congress in Barcelona that the number of “trojan banker attacks” had increased 196% in 2024 over the previous year, with 1.24 million Android devices compromised.
Shortly after, the company also reported that the number of users encountering mobile banking Trojans increased by 260% over that same period.
One of the mobile banking trojans getting headlines in the first half of 2025 was ToxicPanda. Its origins trace back to TgToxic, discovered by Trend Micro in 2022. TgToxic infected devices in Southeast Asia and was involved in phishing, sextortion, and cryptocurrency scams.
Security firm Cleafy identified a new trojan in October 2024 with code similarities to TgToxic but with enough differences to warrant a new name: ToxicPanda. It attacked mostly in Italy, but also in Spain, Portugal, France and Peru.
ToxicPanda reaches victims through the TAG-124 traffic distribution system, a network of at least 50 compromised and attacker-controlled domains that host and distribute the malware.
It masquerades as a legitimate app, often the Chrome browser, or is delivered by phony CAPTCHA challenges that install it. Regardless of the method used, once the app is installed, a set of 39 overlays matching the layouts of prominent banks' UIs down to the pixel is available for an attack.
ToxicPanda takes advantage of the Accessibility Features that Android designed for people with disabilities. By abusing these features, ToxicPanda is able to bypass security measures and intercept one-time passwords.
Once ToxicPanda is installed, the phone is a part of a botnet that communicates with a command-and-control (C2) server. When the user launches their banking app, the malware determines which bank is used and loads the overlay that matches that bank’s UI.
The user thinks they are logging into their account, but they are actually sending their credentials to ToxicPanda. The credentials are then uploaded to the C2 server on its command. It’s the software equivalent of a card-skimmer.
Research on ToxicPanda tails off after late July 2025, leaving its current operational status unclear. Does the lack of recent news mean it has been taken down and law enforcement agencies are keeping a lid on their actions, or is it because there is nothing new to report? Even without knowing ToxicPanda’s current status, it is still an instructive example of a well-designed mobile banking trojan.
Besides, it’s not like there aren’t other mobile banking trojans. Kaspersky discovered another trojan recently that it designated as ‘FrogBlight’.
So far, it appears the only region affected by FrogBlight is Turkey. Victims are targeted through a smishing campaign sending texts telling them they had to appear in court. Clicking the links in these texts installed the malware on the system.
The malware appears as an app that allows users to view court cases. During setup, users are told that the app needs permissions in order to display case files. After those permissions are granted, the user is prompted to sign in, with several options offered, one of them being to sign in through a banking app.
Regardless of the option the user selects, the banking login appears. JavaScript injected into the page captures the credentials the user enters and transmits them to a C2 server. It's basically ToxicPanda with smishing scams replacing overlays.
Defending against these attacks starts with how apps are installed and updated.
You should never install Android apps from a popup advising you to do so. Instead, install them through the Google Play Store.
You should also never update an Android app unless it is through the Google Play Store or a link in the app itself. Better yet, enable automatic updates when possible so you need not worry about which link to click vs. which to avoid.
Government-agency-related scams can be avoided by understanding how these organizations contact people for situations that require urgent response, like arrest warrants, court appearances, and tax obligations. You should follow that agency’s best practices for dealing with such obligations, including contacting the agency or organization directly.
The IRS, for example, has an entire page devoted to informing the public how it contacts people to address tax-related matters.
Users should also be suspicious of banking apps that require unusual permissions. A legitimate banking app does not need to display over other apps or require accessibility features permissions.
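The installation-source and permission checks above can be scripted for anyone who administers Android devices. The following is an added example, not code from the original post or from any of the vendors it cites. It parses the text that three real adb commands print (`adb shell pm list packages -i`, `adb shell dumpsys package <pkg>`, and `adb shell settings get secure enabled_accessibility_services`) and flags apps that were sideloaded, request overlay/SMS/install permissions, or have an enabled accessibility service. Accessibility services are checked through the secure setting rather than the permission list, because `BIND_ACCESSIBILITY_SERVICE` is declared on the service, not requested by the app. The package names and command output in the block are constructed for the example, and the `dumpsys` section layout the parser assumes (a `requested permissions:` header followed by indented entries until the next header ending in a colon) is an assumption about that output.

```python
"""Audit Android packages for the warning signs of a mobile banking trojan.

Added example. All package names and command output below are constructed;
nothing here is taken from a real device.
"""
import re

PLAY_STORE = "com.android.vending"  # installer id of the Google Play Store

# Permissions a legitimate banking app has no reason to request.
RISKY_PERMISSIONS = {
    "android.permission.SYSTEM_ALERT_WINDOW": "can draw over other apps (overlay)",
    "android.permission.REQUEST_INSTALL_PACKAGES": "can prompt to install further packages",
    "android.permission.READ_SMS": "can read SMS, including one-time codes",
}


def parse_installers(pm_output: str) -> dict:
    """Map package -> installer from `pm list packages -i` output."""
    installers = {}
    for line in pm_output.splitlines():
        m = re.match(r"package:(\S+)\s+installer=(\S+)", line.strip())
        if m:
            installers[m.group(1)] = m.group(2)
    return installers


def parse_requested_permissions(dumpsys_output: str) -> set:
    """Collect the entries listed under 'requested permissions:' in dumpsys output.

    Assumption: the section ends at the next line that ends with a colon.
    """
    perms, in_section = set(), False
    for raw in dumpsys_output.splitlines():
        line = raw.strip()
        if line == "requested permissions:":
            in_section = True
            continue
        if in_section:
            if line.endswith(":"):  # next section header
                break
            if line:
                perms.add(line)
    return perms


def parse_enabled_accessibility_services(setting_value: str) -> set:
    """Packages with an enabled accessibility service.

    The secure setting is 'pkg/Service:pkg2/Service2', or 'null' when none.
    """
    value = setting_value.strip()
    if not value or value == "null":
        return set()
    return {entry.split("/", 1)[0] for entry in value.split(":") if entry}


def audit_package(pkg: str, installers: dict, permissions: set, a11y_packages: set) -> list:
    """Return a list of human-readable findings for one package (empty = clean)."""
    findings = []
    installer = installers.get(pkg, "null")
    if installer != PLAY_STORE:
        findings.append(f"installed by {installer!r}, not the Play Store (sideloaded)")
    for perm, why in RISKY_PERMISSIONS.items():
        if perm in permissions:
            findings.append(f"requests {perm}: {why}")
    if pkg in a11y_packages:
        findings.append("has an enabled accessibility service")
    return findings


# Constructed sample output: one app from the Play Store, one sideloaded "Chrome update".
SAMPLE_PM_LIST = """\
package:com.example.bank  installer=com.android.vending
package:com.example.chromeupdate  installer=null
"""
SAMPLE_DUMPSYS = {
    "com.example.bank": """\
  Package [com.example.bank] (a1b2c3):
    requested permissions:
      android.permission.INTERNET
      android.permission.USE_BIOMETRIC
    install permissions:
      android.permission.INTERNET: granted=true
""",
    "com.example.chromeupdate": """\
  Package [com.example.chromeupdate] (d4e5f6):
    requested permissions:
      android.permission.INTERNET
      android.permission.SYSTEM_ALERT_WINDOW
      android.permission.READ_SMS
      android.permission.REQUEST_INSTALL_PACKAGES
    install permissions:
      android.permission.INTERNET: granted=true
""",
}
SAMPLE_A11Y = "com.example.chromeupdate/com.example.chromeupdate.HelperService"


def run_audit(pm_list=SAMPLE_PM_LIST, dumpsys=SAMPLE_DUMPSYS, a11y=SAMPLE_A11Y) -> dict:
    """Audit every package in the pm listing; returns {package: [findings]}."""
    installers = parse_installers(pm_list)
    a11y_packages = parse_enabled_accessibility_services(a11y)
    return {
        pkg: audit_package(pkg, installers, parse_requested_permissions(dumpsys[pkg]), a11y_packages)
        for pkg in installers
    }


if __name__ == "__main__":
    for pkg, findings in run_audit().items():
        print(f"{pkg}: {'clean' if not findings else ''}")
        for finding in findings:
            print("  -", finding)
```

On a real device, replace the three constructed strings with the output of the adb commands named in the lead-in; the bank app in the sample comes back clean, while the sideloaded "update" collects five findings.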
With 2026 being only a couple of weeks old, it’s likely too soon to find data on mobile banking trojans: how many people were attacked, how many installations of malware, number of installations by malware designation, etc.
It is pretty clear that this method of attack has victimized many people. Fortunately, decreasing the likelihood of such an attack does not require a lot of technical expertise, but rather a few simple adjustments in one’s mobile device habits, having more awareness, and acting on it.
Sources:
Banking data theft attacks on smartphones triple in 2024, Kaspersky reports
3.6 times surge in mobile banking malware and 83% crypto phishing spike: New financial cyberthreats report by Kaspersky
TgToxic Malware’s Automated Framework Targets Southeast Asia Android Users (Trend Micro)
ToxicPanda: a new banking trojan from Asia hit Europe and LATAM (Cleafy)
ToxicPanda: The Android Banking Trojan Targeting Europe (Bitsight)
How to Update Chrome: The 2025 Guide for Performance & Security (ITarian)
Watch Out for Google Chrome Update Malware
How to know it’s the IRS