
Toxianda Banking Trojan Infects Over 1,500 Android Smartphones, Targets 16 Banks: Report

Threat actors can use ToxicFraud banking trojan to perform on-device fraud (ODF) on a victim's smartphone.


Photo Credit: Pixabay/ @neotam

Cleafy's Threat Intelligence team said traditional malware scanners were unable to detect Toxianda

Highlights
  • Toxianda is a recently detected Android banking trojan
  • Users are prompted to install the trojan using social engineering
  • The Toxianda trojan can gain access to a user's bank accounts

Toxianda, a banking trojan that is believed to be in an early stage of development, has been detected by security researchers in Europe and Latin America. It is believed to be derived from another banking trojan detected in 2023, and is used to remotely take over accounts on compromised phones, allowing attackers to transfer funds while bypassing security measures aimed at stopping suspicious transactions. Toxianda was reportedly found on over 1,500 devices, while targeting users of 16 banking institutions.

Researchers at Cleafy's Threat Intelligence team detected a new Android malware in October that they initially detected as TgToxic, another banking trojan that was actively used in Southeast Asia and was identified by the group last year. The researchers found that the new sample did not contain capabilities from TgToxic, and that the code was not similar to the original trojan.


The Toxianda trojan is disguised as popular applications
Photo Credit: Cleafy

 

As a result, the researchers started to track the newly detected remote access trojan (RAT) as Toxianda and warn that the malware can lead to account takeover (ATO) after a victim's device is infected. Cleafy's Threat Intelligence team also says that by opting for manual distribution (sideloading, using social engineering), threat actors (TA) can circumvent a bank's security measures that are used to keep users safe.

In order to access almost all information on a user's device, the malware exploits the accessibility service on Android, allowing it to capture data from all apps. It is also capable of sidestepping two-factor authentication (such as OTPs) by capturing the contents of the screen.

The creators of the Toxianda malware are Chinese speakers, according to the researchers. Over 1,500 devices were infected with the Toxianda trojan and users from Italy were the most impacted, accounting for more than 50 percent of all infected devices. Other impacted locations include Portugal, Spain, , and Peru. Customers of 16 banks were reportedly targeted by the TAs using the Toxianda trojan.

The researchers also point out that current antivirus solutions have failed to detect these threats, which suggests the need for a "proactive, real-time detection system". A botnet of infected devices was also spotted in use in Europe and Latin American countries, which suggests that the Chinese-based TAs are now turning their attention to other markets. 

David Delima