Researchers with Cleafy discovered a new strain of banking malware that targets Android users.

Once infected, it enables hackers to conduct fraudulent banking transactions with the victim’s device. The scheme itself isn’t new — it’s referred to as on-device fraud and it lets hackers conduct illegal transactions from the safety of someone else’s phone.

“It aims to bypass bank countermeasures used to enforce users’ identity verification and authentication, combined with behavioral detection techniques applied by banks to identify suspicious money transfers,” explain Cleafy researchers Michele Roviello, Alessandro Strino, and Federico Valentini.

Over 1,500 devices were infected, with over half of these infections coming from Italy. Portugal, Spain, France, and Peru were also infection hotspots.

“This geographical distribution underscores the ToxicPanda botnet’s significant reach and adaptability. These numbers suggest that the operators are expanding their focus beyond primary European targets, hinting at a potential shift towards Latin America,” the Cleafy report reads.

The maximum amount that was withdrawn from each account is below 10k.

One strange fact is that ToxicPanda seems to be built on the foundation of the old TGToxic malware strain, but it’s less advanced. It lacks both the Automatic Transfer System (ATS) routine and reduced obfuscation routines that its predecessor had. Roviollo, Strino, and Valentini believe that points to the hackers not having experience working with foreign targets.

They also note that the hackers responsible for the attack spoke Chinese. It’s uncommon for threat actors from this region to launch wide-scale on-device banking fraud in countries like Italy and France.

“More broadly, we observe a marked shift as Chinese-speaking TAs expand their focus into new geographical regions, especially targeting financial institutions and customers in pursuit of banking fraud opportunities,” they explain.

“This trend underscores the mobile security ecosystem’s escalating challenge, as the marketplace is increasingly saturated with malware and new threat actors emerge.”