Researchers are warning Android users about Crocodilus banking Trojan


Cybersecurity researchers have found new Android malware that uses advanced techniques against Android users to take over their devices and steal data. It's called Crocodilus.


Crocodilus, a new and highly capable mobile banking Trojan, was discovered by cybersecurity firm ThreatFabric.

Researchers state that it isn't a simple clone of well-established banking Trojan families such as Anatsa, Octo, or Hook. Instead, Crocodilus is a new, fully fledged threat equipped with modern techniques such as remote control, black screen overlays, and advanced data harvesting via Accessibility Service logging.

Crocodilus' initial installation is via a proprietary dropper that bypasses the restrictions introduced in Android 13 and later. Once installed, the malware asks the user to enable its Accessibility Service.

Once Crocodilus has gained this permission, it connects to a command-and-control (C2) server and receives instructions, including a list of target applications and corresponding overlay screens. The banking Trojan then continuously monitors app launches, displaying fraudulent overlays to intercept user credentials.
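Because everything described above hinges on the malware getting its Accessibility Service enabled, the quickest triage question on a suspect device is "which accessibility services are enabled, and where did their packages come from?". The script below is an added example, not code from the original article or from ThreatFabric. It parses the output of two real adb commands, `adb shell settings get secure enabled_accessibility_services` and `adb shell pm list packages -i`, and flags enabled services whose owning package was sideloaded or came from an untrusted installer. The package names, class names, allowlist and trusted-installer set are constructed sample data for the example, not indicators from the article.

```python
"""Triage check for Accessibility Service abuse on an Android device.

Added example (not code from the article or from ThreatFabric). Feed it the
raw output of:

    adb shell settings get secure enabled_accessibility_services
    adb shell pm list packages -i

The sample strings below are constructed to look like that output.
"""
import re

# Installer package names an enterprise might trust (assumption for the example).
TRUSTED_INSTALLERS = {"com.android.vending", "com.sec.android.app.samsungapps"}

# Accessibility services expected on the fleet, e.g. a screen reader (assumption).
ALLOWLIST = {"com.google.android.marvin.talkback"}

# Constructed sample output; the 'cryptoupdate' package is a made-up name.
SAMPLE_SERVICES = (
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService"
    ":com.example.cryptoupdate/.AccService"
)
SAMPLE_INSTALLERS = """\
package:com.google.android.marvin.talkback  installer=com.android.vending
package:com.example.cryptoupdate  installer=null
package:com.android.chrome  installer=com.android.vending
"""

INSTALLER_RE = re.compile(r"^package:(\S+)\s+installer=(\S+)\s*$")


def parse_enabled_services(raw):
    """Parse the colon-separated 'pkg/cls:pkg/cls' value stored in Settings.Secure."""
    raw = raw.strip()
    if not raw or raw == "null":
        return []
    services = []
    for entry in raw.split(":"):
        pkg, _, cls = entry.partition("/")
        # A class starting with '.' is relative to its package name.
        if cls.startswith("."):
            cls = pkg + cls
        services.append((pkg, cls))
    return services


def parse_installers(raw):
    """Map package name -> installer package from 'pm list packages -i' ('null' -> None)."""
    installers = {}
    for line in raw.splitlines():
        m = INSTALLER_RE.match(line.strip())
        if not m:
            continue
        pkg, installer = m.group(1), m.group(2)
        installers[pkg] = None if installer == "null" else installer
    return installers


def flag_suspicious(services, installers, trusted=TRUSTED_INSTALLERS, allowlist=ALLOWLIST):
    """Return (pkg, cls, severity, reason) for enabled services worth a closer look."""
    findings = []
    for pkg, cls in services:
        if pkg in allowlist:
            continue
        installer = installers.get(pkg)
        if installer is None:
            # Sideloaded (or the package is gone): the dropper pattern described above.
            findings.append((pkg, cls, "high", "sideloaded or unknown installer"))
        elif installer not in trusted:
            findings.append((pkg, cls, "medium", f"installed by untrusted source {installer}"))
        else:
            findings.append((pkg, cls, "low", f"not on allowlist (installed by {installer})"))
    return findings


def triage(services_raw=SAMPLE_SERVICES, installers_raw=SAMPLE_INSTALLERS):
    """Run the whole check on raw command output and return the findings."""
    return flag_suspicious(parse_enabled_services(services_raw), parse_installers(installers_raw))


if __name__ == "__main__":
    for pkg, cls, severity, reason in triage():
        print(f"[{severity}] {pkg} ({cls}): {reason}")
```

On a real device, pipe the two adb outputs into `triage()`; anything flagged `high` is a sideloaded app holding an Accessibility Service, which is exactly the foothold this family needs, so treat it as a candidate for removal and further analysis rather than proof of infection.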


Crocodilus also acts as a keylogger, registering all Accessibility events and capturing all elements displayed on the screen. This allows the Crocodilus operators to collect sensitive information, including personally identifiable information (PII) and log-in credentials.

There's also a Remote Access Trojan (RAT) command that makes an infected Android device take a screenshot of the Google Authenticator app. The one-time password (OTP) captured this way is sent to the C2 server, letting the operators enter the code and log into the victim's cryptocurrency wallet.

Crocodilus can also make any remote access “hidden,” displaying a black screen overlay on top of all the activities and effectively hiding the malware's actions. To remain unnoticed, all sound alerts are muted.


Lastly, the malware uses social engineering to trick victims into navigating to their seed phrase or wallet key, which it then captures. For example, it prompts users to back up their cryptocurrency wallet within 12 hours to avoid losing access to it.

“Initial campaigns observed by our Mobile Threat Intelligence team show targets primarily in Spain and Turkey, along with several cryptocurrency wallets. We expect this scope to broaden globally as the malware evolves,” ThreatFabric warns.

To stay protected, businesses should adopt a layered security approach that includes thorough device and behavior-based risk analysis on their customers’ devices.