Mar 29, 2025 | Ravie Lakshmanan | Threat Intelligence / Mobile Security

Cybersecurity experts have identified a novel Android banking malware, known as Crocodilus, which primarily targets users in Spain and Turkey.

According to ThreatFabric, “Crocodilus emerges as a fully-fledged threat, equipped with advanced techniques such as remote control, black screen overlays, and sophisticated data harvesting via accessibility logging, rather than a simple clone of existing malware.”

Similar to other banking trojans, Crocodilus is designed to facilitate device takeover and conduct fraudulent transactions. An examination of the source code and debug messages reveals that the malware author is Turkish-speaking.

The analyzed Crocodilus artifacts masquerade as Google Chrome, with the package name “quizzical.washbowl.calamity”, acting as a dropper that can bypass Android 13+ restrictions.

Upon installation and launch, the app requests permission to access Android’s accessibility services. It then establishes contact with a remote server to receive instructions, a list of target financial applications, and HTML overlays to steal credentials.

Crocodilus also targets cryptocurrency wallets by displaying an alert message that urges victims to back up their seed phrases within 12 hours, or risk losing access to their wallets.

This social engineering tactic is designed to trick victims into navigating to their seed phrases, which are then harvested through the abuse of accessibility services, allowing the threat actors to gain control of the wallets and drain the assets.

ThreatFabric notes that “the malware runs continuously, monitoring app launches and displaying overlays to intercept credentials. It monitors all accessibility events and captures all elements displayed on the screen.”

This enables the malware to log all activities performed by the victims on the screen and trigger a screen capture of the contents of the Google Authenticator application.

Crocodilus has the ability to conceal malicious actions on the device by displaying a black screen overlay and muting sounds, ensuring that the victims remain unaware of the malware’s presence.

The malware’s key features include:

  • Launching specified applications
  • Self-removal from the device
  • Posting push notifications
  • Sending SMS messages to all or select contacts
  • Retrieving contact lists
  • Getting a list of installed applications
  • Getting SMS messages
  • Requesting Device Admin privileges
  • Enabling black overlay
  • Updating C2 server settings
  • Enabling/disabling sound
  • Enabling/disabling keylogging
  • Making itself the default SMS manager
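The privileges listed above (accessibility access requested at install, Device Admin, default SMS manager) and the dropper package name reported earlier are all visible in device state that an analyst can pull with standard `adb shell` queries. The following triage helper is an added example, not code from the article or from ThreatFabric: it parses the text output of `settings get secure enabled_accessibility_services`, `dumpsys device_policy`, `settings get secure sms_default_application` and `pm list packages`, and flags any package that matches the known dropper name or holds one of those privileges outside an allow-list. The allow-list prefixes and the exact `dumpsys` line layout are assumptions to adjust for a given fleet, and the sample device output embedded below is constructed.

```python
"""Triage helper: flag Android packages holding the privileges Crocodilus abuses.

Added example (not the article's or ThreatFabric's code). Feed it the raw text of:
  adb shell settings get secure enabled_accessibility_services
  adb shell dumpsys device_policy
  adb shell settings get secure sms_default_application
  adb shell pm list packages
"""
import re

# Package name of the analyzed Crocodilus dropper, as reported in the article.
KNOWN_BAD_PACKAGES = {"quizzical.washbowl.calamity"}

# Assumption: services/apps considered expected on a stock device. Extend per fleet.
EXPECTED_ACCESSIBILITY_PREFIXES = ("com.google.android.marvin.talkback/", "com.android.")
EXPECTED_DEVICE_ADMIN_PREFIXES = ("com.android.", "com.google.android.")
EXPECTED_SMS_APPS = ("com.google.android.apps.messaging", "com.android.messaging")

# Assumption: in `dumpsys device_policy`, each enabled admin appears on its own
# indented line as "<package>/<ReceiverClass>:" under "Enabled Device Admins".
_ADMIN_LINE = re.compile(r"^\s+([A-Za-z0-9_.]+/[A-Za-z0-9_.$]+):$", re.MULTILINE)


def parse_accessibility_services(setting_value: str) -> list[str]:
    """The setting is 'null' or a colon-separated list of <package>/<ServiceClass>."""
    value = setting_value.strip()
    if value in ("", "null"):
        return []
    return [entry for entry in value.split(":") if entry]


def parse_device_admins(dumpsys_output: str) -> list[str]:
    """Return flattened component names of enabled device admins."""
    return _ADMIN_LINE.findall(dumpsys_output)


def parse_installed_packages(pm_output: str) -> list[str]:
    """`pm list packages` prints one 'package:<name>' per line."""
    return [line[len("package:"):].strip()
            for line in pm_output.splitlines() if line.startswith("package:")]


def triage(accessibility_setting: str, device_policy_dump: str,
           default_sms_app: str, pm_output: str) -> dict[str, list[str]]:
    """Map each suspicious package to the list of reasons it was flagged."""
    findings: dict[str, list[str]] = {}

    def note(pkg: str, reason: str) -> None:
        findings.setdefault(pkg, []).append(reason)

    for pkg in parse_installed_packages(pm_output):
        if pkg in KNOWN_BAD_PACKAGES:
            note(pkg, "package name matches the reported Crocodilus dropper")

    for entry in parse_accessibility_services(accessibility_setting):
        if not entry.startswith(EXPECTED_ACCESSIBILITY_PREFIXES):
            note(entry.split("/")[0], f"unexpected accessibility service enabled: {entry}")

    for component in parse_device_admins(device_policy_dump):
        pkg = component.split("/")[0]
        if not pkg.startswith(EXPECTED_DEVICE_ADMIN_PREFIXES):
            note(pkg, f"holds Device Admin: {component}")

    sms = default_sms_app.strip()
    if sms and sms != "null" and sms not in EXPECTED_SMS_APPS:
        note(sms, "is the default SMS app")

    return findings


# Constructed sample device output (not captured from a real infection).
SAMPLE_ACCESSIBILITY = ("com.google.android.marvin.talkback/"
                        "com.google.android.marvin.talkback.TalkBackService:"
                        "quizzical.washbowl.calamity/.AccService")
SAMPLE_DEVICE_POLICY = (
    "Current Device Policy Manager state:\n"
    "  Enabled Device Admins (User 0, provisioningState: 0):\n"
    "    quizzical.washbowl.calamity/.AdminReceiver:\n"
    "      uid=10234\n"
)
SAMPLE_DEFAULT_SMS = "quizzical.washbowl.calamity"
SAMPLE_PM = "package:com.android.chrome\npackage:quizzical.washbowl.calamity\n"

if __name__ == "__main__":
    for pkg, reasons in triage(SAMPLE_ACCESSIBILITY, SAMPLE_DEVICE_POLICY,
                               SAMPLE_DEFAULT_SMS, SAMPLE_PM).items():
        print(pkg)
        for reason in reasons:
            print("  -", reason)
```

On a clean device the function returns an empty dict; the allow-lists are deliberately short so that any unknown service or admin is surfaced for a human to look at rather than silently accepted.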

ThreatFabric warns that “the emergence of the Crocodilus mobile banking Trojan marks a significant escalation in the sophistication and threat level posed by modern malware.”

“With its advanced Device-Takeover capabilities, remote control features, and the deployment of black overlay attacks from its earliest iterations, Crocodilus demonstrates a level of maturity uncommon in newly discovered threats.”

In a related development, Forcepoint disclosed details of a phishing campaign that employs tax-themed lures to distribute the Grandoreiro banking trojan, targeting Windows users in Mexico, Argentina, and Spain via an obfuscated Visual Basic script.
