NEW ANDROID TROJAN ‘CROCODILUS’ EXPLOITS ACCESSIBILITY TO STEAL BANKING AND CRYPTO CREDENTIALS
A New Threat in Mobile Security
Cybersecurity researchers have identified a new Android banking malware called Crocodilus. Unlike most newly discovered banking trojans, Crocodilus arrives as a fully developed threat with advanced features such as remote control, black screen overlays, and accessibility logging.
According to ThreatFabric, this malware facilitates device takeover (DTO), allowing attackers to conduct fraudulent transactions. An analysis of its source code and debug messages suggests that the malware author is Turkish-speaking.
How Crocodilus Operates
The malware disguises itself as Google Chrome (package name: quizzical.washbowl.calamity) to bypass Android 13+ security restrictions. Once installed, it requests accessibility permissions and then contacts a remote server, which provides further instructions on:
- Targeted financial applications
- HTML overlays to steal credentials
Crocodilus also targets cryptocurrency wallets by displaying fake alert messages urging victims to back up their seed phrases within 12 hours or risk losing access. This tactic lures users into revealing their seed phrases, which are then harvested using accessibility logging.
Malicious Capabilities
Once active, Crocodilus monitors all app launches and overlays fake login screens to steal credentials. The malware also logs user activities and captures screen content, including Google Authenticator codes.
Additionally, it employs black screen overlays and sound muting to conceal its activities. Some of its key capabilities include:
- Launching specified applications
- Self-removal from devices
- Sending SMS messages
- Retrieving contact lists
- Accessing installed apps
- Requesting Device Admin privileges
- Enabling keylogging
- Setting itself as the default SMS manager
A New Era of Banking Malware
ThreatFabric warns that Crocodilus represents a major escalation in mobile banking malware sophistication, with advanced Device Takeover (DTO) capabilities and black overlay attacks. Its high level of maturity makes it a formidable threat.
Related Cyber Threats
This development comes alongside the discovery of a phishing campaign distributing the Grandoreiro banking trojan in Mexico, Argentina, and Spain. Attackers use tax-themed emails and an obfuscated Visual Basic script to infect Windows devices.
What you can do: Mitigation and Protection
- Be cautious of apps requesting accessibility permissions.
- Use trusted security solutions for mobile device protection.
- Keep your Android updated and avoid downloading apps from unverified sources.
- Enable multi-factor authentication (MFA) to secure financial accounts.
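The first and last points above translate into checks a defender can run against a managed device. The script below is an added example, not code from the article or from ThreatFabric: it looks for the three signals the article attributes to Crocodilus (the reported package name, an enabled accessibility service that is not on an allowlist, and a third-party app holding the default SMS role). The SAMPLE_* values are constructed stand-ins for `adb shell` output so the script runs offline; the service class name inside the sample and the allowlist contents are assumptions to adapt per fleet.

```shell
#!/bin/sh
# Added triage helper (not from the article). Parses Android settings/package
# output for signals described in the article and prints one FINDING per hit.

# Package name reported in the article.
KNOWN_BAD_PACKAGE="quizzical.washbowl.calamity"

# Accessibility services expected on managed devices (assumption: edit per fleet),
# colon-separated exactly like the Android setting itself.
ALLOWED_SERVICES="com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService"

# Constructed sample of: adb shell settings get secure enabled_accessibility_services
# (the MainService class name is made up for the sample).
SAMPLE_ENABLED_SERVICES="com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:quizzical.washbowl.calamity/quizzical.washbowl.calamity.MainService"

# Constructed sample of: adb shell pm list packages -3   (third-party packages)
SAMPLE_PACKAGES="package:com.example.bank
package:quizzical.washbowl.calamity
package:com.example.game"

# Constructed sample of: adb shell settings get secure sms_default_application
SAMPLE_DEFAULT_SMS="quizzical.washbowl.calamity"

# Print each enabled accessibility service that is not on the allowlist.
# Returns 0 when every enabled service is expected, 1 otherwise.
unexpected_accessibility_services() {
    enabled="$1"; allowed="$2"; found=0
    [ "$enabled" = "null" ] && enabled=""   # `settings get` prints "null" when unset
    old_ifs=$IFS
    IFS=':'
    for svc in $enabled; do
        IFS=$old_ifs
        case ":$allowed:" in
            *":$svc:"*) ;;                   # expected service
            *) echo "$svc"; found=1 ;;
        esac
    done
    IFS=$old_ifs
    return $found
}

# Returns 0 if the package appears in `pm list packages` output, 1 otherwise.
package_installed() {
    printf '%s\n' "$2" | grep -qxF "package:$1"
}

# Run all checks over the given inputs. Returns 1 when anything was found so a
# calling MDM job or shell loop can act on the result.
triage_device() {
    enabled="$1"; packages="$2"; default_sms="$3"; hits=0
    if package_installed "$KNOWN_BAD_PACKAGE" "$packages"; then
        echo "FINDING: known Crocodilus package installed: $KNOWN_BAD_PACKAGE"; hits=1
    fi
    svcs=$(unexpected_accessibility_services "$enabled" "$ALLOWED_SERVICES") || true
    for svc in $svcs; do
        echo "FINDING: unexpected accessibility service enabled: $svc"; hits=1
    done
    # The article lists "setting itself as the default SMS manager" as a capability:
    # flag a default SMS handler that is a third-party package.
    if package_installed "$default_sms" "$packages"; then
        echo "FINDING: default SMS app is a third-party package: $default_sms"; hits=1
    fi
    return $hits
}

# Offline run over the constructed samples. For a live device (assumption: adb
# installed and the device authorized), feed the real values instead:
#   triage_device "$(adb shell settings get secure enabled_accessibility_services)" \
#                 "$(adb shell pm list packages -3)" \
#                 "$(adb shell settings get secure sms_default_application)"
triage_device "$SAMPLE_ENABLED_SERVICES" "$SAMPLE_PACKAGES" "$SAMPLE_DEFAULT_SMS" \
    || echo "device flagged; review the findings above"
```

The allowlist approach matters more than the package name: a rebuilt dropper ships under a different name, but it still has to appear in `enabled_accessibility_services` to do the overlay and logging the article describes, so that setting is the durable place to look.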
Stay Safe, Stay Vigilant
As the cybersecurity landscape continues to evolve, it is critical for organizations to remain proactive in defending against sophisticated, multi-stage attacks like this one. By staying informed and implementing comprehensive security measures, businesses can better protect themselves from increasingly complex threats.