Cybersecurity researchers have discovered a new Android banking malware called Crocodilus that’s primarily designed to target users in Spain and Turkey.
“Crocodilus enters the scene not as a simple clone, but as a fully-fledged threat from the outset, equipped with modern techniques such as remote control, black screen overlays, and advanced data harvesting via accessibility logging,” ThreatFabric said.
As with other banking trojans of its kind, the malware is designed to facilitate device takeover (DTO) and ultimately conduct fraudulent transactions. An analysis of the source code and the debug messages reveals that the malware author is Turkish-speaking.
The Crocodilus artifacts analyzed by the Dutch mobile security company masquerade as Google Chrome (package name: “quizzical.washbowl.calamity”), which acts as a dropper capable of bypassing Android 13+ restrictions.
Once installed and launched, the app requests permission to Android’s accessibility services, after which contact is established with a remote server to receive further instructions, the list of financial applications to be targeted, and the HTML overlays to be used to steal credentials.
Crocodilus is also capable of targeting cryptocurrency wallets with an overlay that, instead of serving a fake login page to capture login information, shows an alert message urging victims to backup their seed phrases within 12, or else risk losing access to their wallets.
This social engineering trick is nothing but a ploy on the part of the threat actors to guide the victims to navigate to their seed phrases, which are then harvested through the abuse of the accessibility services, thereby allowing them to gain full control of the wallets and drain the assets.
“It runs continuously, monitoring app launches and displaying overlays to intercept credentials,” ThreatFabric said. “The malware monitors all accessibility events and captures all the elements displayed on the screen.”
This allows the malware to log all activities performed by the victims on the screen, as well as trigger a screen capture of the contents of the Google Authenticator application.
Another feature of Crocodilus is its ability to conceal the malicious actions on the device by displaying a black screen overlay, as well as muting sounds, thereby ensuring that they remain unnoticed by the victims.
Some of the important features supported by the malware are listed below –
- Launch specified application
- Self-remove from the device
- Post a push notification
- Send SMS messages to all/select contacts
- Retrieve contact lists
- Get a list of installed applications
- Get SMS messages
- Request Device Admin privileges
- Enable black overlay
- Update C2 server settings
- Enable/disable sound
- Enable/disable keylogging
- Make itself a default SMS manager
“The emergence of the Crocodilus mobile banking Trojan marks a significant escalation in the sophistication and threat level posed by modern malware,” ThreatFabric said.
“With its advanced Device-Takeover capabilities, remote control features, and the deployment of black overlay attacks from its earliest iterations, Crocodilus demonstrates a level of maturity uncommon in newly discovered threats.”
The development comes as Forcepoint disclosed details of a phishing campaign that has been found employing tax-themed lures to distribute the Grandoreiro banking trojan targeting Windows users in Mexico, Argentina, and Spain by means of an obfuscated Visual Basic script.
