
Crocodilus Banking Trojan

Cybersecurity experts have uncovered a new Android banking malware named Crocodilus, which primarily targets users in Spain and Turkey. Unlike many emerging threats that start as rudimentary versions of existing malware, Crocodilus enters the cybercrime landscape as a fully developed, sophisticated banking Trojan.

Advanced Techniques for Maximum Damage

Crocodilus employs modern techniques such as:

  • Remote control capabilities
  • Black screen overlays to hide its presence
  • Advanced data harvesting through accessibility logging

Like other banking Trojans, it aims at Device Takeover (DTO), allowing cybercriminals to conduct fraudulent transactions from the victim's own device. A deeper analysis of its source code and debug messages suggests that the malware author is Turkish-speaking.

Disguised as Google Chrome to Evade Detection

Crocodilus is designed to bypass Android 13+ security restrictions by masquerading as Google Chrome (package name: 'quizzical.washbowl.calamity'). Once installed, the fake application requests accessibility service permissions, which grants it complete control over the device.
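As an added defender-side triage check (not code from the original article), the POSIX shell function below parses the Android secure setting enabled_accessibility_services, as printed by "adb shell settings get secure enabled_accessibility_services", and flags the package name reported above as well as any package outside a short allowlist. The allowlist, the service class names and the sample setting value are constructed assumptions.

```shell
#!/bin/sh
# Package name of the fake "Google Chrome" dropper named in the article.
CROCODILUS_PKG="quizzical.washbowl.calamity"

# Constructed allowlist of accessibility services expected on this device.
# Adjust for your fleet; the real Chrome never registers an accessibility service.
ALLOWED_PKGS="com.google.android.marvin.talkback com.android.settings"

# flag_accessibility_services "<setting value>"
# The value is ':'-separated, each entry being "package/ServiceClass".
# Prints "IOC <pkg>" for the known Crocodilus package and "UNKNOWN <pkg>" for
# any other package not on the allowlist. Returns 0 if nothing was flagged.
flag_accessibility_services() {
    value=$1
    status=0
    # Split on ':' only, then restore normal word splitting.
    old_ifs=$IFS; IFS=:; set -- $value; IFS=$old_ifs
    for entry in "$@"; do
        [ -z "$entry" ] && continue
        pkg=${entry%%/*}          # drop "/ServiceClass"
        if [ "$pkg" = "$CROCODILUS_PKG" ]; then
            printf 'IOC %s\n' "$pkg"
            status=1
            continue
        fi
        allowed=0
        for a in $ALLOWED_PKGS; do
            [ "$a" = "$pkg" ] && allowed=1
        done
        if [ "$allowed" -eq 0 ]; then
            printf 'UNKNOWN %s\n' "$pkg"
            status=1
        fi
    done
    return $status
}

# Constructed sample of what an infected device might report: TalkBack plus the dropper.
SAMPLE='com.google.android.marvin.talkback/.TalkBackService:quizzical.washbowl.calamity/.AccService'
flag_accessibility_services "$SAMPLE" || echo "suspicious accessibility service(s) enabled"
```

On a live device, substitute the output of the adb command for SAMPLE; a hit on the IOC line warrants isolating the device and revoking the service before any further banking use.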

Upon activation, it connects to a remote Command-and-Control (C2) server to:

  • Receive further instructions
  • Fetch the list of targeted financial applications
  • Deploy HTML overlays to steal user credentials

Cryptocurrency Wallets in the Crosshairs

Crocodilus doesn't just stop at banking applications—it also targets cryptocurrency wallets. Instead of using a fake login page, it tricks victims with a fraudulent backup alert, warning them to save their seed phrase within 12 hours or risk losing their assets.

This social engineering tactic manipulates victims into navigating to their seed phrases, which are then harvested via accessibility service abuse. With this information, the attackers can seize control of the wallet and drain its funds.

Continuous Monitoring and Credential Theft

Crocodilus is designed to run persistently in the background, keeping a close watch on application launches and triggering overlays to intercept credentials. It can:

  • Monitor all accessibility events
  • Capture all elements displayed on the screen
  • Take screenshots of Google Authenticator to bypass two-factor authentication

By doing so, Crocodilus ensures that its operators do not miss any login activity on the device.

Stealth Mode: Hiding Harmful Activities

To remain undetected, Crocodilus employs various stealth tactics, including:

  • Displaying a black screen overlay to hide unauthorized activities
  • Muting sounds to prevent victims from hearing suspicious alerts

These measures make it much harder for victims to realize that their devices have been compromised.

A Powerful Arsenal of Damaging Features

Crocodilus is designed with a range of threatening capabilities that allow it to take complete control of an infected device. It can launch specific applications, remove itself from the device to avoid detection, and send push notifications to manipulate user behavior. The malware can also send SMS messages to selected or all contacts, retrieve contact lists, and fetch a list of installed applications, giving attackers a comprehensive view of the victim's digital footprint.

In addition, Crocodilus can read SMS messages, request Device Admin privileges to gain deeper control, and activate a black overlay mode to conceal its activities. It regularly updates its C2 server settings, ensuring it can adapt and respond to new instructions from its operators. To further its stealth operations, it can enable or disable sound, toggle keylogging to capture user input, and even make itself the default SMS handler, allowing it to intercept and manipulate messages undetected.

Crocodilus: A New Mobile Banking Threat

The emergence of Crocodilus marks a dangerous escalation in mobile banking malware sophistication. Unlike many newly discovered threats, Crocodilus is mature from the outset, leveraging advanced Device Takeover techniques, remote control features, and black overlay attacks to compromise users.

With its stealthy execution and robust set of features, this malware sets a new precedent for Android banking threats, proving that cybercriminals are constantly improving their tactics to stay ahead of security measures.
