Crocodilus malware, a new threat to banking and crypto credentials

May 8, 2025

A new Android banking trojan dubbed Crocodilus is under active development and currently targets banking customers in Spain and Turkey.

Like other banking trojans, the malware enables full device takeover, which ends in fraudulent transactions made from the victim's own handset. Analysis of the source code and its debug messages also indicates that the author is a Turkish speaker.

Moreover, the malware poses as Google Chrome and ships as a dropper that bypasses the Android 13+ Restricted Settings protection, which normally blocks sideloaded apps from being granted the Accessibility Service.

Once installed and launched, it asks the victim to enable its Accessibility Service. It then contacts a remote server to receive commands, a list of financial applications to target, and HTML overlays that are shown over those apps to capture credentials.

The Crocodilus Android trojan can target crypto wallets.

Crocodilus also targets cryptocurrency wallets with an overlay that displays a fake alert telling victims to back up their seed phrase in the wallet's settings within 12 hours or risk losing access to their wallet.

This social engineering walks the victim to the screen that displays the seed phrase. The malware's accessibility logger then captures the words as they appear on screen, and the attackers use them to restore the wallet on their own device and drain its assets.

The same Accessibility Service access lets the malware log every on-screen action the victim takes and, on command, capture the contents of the Google Authenticator app, exposing the one-time codes used as a second factor.

Furthermore, Crocodilus can hide its activity from the victim by drawing a black overlay over the screen and muting the device's sound while it operates the phone remotely. Its command set gives the operator control over the infected device and the ability to change how it behaves.

Once installed, it can start specific apps as instructed by the attacker and even delete itself from the device to avoid discovery.

It can also display push notifications, which may lure users into opening malicious links or granting further access, and send SMS messages to all or selected contacts, which can be used for phishing or to spread to other devices.

Additional research also observed that it may retrieve contact lists, access stored SMS messages, and obtain a list of installed apps, providing the attacker with important information about the device and its owner.

It can then request Device Admin rights to acquire more control, making it more difficult to uninstall.

Other commands turn the device's sound on or off, enable keylogging to record user input, and make the malware the default SMS app, allowing all text messages, including SMS-delivered one-time codes, to be intercepted or modified.
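The footholds listed above (an enabled third-party Accessibility Service, Device Admin rights, and the default SMS role) are also the first things an incident responder should check on a handset suspected of carrying this kind of trojan. The Python script below is an added example, not code from the article or from any vendor analysis of Crocodilus. It parses the text of four adb commands (`settings get secure enabled_accessibility_services`, `settings get secure sms_default_application`, `pm list packages -i`, `dumpsys device_policy`) and reports any non-allowlisted package holding one of these privileges, escalating when the package was sideloaded (installer `null`). The embedded sample outputs are constructed, and every package name starting with `com.chrome.update.helper` is hypothetical.

```python
import re
from dataclasses import dataclass

# Constructed sample outputs (hypothetical package names) mimicking:
#   adb shell settings get secure enabled_accessibility_services
#   adb shell settings get secure sms_default_application
#   adb shell pm list packages -i
#   adb shell dumpsys device_policy
SAMPLE_ACCESSIBILITY = (
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:"
    "com.chrome.update.helper/com.chrome.update.helper.AccessService"
)
SAMPLE_DEFAULT_SMS = "com.chrome.update.helper"
SAMPLE_PACKAGES = """\
package:com.google.android.apps.messaging  installer=com.android.vending
package:com.google.android.marvin.talkback  installer=com.android.vending
package:com.chrome.update.helper  installer=null
package:com.android.chrome  installer=com.android.vending
"""
SAMPLE_DEVICE_POLICY = """\
Current Device Policy Manager state:
  Enabled Device Admins (User 0, provisioningState: 0):
    com.google.android.gms/com.google.android.gms.mdm.receivers.MdmDeviceAdminReceiver:
      uid=10093
    com.chrome.update.helper/com.chrome.update.helper.AdminReceiver:
      uid=10211
"""

# Packages that legitimately hold these privileges on a stock device (assumed
# allowlist; extend it per fleet). Anything else is reported for review.
KNOWN_ACCESSIBILITY_PKGS = {"com.google.android.marvin.talkback"}
KNOWN_SMS_PKGS = {"com.google.android.apps.messaging", "com.samsung.android.messaging"}
KNOWN_ADMIN_PKGS = {"com.google.android.gms"}


@dataclass(frozen=True)
class Finding:
    severity: str  # "high" or "medium"
    package: str
    reason: str


def parse_accessibility_services(value: str) -> list[tuple[str, str]]:
    """Split the colon-separated Settings.Secure list into (package, class) pairs."""
    pairs = []
    for entry in value.strip().split(":"):
        if entry and "/" in entry:
            pkg, cls = entry.split("/", 1)
            pairs.append((pkg, cls))
    return pairs


def parse_installers(pm_output: str) -> dict[str, str]:
    """Map package -> installer from 'pm list packages -i'; 'null' means sideloaded."""
    return {m.group(1): m.group(2)
            for m in re.finditer(r"^package:(\S+)\s+installer=(\S+)", pm_output, re.M)}


def parse_device_admins(dumpsys: str) -> list[str]:
    """Return 'pkg/class' components listed under 'Enabled Device Admins'."""
    admins, in_section = [], False
    for line in dumpsys.splitlines():
        if "Enabled Device Admins" in line:
            in_section = True
            continue
        if in_section and line.strip() and not line.startswith("   "):
            break  # reached the next top-level section
        m = re.match(r"^\s{4}([\w.]+/[\w.$]+):?\s*$", line)
        if in_section and m:
            admins.append(m.group(1))
    return admins


def triage(accessibility: str, default_sms: str, pm_output: str, dumpsys: str) -> list[Finding]:
    """Flag non-allowlisted holders of the three privileges a banking trojan abuses."""
    installers = parse_installers(pm_output)
    findings = []
    for pkg, cls in parse_accessibility_services(accessibility):
        if pkg in KNOWN_ACCESSIBILITY_PKGS:
            continue
        sideloaded = installers.get(pkg, "null") == "null"
        findings.append(Finding("high" if sideloaded else "medium", pkg,
                                f"accessibility service {cls} enabled"
                                + (" (sideloaded package)" if sideloaded else "")))
    if default_sms not in KNOWN_SMS_PKGS:
        findings.append(Finding("high", default_sms,
                                "is the default SMS app (can read and alter all SMS)"))
    for comp in parse_device_admins(dumpsys):
        pkg = comp.split("/", 1)[0]
        if pkg not in KNOWN_ADMIN_PKGS:
            findings.append(Finding("medium", pkg, f"device admin {comp} enabled (resists uninstall)"))
    return findings


def suspect_packages(findings: list[Finding]) -> list[str]:
    """Packages with at least one high-severity finding, for pulling the APK next."""
    return sorted({f.package for f in findings if f.severity == "high"})


if __name__ == "__main__":
    for f in triage(SAMPLE_ACCESSIBILITY, SAMPLE_DEFAULT_SMS, SAMPLE_PACKAGES, SAMPLE_DEVICE_POLICY):
        print(f"[{f.severity}] {f.package}: {f.reason}")
```

On the constructed sample the script reports the hypothetical `com.chrome.update.helper` three times: as a sideloaded Accessibility Service holder, as the default SMS app, and as a Device Admin. On a real device, feed it the actual command output and pull the APK of each package returned by `suspect_packages` with `adb shell pm path <pkg>` for analysis before removing the admin and uninstalling.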

Together, these capabilities make the malware a significant threat, capable of prolonged surveillance, data theft, and full remote control of an infected device. Online banking users and cryptocurrency holders should therefore install apps only from official stores, refuse Accessibility Service requests from unexpected apps, and treat any "back up your seed phrase now" prompt as suspect.
