Crocodilus Android banking trojan expands globally

June 4, 2025
Crocodilus Android Banking Trojan

The Crocodilus Android banking trojan has rapidly evolved into a formidable global threat. Initially discovered in Turkey, it has expanded its reach across continents, now targeting users in Europe, South America, North America, Asia, and Africa.

Cybersecurity professionals are increasingly alarmed by its advanced techniques and wide-scale deployment.


Crocodilus has become a global threat, having been used in numerous operations across multiple countries.


Crocodilus has been detected in over 40 countries, including major economies such as the United States, the United Kingdom, Canada, Germany, Brazil, Russia, and China. Its rapid spread indicates a well-coordinated and evolving campaign, taking advantage of Android users worldwide.

Technical Details

This banking trojan is typically distributed via malicious ads and fake applications that impersonate legitimate services. Once installed, it uses the following advanced tactics:

  • Obfuscation and Masquerading: Disguises itself as legitimate apps using obfuscated APKs.
  • Overlay Attacks: Displays fake login screens to steal banking credentials.
  • Credential Theft: Scrapes credentials from input fields and password stores.
  • Contact Hijacking: Exploits contact lists to distribute phishing links and social engineering messages.
  • Dropper Techniques: Installs additional malicious payloads after gaining initial access.

New Capabilities

Recent variants have introduced more sophisticated features, including:

MITRE ATT&CK Mapping

Crocodilus leverages multiple techniques outlined by MITRE ATT&CK:

  • T1566.002 – Spearphishing Link
  • T1036 – Masquerading
  • T1027 / T1446 – Obfuscation
  • T1555 – Credentials from Password Stores
  • T1078 – Valid Accounts
  • T1411 – Input Capture
  • T1407 – Execute Malicious Apps

Indicators of Compromise (IOCs)

Domains:

  • rentvillcr[.]homes
  • rentvillcr[.]online

SHA256 Hashes:

  • 6d55d90d021b0980528f56d040e78fa7b85a96f5c244e23f330f24c8e80c1cb2
  • fb046b7d0e385ba7ad15b766086cd48b4b099e612d8dd0a460da2385dd31e09e
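As an added, defender-side example that is not part of the original post: a small Python IOC matcher that refangs the domains listed above, flags DNS queries to them (including subdomains, but not lookalike names that merely end in the same string) and checks whether a file's bytes hash to one of the published SHA256 values. The dnsmasq-style log lines are constructed for illustration.

```python
import hashlib
import re

# IOCs as published in the post above (domains kept defanged).
CROCODILUS_DOMAINS = {"rentvillcr[.]homes", "rentvillcr[.]online"}
CROCODILUS_SHA256 = {
    "6d55d90d021b0980528f56d040e78fa7b85a96f5c244e23f330f24c8e80c1cb2",
    "fb046b7d0e385ba7ad15b766086cd48b4b099e612d8dd0a460da2385dd31e09e",
}

def refang(indicator: str) -> str:
    """Turn a defanged indicator ('example[.]com', 'hxxp://') back into a matchable form."""
    return indicator.strip().lower().replace("[.]", ".").replace("hxxp", "http")

REFANGED_DOMAINS = {refang(d) for d in CROCODILUS_DOMAINS}

def domain_matches(hostname: str) -> bool:
    """True if hostname is an IOC domain or a subdomain of one (lookalikes do not match)."""
    host = refang(hostname).rstrip(".")
    return any(host == d or host.endswith("." + d) for d in REFANGED_DOMAINS)

# Matches the queried name in dnsmasq-style "query[A] <name> from <client>" lines.
_QUERY_RE = re.compile(r"query\[[A-Z]+\]\s+(\S+)")

def scan_dns_log(lines) -> list:
    """Return (line_number, hostname) for every query that resolves an IOC domain."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = _QUERY_RE.search(line)
        if m and domain_matches(m.group(1)):
            hits.append((n, m.group(1)))
    return hits

def is_known_sample(data: bytes) -> bool:
    """True if the APK bytes hash to one of the published Crocodilus samples."""
    return hashlib.sha256(data).hexdigest() in CROCODILUS_SHA256

# Constructed DNS log lines for illustration (not taken from the post).
SAMPLE_DNS_LOG = [
    "Jun  4 10:01:02 dnsmasq[1]: query[A] play.google.com from 10.0.0.12",
    "Jun  4 10:01:09 dnsmasq[1]: query[A] cdn.rentvillcr.online from 10.0.0.12",
    "Jun  4 10:01:15 dnsmasq[1]: query[A] rentvillcr.homes from 10.0.0.31",
    "Jun  4 10:01:20 dnsmasq[1]: query[A] notrentvillcr.homes from 10.0.0.31",
]
```

Running `scan_dns_log(SAMPLE_DNS_LOG)` flags lines 2 and 3 only; the lookalike on line 4 is correctly ignored.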

Recommendations

  • Avoid downloading apps from untrusted sources.
  • Use endpoint protection solutions for Android devices.
  • Educate users about phishing and fake applications.

Crocodilus represents a growing threat in the Android malware landscape. Its ability to adapt and expand globally underscores the importance of proactive mobile security measures. Organisations and users must remain vigilant and keep up to date with the latest threat intelligence.
