A previously unknown Android malware family, dubbed “Crocodilus,” has been identified by cybersecurity researchers at ThreatFabric.
This sophisticated mobile banking Trojan is engineered to gain remote access to Android devices, enabling threat actors to execute fraudulent activities undetected.
Crocodilus represents a significant evolution in mobile malware, incorporating advanced techniques such as black screen overlays, accessibility logging, and remote control capabilities.
Capabilities and Modus Operandi
Crocodilus is equipped with modern features typical of advanced banking Trojans, including overlay attacks, keylogging, and remote access functionality.

It bypasses Android 13+ restrictions during installation using a proprietary dropper and requests Accessibility Service privileges once installed.
Upon activation, the malware connects to its command-and-control (C2) server to receive instructions for targeting applications and deploying overlays.
These overlays are designed to intercept user credentials by mimicking legitimate app interfaces.
One of its standout features is its ability to log accessibility events comprehensively, capturing all text changes on the victim’s screen.
This capability extends beyond traditional keylogging, allowing Crocodilus to harvest sensitive data such as OTP codes from applications like Google Authenticator.
Using commands like “TG32XAZADG,” the malware captures screen content and sends it to the C2 server, enabling timely theft of authentication codes for unauthorized transactions.
To ensure stealth, Crocodilus employs a black screen overlay that obscures its activities while muting device sounds.
This makes fraudulent operations invisible to victims, further enhancing its effectiveness as a remote access tool.
Links to Known Threat Actors
Initial analysis suggests potential ties between Crocodilus and a known threat actor referred to as “sybra.”
The malware contains tags such as “sybupdate,” which align with previous operations involving Ermac forks like MetaDroid and other mobile malware strains such as Hook and Octo.
However, researchers caution that sybra may be testing Crocodilus as a new product rather than being directly involved in its development.
Debug messages within the source code indicate that the developers are Turkish-speaking, adding another layer of intrigue to its origins.

Crocodilus also employs sophisticated social engineering techniques targeting cryptocurrency wallets.
For example, victims are prompted to back up their wallet keys under the guise of avoiding app resets.
According to the report, this trick leads users to reveal their seed phrases, which the malware captures using accessibility logging.
With this information, attackers can seize control of victims’ wallets and drain funds entirely.
Although initial campaigns have targeted banks in Spain and Turkey alongside cryptocurrency wallets, researchers anticipate that Crocodilus will expand globally as it evolves.
Its emergence underscores the growing sophistication of mobile malware threats and highlights the inadequacy of basic detection methods in combating such attacks.
Financial institutions are urged to adopt layered security measures that include behavioral analysis and device risk assessments to mitigate risks posed by advanced threats like Crocodilus.
As this Trojan continues to develop, it serves as a stark reminder of the need for vigilance in securing sensitive data against increasingly capable adversaries.