
Crocodilus: The New Android Trojan Targeting Banking and Crypto Credentials

Cybersecurity experts have identified a new Android malware named Crocodilus, which exploits accessibility features to steal banking and cryptocurrency credentials. Initially discovered in Spain and Turkey, this sophisticated trojan employs advanced techniques such as overlay phishing and remote control to take full control of victims' devices.


Key Takeaways

  • Crocodilus targets banking and cryptocurrency apps, primarily in Spain and Turkey.

  • It uses social engineering tactics to trick users into revealing sensitive information.

  • The malware can bypass Android 13+ security features and operates stealthily.

Overview of Crocodilus Malware

Crocodilus is categorized as a mobile banking trojan that has emerged as a significant threat due to its advanced capabilities. Unlike previous malware variants, Crocodilus is not a mere clone but a fully developed threat that integrates sophisticated features such as:

  • Overlay Attacks: Displays fake login screens over legitimate apps to capture user credentials.

  • Accessibility Exploitation: Utilizes Android's accessibility services to monitor user actions and capture sensitive data.

  • Remote Access: Allows attackers to control the device remotely, enabling them to execute commands and manipulate the device without the user's knowledge.

How Crocodilus Operates

The malware is distributed through a proprietary dropper that circumvents Android's security measures. Once installed, it prompts users to enable accessibility services, which grants it extensive permissions to monitor and control the device. Key operational features include:

  1. Credential Theft: Crocodilus injects fake overlays into banking and cryptocurrency applications to capture login credentials and sensitive information.

  2. Seed Phrase Harvesting: It tricks users into revealing their cryptocurrency wallet seed phrases by displaying deceptive messages urging them to back up their keys.

  3. Data Logging: The malware logs all accessibility events, capturing inputs from users, including OTP codes from authentication apps like Google Authenticator.

Targeted Applications

Crocodilus primarily targets:

  • Cryptocurrency Wallets: Such as Trust Wallet, MetaMask, and Exodus.

  • Banking Apps: Including various financial institutions in Spain and Turkey.

  • Two-Factor Authentication Apps: Like Google Authenticator and Authy.

Evasion Techniques

Crocodilus employs several techniques to evade detection and maintain persistence on infected devices:

  • Black Screen Overlay: This feature allows the malware to hide its activities by displaying a black screen while muting device sounds, making it difficult for users to notice any suspicious actions.

  • Dynamic Command Execution: The malware can execute a wide range of commands, including sending SMS messages, retrieving contact lists, and even taking screenshots of the device's screen.

Recommendations for Users

To protect against Crocodilus and similar threats, users should adopt the following practices:

  • Avoid Unofficial App Stores: Download apps only from trusted sources like Google Play.

  • Be Cautious with Accessibility Permissions: Only enable accessibility services for trusted applications.

  • Keep Software Updated: Regularly update Android and installed applications to patch vulnerabilities.

  • Use Reliable Security Software: Install antivirus applications that can detect and mitigate malware threats.
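The second recommendation above is easiest to follow when you can actually see which accessibility services are switched on. The POSIX shell helper below is an added example written for this page; it is not code from the article or from any of its sources. It assumes the value that the real Android setting `enabled_accessibility_services` returns through `adb shell settings get secure enabled_accessibility_services` (a colon-separated list of `package/ServiceClass` entries, or `null`), a constructed sample list, and a placeholder package name that is not an indicator from the article. Any accessibility-abusing trojan such as Crocodilus has to appear in this list to do its work, so an entry that is not on your allowlist is worth a closer look.

```shell
#!/bin/sh
# Added example (not from the article or its sources): audit which accessibility
# services are enabled on an Android device and flag any that are not on a
# known-good allowlist.
#
# On a real device the raw value comes from (this is a real Android setting):
#   adb shell settings get secure enabled_accessibility_services
# It is a colon-separated list of "package/ServiceClass" entries, or "null".

# Allowlist of services the operator trusts. Assumption: TalkBack is the only
# accessibility service expected on this fleet; adjust per environment.
ALLOWLIST='com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService
com.android.talkback/com.google.android.marvin.talkback.TalkBackService'

# audit_services LIST
#   Prints every enabled service that is not on the allowlist, one per line.
#   Returns 0 when all enabled services are allowlisted (or none are enabled),
#   1 when at least one unknown service is enabled.
audit_services() {
    list=$1
    status=0
    # `settings get` prints "null" when the setting has never been written
    if [ -z "$list" ] || [ "$list" = "null" ]; then
        return 0
    fi
    old_ifs=$IFS
    IFS=':'
    for entry in $list; do
        [ -z "$entry" ] && continue
        # -x: whole-line match, -F: literal string (package names contain dots)
        if ! printf '%s\n' "$ALLOWLIST" | grep -qxF -- "$entry"; then
            printf '%s\n' "$entry"
            status=1
        fi
    done
    IFS=$old_ifs
    return $status
}

# audit_device
#   Reads the live value over adb (if adb is installed) and audits it.
#   Returns 2 when adb is unavailable so callers can tell "no device" from "clean".
audit_device() {
    command -v adb >/dev/null 2>&1 || { echo "adb not found in PATH" >&2; return 2; }
    audit_services "$(adb shell settings get secure enabled_accessibility_services | tr -d '\r')"
}

# Constructed sample (not captured from a real device): TalkBack plus a second
# service registered by a sideloaded app. The package name is a placeholder,
# not an indicator from the article.
SAMPLE='com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:com.example.fakeupdate/com.example.fakeupdate.SvcA11y'

if audit_services "$SAMPLE"; then
    echo "no unexpected accessibility services"
else
    echo "unexpected accessibility service(s) listed above"
fi
```

Against the constructed sample the script prints only the `com.example.fakeupdate` entry and exits with status 1; on a connected device, `audit_device` does the same for the live value, and the distinct exit codes (0 clean, 1 unknown service, 2 no adb) make it usable from a fleet or MDM script.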

The emergence of Crocodilus marks a new era in mobile malware sophistication, particularly targeting high-value assets such as banking and cryptocurrency credentials. Its advanced techniques and social engineering tactics pose a significant risk to users, necessitating heightened awareness and proactive security measures to safeguard digital assets.

As cybercriminals continue to adapt their strategies, awareness and education remain crucial in combating these threats. Cybersecurity is critical. BetterWorld Technology offers cutting-edge solutions to combat evolving threats while driving innovation. Protect your business with confidence—contact us today for a consultation!

Sources

  • New Android Trojan Crocodilus Abuses Accessibility to Steal Banking and Crypto Credentials, The Hacker News.

  • A New Android Malware Remotely Control Your Android Devices, CybersecurityNews.

  • The New Malware That Drains Crypto Wallets, The Cryptonomist.

  • Experts Warn of the New Sophisticated Crocodilus Mobile Banking Trojan, Security Affairs.

  • New Crocodilus malware steals Android users’ crypto wallet keys, BleepingComputer.
