
Crocodilus: An Advanced Android Malware Takes Remote Control of Your Banking Apps
A new Android malware known as Crocodilus has emerged and is causing a stir in the world of cybersecurity.
In a rush? Here are the quick facts:
- Crocodilus is a new Android malware targeting banks and cryptocurrency wallets.
- It uses overlay attacks, keylogging, and remote access to steal user data.
- The malware is linked to a Turkish-speaking developer based on source code analysis.
- Crocodilus manipulates victims with fake wallet backup prompts to steal seed phrases.
Unlike other mobile banking threats such as Anatsa and Octo that evolved gradually, Crocodilus is a highly sophisticated threat from the start. This malware was discovered by researchers from ThreatFabric while doing their routine checks, and they described it as a significant step forward in mobile malware.
The researchers say that Crocodilus functions as a “device takeover” Trojan, meaning the attackers can take control of the infected Android devices from a distance.
The malware uses several techniques to harvest victims' information, including overlay attacks, keylogging, and abuse of Android's Accessibility Services to record user activity. It is used mainly to steal banking and cryptocurrency account credentials.
Once installed on a victim's phone, the malware requests permission to use the phone's Accessibility Services. It then connects to a remote server to receive further instructions and a list of apps to target.
It then displays fake login pages, known as overlays, on top of the real banking and cryptocurrency apps to capture users' login credentials. ThreatFabric reports that these attacks have so far been observed mainly in Spain and Turkey, but expects the malware to spread globally.
What sets Crocodilus apart from other malware is that it collects more than passwords. A feature called the "Accessibility Logger" captures everything displayed on the phone's screen, including OTPs from apps such as Google Authenticator.
This lets attackers obtain sensitive information, including the name and value of the OTPs needed to secure transactions.
The malware also has a "hidden mode" in which it displays a black screen overlay on the device so that the attackers' actions cannot be seen. It also mutes the device's sounds so that fraudulent transactions go unnoticed. The researchers say this makes it very difficult for victims to realize that their devices have been compromised.
Crocodilus targets not only banking apps but also cryptocurrency wallets. Once it has the login credentials, the malware uses social engineering to persuade victims to disclose their wallet's seed phrase.
For instance, a fake notification tells the user to back up the wallet key within the next 12 hours or be locked out. When the victim complies with the prompt, Crocodilus captures the seed phrase and hands the attacker the keys to the wallet, which they can then drain.
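As an added defender-side example (not code from the article or from ThreatFabric), this is the client-side hardening an Android banking or wallet app can apply against the techniques described above: FLAG_SECURE and obscured-touch filtering against overlays, the API 34 accessibility-data-sensitive flag against screen scraping of password, OTP and seed-phrase fields, and an allowlist check of enabled accessibility services. The class and method names and the allowlist contents are assumptions.

```java
import android.accessibilityservice.AccessibilityServiceInfo;
import android.app.Activity;
import android.content.Context;
import android.os.Build;
import android.view.View;
import android.view.WindowManager;
import android.view.accessibility.AccessibilityManager;
import java.util.ArrayList;
import java.util.List;

public final class OverlayHardening {
    private OverlayHardening() {}
    /** Window-level mitigations; call before any credential or seed-phrase screen is shown. */
    public static void hardenWindow(Activity activity) {
        // Block screenshots and screen recording of this window.
        activity.getWindow().setFlags(WindowManager.LayoutParams.FLAG_SECURE,
                WindowManager.LayoutParams.FLAG_SECURE);
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.S) {
            // Hide TYPE_APPLICATION_OVERLAY windows drawn above this activity
            // (requires android.permission.HIDE_OVERLAY_WINDOWS in the manifest).
            activity.getWindow().setHideOverlayWindows(true);
        }
    }
    /** Per-view mitigations for password, OTP and seed-phrase fields. */
    public static void hardenSensitiveView(View view) {
        // Drop touches delivered while another window (an overlay) covers this view.
        view.setFilterTouchesWhenObscured(true);
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.UPSIDE_DOWN_CAKE) {
            // API 34+: withhold this view's text from accessibility services that do
            // not declare themselves accessibility tools (a self-declared "tool" still sees it).
            view.setAccessibilityDataSensitive(View.ACCESSIBILITY_DATA_SENSITIVE_YES);
        }
    }
    /** Enabled accessibility services not on the app's allowlist (e.g. the OEM screen reader).
     *  A non-empty result is a signal to step up authentication and log the event. */
    public static List<String> unexpectedAccessibilityServices(Context ctx, List<String> allowlist) {
        List<String> suspicious = new ArrayList<>();
        AccessibilityManager am = (AccessibilityManager) ctx.getSystemService(Context.ACCESSIBILITY_SERVICE);
        if (am == null || !am.isEnabled()) return suspicious;
        for (AccessibilityServiceInfo info
                : am.getEnabledAccessibilityServiceList(AccessibilityServiceInfo.FEEDBACK_ALL_MASK)) {
            String pkg = info.getResolveInfo().serviceInfo.packageName;
            if (!allowlist.contains(pkg)) suspicious.add(pkg);
        }
        return suspicious;
    }
}
```

None of these controls stops a user from granting the accessibility permission in the first place, so the service check is a risk signal for server-side fraud controls rather than a block on its own.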
The malware's code appears to be connected to a well-known Turkish-speaking cyber group, but the link is not confirmed.
With mobile threats constantly on the rise, Crocodilus is a clear indication of how advanced such malware has become. Beyond device takeover, it is a sophisticated data-harvesting tool that works in the background, making it a threat that should be taken seriously.
Financial institutions and cryptocurrency platforms must improve their security measures to counter such sophisticated attacks.