SecurityWeek

‘Crocodilus’ Android Banking Trojan Allows Device Takeover, Data Theft

The newly identified Android banking trojan Crocodilus takes over devices, enabling overlay attacks, remote control, and keylogging.

A newly identified mobile banking trojan targeting Android users has advanced device takeover capabilities and remote-control functionality, fraud prevention firm ThreatFabric warns.

Dubbed Crocodilus, the trojan contains powerful capabilities, including remote control of the infected device, advanced data harvesting, keylogging, and support for overlay attacks. It has been observed targeting users in Spain and Turkey.

The malware is installed using a proprietary dropper that can bypass restrictions implemented in Android 13 and newer platform iterations, and requests Accessibility Services permissions, which allow it to take over the infected device.

After obtaining the necessary permissions, the threat connects to its command-and-control (C&C) server, which provides it with instructions regarding the targeted applications and overlays to be used.

Crocodilus runs continuously in the background, monitoring the launched applications and displaying overlays to steal the victim’s credentials.

The malware performs keylogging by monitoring all accessibility events to capture the elements displayed on the screen, which allows it to log every text change the user makes. The same mechanism lets it capture the content shown on screen when Google Authenticator is active.

“Crocodilus will enumerate all the elements displayed on the screen in Google Authenticator app, capture the text displayed (the name of the OTP code, as well as its value) and send these to the C&C, allowing timely theft of OTP codes for the operators,” ThreatFabric explains.
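Because the takeover described above hinges on an accessibility service being enabled, one practical triage step is to inventory which services hold that permission. The helper below is an added example, not code from the article or from ThreatFabric: it parses the value printed by `adb shell settings get secure enabled_accessibility_services` and flags services whose package is not on an allowlist. The allowlist, the sample setting string and every package name other than TalkBack are assumed or constructed.

```python
# Added example (not from the article or ThreatFabric): triage helper that parses
# Android's `enabled_accessibility_services` secure setting, as printed by
# `adb shell settings get secure enabled_accessibility_services`, and flags any
# accessibility service whose package is not on an allowlist.
# The sample string is constructed; packages other than TalkBack are placeholders.

# Packages whose accessibility services are expected on this device (assumed).
ALLOWLIST = {
    "com.google.android.marvin.talkback",  # Android TalkBack screen reader
}


def parse_services(setting_value: str) -> list[tuple[str, str]]:
    """Split the colon-separated setting into (package, service_class) pairs.

    Android stores each entry as 'package/ServiceClass'; a class that starts
    with '.' is shorthand for 'package.ServiceClass' and is expanded here.
    `settings get` prints 'null' when the setting has never been written.
    """
    if not setting_value or setting_value.strip() == "null":
        return []
    pairs = []
    for entry in setting_value.strip().split(":"):
        if not entry:
            continue
        package, _, cls = entry.partition("/")
        if cls.startswith("."):
            cls = package + cls
        pairs.append((package, cls))
    return pairs


def flag_unexpected(setting_value: str, allowlist=ALLOWLIST) -> list[str]:
    """Return fully qualified services whose package is not allowlisted."""
    return [
        f"{pkg}/{cls}"
        for pkg, cls in parse_services(setting_value)
        if pkg not in allowlist
    ]


# Constructed sample: TalkBack plus an unknown sideloaded app that holds an
# accessibility service, the permission Crocodilus relies on for device takeover.
SAMPLE = (
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:"
    "com.example.sideloaded/.AccessService"
)

if __name__ == "__main__":
    for svc in flag_unexpected(SAMPLE):
        print("review:", svc)
```

Accessibility services are a legitimate platform feature, so an unlisted entry is a lead for review rather than proof of infection.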

Courtesy of built-in remote access capabilities, the trojan allows operators to use stolen credentials and other information to take full control of the infected device and perform fraudulent transactions on the victim’s behalf.

According to ThreatFabric, the malware can display a black screen overlay and mute the sound to hide its malicious activities.

When detecting interaction with a cryptocurrency wallet, after harvesting the password/PIN, the malware displays a message urging the victim to back up their wallet key. This social engineering trick enables the malware’s operators to harvest the wallet key and drain the funds.

Crocodilus, ThreatFabric says, is likely operated by a threat actor named ‘sybra’, which was previously associated with the MetaDroid (a variant of Ermac), Hook, and Octo Android malware.

However, it appears to have been created by a different threat actor, likely a Turkish-speaking developer, based on debug messages found in the code.

“Android users are automatically protected against known versions of this malware by Google Play Protect, which is on by default on Android devices with Google Play Services. Google Play Protect can warn users or block apps known to exhibit malicious behavior, even when those apps come from sources outside of Play,” a Google spokesperson said in an emailed comment.

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
