A New and Sophisticated Cyber Threat
Cybersecurity researchers have uncovered a new and highly sophisticated Android banking malware named Crocodilus. Unlike many traditional banking trojans, Crocodilus is not just a clone of existing malware but an advanced, fully developed cyber threat. This malware employs modern techniques like remote control, black screen overlays, and accessibility logging to steal sensitive user data and execute fraudulent transactions.
Currently, Crocodilus is primarily targeting users in Spain and Turkey, and analysis of its source code indicates that its author is a Turkish-speaking developer.
How Crocodilus Infiltrates Devices
The malware disguises itself as Google Chrome, using a package name (quizzical.washbowl.calamity) that helps it bypass Android 13+ security restrictions. Once installed, it immediately requests access to Android’s accessibility services, which allows it to monitor user activity and take over the device. After gaining these permissions, Crocodilus connects to a remote server, from which it receives commands and a list of financial applications to target.
Targeting Banking Apps and Cryptocurrency Wallets
Crocodilus has been observed launching HTML overlays to steal credentials from banking applications. However, its capabilities extend beyond banking apps: it can also target cryptocurrency wallets. Instead of simply tricking users into entering their credentials on a fake login page, Crocodilus displays an urgent message, warning victims to back up their seed phrases immediately or risk losing access to their wallets.
This social engineering tactic is designed to manipulate users into exposing their sensitive seed phrases, which the malware then harvests via accessibility service abuse. Once the attackers obtain this information, they gain full control over the wallets, allowing them to drain all stored digital assets.
Stealth and Persistence Techniques
Crocodilus operates continuously in the background, monitoring app launches and displaying overlays to steal credentials in real time. It can also capture everything displayed on the screen, including Google Authenticator codes, making it even more dangerous.
To avoid detection, the malware can:
- Enable a black screen overlay to make it seem like the device is turned off.
- Mute sounds to prevent suspicious activity from being noticed.
- Remove itself from the device remotely to cover its tracks.
Comprehensive Cybercriminal Toolkit
Crocodilus boasts a wide range of malicious functionalities, including:
- Launching specific applications remotely.
- Sending SMS messages to selected or all contacts.
- Retrieving contact lists and installed applications.
- Intercepting and extracting SMS messages.
- Gaining Device Admin privileges for full control.
- Updating its command-and-control (C2) server settings dynamically.
- Enabling or disabling keylogging and sound.
- Making itself the default SMS manager, allowing it to hijack incoming messages.
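The infiltration section above and the capability list both come down to a handful of privileged positions the malware occupies on the device: an enabled accessibility service under a package that impersonates Chrome, and the default SMS app role. Those positions are visible to a defender through plain adb output, so the following script, an added example that is not from ThreatFabric, The Hacker News or the malware report, triages that output against an allowlist. The adb commands named in the docstring are real; the sample strings are constructed, the service class name inside quizzical.washbowl.calamity is invented for the sample, and the allowlists are placeholders you would tailor to your own fleet. The package name quizzical.washbowl.calamity and the impersonated label "Google Chrome" come from the report; com.android.chrome is Chrome's genuine package name.

```python
"""Triage the Android settings Crocodilus is reported to abuse.

Parses the text printed by these adb commands (run them against a device;
the sample strings below are constructed, not real captures):

  adb shell settings get secure enabled_accessibility_services
  adb shell settings get secure sms_default_application   # legacy setting;
                                                          # newer builds expose
                                                          # it via the role manager
"""
from dataclasses import dataclass

# Hypothetical allowlists: packages that may legitimately hold these roles.
ACCESSIBILITY_ALLOWLIST = {"com.google.android.marvin.talkback"}
SMS_ROLE_ALLOWLIST = {"com.google.android.apps.messaging"}

# Display label -> genuine package name, used to spot impostor apps.
KNOWN_LABELS = {"Google Chrome": "com.android.chrome", "Chrome": "com.android.chrome"}


@dataclass
class Finding:
    package: str
    reason: str


def parse_accessibility_services(raw: str) -> set[str]:
    """enabled_accessibility_services is 'pkg/Service:pkg2/Service2' or 'null'."""
    raw = raw.strip()
    if not raw or raw == "null":
        return set()
    return {entry.split("/", 1)[0] for entry in raw.split(":") if entry}


def triage(accessibility_raw: str, sms_default_raw: str,
           labels: dict[str, str]) -> list[Finding]:
    """Flag non-allowlisted accessibility services, a non-allowlisted default
    SMS app, and packages whose display label belongs to another package.
    `labels` maps package name -> label as shown to the user."""
    findings: list[Finding] = []
    for pkg in sorted(parse_accessibility_services(accessibility_raw)):
        if pkg not in ACCESSIBILITY_ALLOWLIST:
            findings.append(Finding(pkg, "accessibility service enabled, package not allowlisted"))
    sms_pkg = sms_default_raw.strip()
    if sms_pkg and sms_pkg != "null" and sms_pkg not in SMS_ROLE_ALLOWLIST:
        findings.append(Finding(sms_pkg, "default SMS app, package not allowlisted"))
    for pkg, label in sorted(labels.items()):
        expected = KNOWN_LABELS.get(label)
        if expected and expected != pkg:
            findings.append(Finding(pkg, f"label {label!r} belongs to {expected}, not {pkg}"))
    return findings


# Constructed sample output: TalkBack plus the reported malware package, whose
# service class name (AccService) is made up for this sample.
SAMPLE_ACCESSIBILITY = (
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:"
    "quizzical.washbowl.calamity/quizzical.washbowl.calamity.AccService"
)
SAMPLE_SMS_DEFAULT = "quizzical.washbowl.calamity"
SAMPLE_LABELS = {
    "com.google.android.marvin.talkback": "TalkBack",
    "quizzical.washbowl.calamity": "Google Chrome",   # impostor label from the report
}


def demo() -> list[Finding]:
    """Run the triage over the constructed sample; returns three findings,
    all against quizzical.washbowl.calamity."""
    return triage(SAMPLE_ACCESSIBILITY, SAMPLE_SMS_DEFAULT, SAMPLE_LABELS)


if __name__ == "__main__":
    for f in demo():
        print(f"{f.package}: {f.reason}")
```

The label check is the part worth copying: on a real device the labels come from `aapt dump badging` or `dumpsys package`, and any package that presents a well-known brand name under an unrelated package identifier deserves the same scrutiny as an unexpected accessibility service.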
A Growing Threat in Mobile Cybercrime
Security experts from ThreatFabric warn that Crocodilus represents a significant advancement in mobile banking malware. Its early versions already include highly developed device takeover capabilities, remote control features, and black overlay attacks, features that are typically found in more mature threats.
This discovery follows a separate cybersecurity alert by Forcepoint, which recently exposed a phishing campaign using tax-themed lures to distribute the Grandoreiro banking trojan. That malware, primarily targeting Windows users in Mexico, Argentina, and Spain, spreads via obfuscated Visual Basic scripts.
What Undercode Says:
The emergence of Crocodilus highlights an alarming trend in the evolution of mobile banking malware. Unlike previous Android trojans that primarily focused on credential theft through fake login pages, Crocodilus takes cybercrime a step further by integrating advanced remote control, real-time interception, and stealth mechanisms.
1. The Shift Toward Device Takeover (DTO)
Older banking trojans relied on phishing pages to collect user credentials. However, Crocodilus doesn't just steal credentials; it takes full control of the device. This means cybercriminals no longer have to manually log in using stolen usernames and passwords; they can directly perform fraudulent transactions as if they were the legitimate user.
2. The Growing Role of Accessibility Service Exploits
By abusing Android's accessibility features, Crocodilus can:
- Log all user actions.
- Capture authentication codes.
- Extract sensitive financial information without requiring direct user interaction.
This technique allows attackers to bypass two-factor authentication (2FA), making it harder for victims to protect themselves.
3. Cryptocurrency as a Primary Target
The integration of cryptocurrency theft mechanisms is a notable shift. Instead of just targeting traditional banking apps, Crocodilus actively goes after crypto wallets, using social engineering to manipulate users into revealing their seed phrases. This method bypasses standard security measures, giving cybercriminals full control over digital assets.
4. The Danger of Android 13+ Bypass Techniques
Google has been tightening security restrictions with each Android update. However, Crocodilus demonstrates that malware developers are already finding new ways to bypass these protections. By masquerading as a legitimate app and using clever dropper techniques, it manages to evade security checks.
5. Implications for Cybersecurity Defense
- Users should be extremely cautious when granting accessibility permissions; this is now the most exploited Android security vulnerability.
- Financial institutions need to implement better fraud detection systems that monitor for unusual transactions performed via accessibility services.
- Android security updates must focus on tightening accessibility service controls, as this remains a major entry point for malware.
The sophistication of Crocodilus indicates that mobile banking malware is evolving rapidly. This means cybersecurity professionals, financial institutions, and users must all stay vigilant and proactive in defending against such threats.
Fact Checker Results:
- Confirmed: Crocodilus actively targets users in Spain and Turkey, with evidence pointing to a Turkish-speaking author.
- Verified: The malware bypasses Android 13+ restrictions using an app dropper disguised as Google Chrome.
- Validated: Crocodilus can steal crypto wallet seed phrases, confirming its threat to cryptocurrency users.
References:
Reported By: https://thehackernews.com/2025/03/new-android-trojan-crocodilus-abuses.html