
Cybersecurity researchers have discovered a new Android banking malware called Crocodilus, which was primarily designed to target users in Spain and Turkey.
“Crocodilus enters the scene not as a simple clone, but as a full-scale threat from the start, with modern techniques like remote control, black screen overlays and advanced data harvesting with accessibility logging,” ThreatFabric said.
Like other banking Trojans of this type, the malware is designed to facilitate device takeover (DTO) and ultimately carry out fraudulent transactions. Analysis of the source code and debug messages indicates that the malware author is Turkish-speaking.

The Crocodilus artifact analyzed by the Dutch mobile security company masquerades as Google Chrome (package name “Quizzical.washbowl.calamity”) and acts as a dropper capable of bypassing the restrictions introduced in Android 13 and later.
Once installed and launched, the app requests permission to use the Android Accessibility Service. It then establishes contact with a remote server and requests further instructions, a list of targeted financial applications, and the HTML overlays used to steal credentials.
Besides serving fake login pages to capture credentials, Crocodilus can also target cryptocurrency wallets with an overlay that warns victims they are at risk of losing access to their wallet unless they back up their seed phrase within 12.

This social engineering trick guides the victim to navigate to their seed phrase, which is then harvested through abuse of the accessibility services, giving the threat actor complete control of the wallet and allowing its assets to be drained.
“It runs continuously, monitors app launches, displays overlays and intercepts credentials,” ThreatFabric said. “The malware monitors all accessibility events and captures all elements that appear on the screen.”
This allows the malware to record all activity performed by the victim on the screen and trigger a screen capture of the content of the Google Authenticator application.
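Because the whole chain above depends on the dropper being granted accessibility rights, one triage step a responder can take on a managed Android device is to list which packages currently hold those rights and flag any that are not expected. The following is an added example, not code from the article or from ThreatFabric: it parses the value of the `enabled_accessibility_services` secure setting (normally read with `adb shell settings get secure enabled_accessibility_services`) and reports services whose package is not on an allowlist. The sample setting string, the package `com.example.dropper` and the allowlist are constructed for illustration.

```python
"""Triage helper: flag enabled Android accessibility services not on an allowlist.

Added example, not from the article or ThreatFabric. The sample setting value
and the allowlist below are constructed; adapt the allowlist to your own fleet.
"""

# Normally obtained with:  adb shell settings get secure enabled_accessibility_services
# Entries are "package/service_class" separated by ':'. Android also accepts the
# abbreviated "/.Class" form when the class lives inside the package itself.
SAMPLE_SETTING = (
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:"
    "com.example.dropper/.AccService"  # constructed entry standing in for an unknown app
)

# Constructed allowlist: packages expected to hold accessibility rights on a managed device.
ALLOWED_PACKAGES = frozenset({
    "com.google.android.marvin.talkback",
})


def parse_enabled_services(setting: str) -> list[tuple[str, str]]:
    """Split the secure-setting value into (package, fully qualified class) pairs."""
    services = []
    for entry in setting.split(":"):
        entry = entry.strip()
        if not entry:
            continue  # empty setting or trailing separator
        if "/" not in entry:
            raise ValueError(f"malformed component name: {entry!r}")
        package, cls = entry.split("/", 1)
        if cls.startswith("."):  # expand the abbreviated class form
            cls = package + cls
        services.append((package, cls))
    return services


def find_unexpected_services(
    setting: str, allowed: frozenset[str] = ALLOWED_PACKAGES
) -> list[tuple[str, str]]:
    """Return enabled accessibility services whose package is not on the allowlist."""
    return [
        (pkg, cls)
        for pkg, cls in parse_enabled_services(setting)
        if pkg not in allowed
    ]


if __name__ == "__main__":
    for pkg, cls in find_unexpected_services(SAMPLE_SETTING):
        print(f"review: {pkg} holds accessibility rights via {cls}")
```

A package that appears here, that the user did not knowingly enable, and that also draws over other apps is worth pulling for analysis; the check is deliberately allowlist-based, since an unfamiliar accessibility service is the anomaly regardless of what it calls itself.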

Another feature of Crocodilus is its ability to display a black screen overlay that hides its malicious actions on the device and ensures the victim does not notice them.
Some of the important commands supported by the malware are listed below –
- Launch a specified application
- Remove itself from the device
- Post a push notification
- Send SMS messages to selected contacts
“The emergence of the Crocodilus mobile banking Trojan demonstrates the significant escalation in sophistication and threat level posed by modern malware,” ThreatFabric said.
“With its advanced device takeover capabilities, remote control capabilities, and the deployment of black overlay attacks from its earliest iterations, Crocodilus exhibits a level of maturity that is unusual for newly discovered threats.”
The development comes as Forcepoint revealed a campaign that uses tax-themed lures to distribute a banking Trojan to Windows users in Mexico, Argentina and Spain by way of an obfuscated Visual Basic script.