
Image: ThreatFabric
The mobile threat landscape is constantly evolving, with new and sophisticated malware strains emerging to target vulnerable Android devices. ThreatFabric’s recent report sheds light on one such threat: a new mobile banking Trojan named Crocodilus. This malware is not just another clone; it’s a “fully-fledged threat from the outset,” equipped with a range of advanced techniques designed to steal credentials and take control of devices.
Analysts uncovered a completely new malware family, dubbed “Crocodilus” based on references left by its developers, who call it “Crocodile”. Despite its novelty, Crocodilus already has the features of a modern banking Trojan, including overlay attacks, keylogging, remote access, and hidden remote control capabilities.
Crocodilus’s modus operandi is consistent with modern Device Takeover banking Trojans. The initial installation is facilitated by a proprietary dropper that bypasses Android 13+ restrictions. Once installed, Crocodilus prompts the user to enable Accessibility Service.
Upon gaining the necessary permissions, the malware connects to its command-and-control (C2) server to receive instructions, such as target application lists and overlays. Crocodilus continuously monitors app launches and displays overlays to intercept user credentials.
Crocodilus employs several methods to steal sensitive information. While it includes a keylogger, ThreatFabric’s report accurately describes it as an “Accessibility Logger.” This means the malware monitors all Accessibility events and captures everything displayed on the screen, effectively logging all text changes made by the victim.
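The two capabilities described above, an abused Accessibility Service and credential-stealing overlays, both leave traces in device settings that an analyst can pull over `adb`. The following triage helper is an added example, not code from ThreatFabric or the report: it parses the `enabled_accessibility_services` secure setting and per-package `appops` output for `SYSTEM_ALERT_WINDOW`, and flags any non-allowlisted accessibility service, noting whether that package can also draw over other apps. The allowlist entries, package names and sample output are constructed assumptions.

```python
"""Triage helper: flags non-allowlisted Accessibility services and overlay capability."""
import re
from dataclasses import dataclass, field

# Assumption: the analyst keeps an allowlist of legitimate accessibility services.
# These package names are illustrative and not taken from the report.
DEFAULT_ALLOWLIST = frozenset({"com.google.android.marvin.talkback", "com.android.talkback"})

@dataclass
class Finding:
    package: str
    service: str
    overlay_allowed: bool
    reasons: list = field(default_factory=list)

def parse_enabled_services(raw: str) -> list:
    """Parse `adb shell settings get secure enabled_accessibility_services`.
    The value is a colon-separated list of package/serviceclass entries;
    'null' or an empty string means no service is enabled."""
    raw = raw.strip()
    if not raw or raw == "null":
        return []
    pairs = []
    for entry in raw.split(":"):
        pkg, _, cls = entry.partition("/")
        if pkg:
            pairs.append((pkg, cls))
    return pairs

def overlay_allowed(appops_output: str) -> bool:
    """Parse `adb shell appops get <pkg> SYSTEM_ALERT_WINDOW`; only an explicit 'allow' counts."""
    m = re.search(r"SYSTEM_ALERT_WINDOW:\s*(\w+)", appops_output)
    return bool(m) and m.group(1).lower() == "allow"

def triage(enabled_raw: str, appops_by_pkg: dict, allowlist=DEFAULT_ALLOWLIST) -> list:
    """Return a Finding for every enabled accessibility service outside the allowlist."""
    findings = []
    for pkg, cls in parse_enabled_services(enabled_raw):
        if pkg in allowlist:
            continue
        can_overlay = overlay_allowed(appops_by_pkg.get(pkg, ""))
        reasons = ["non-allowlisted accessibility service enabled"]
        if can_overlay:
            reasons.append("package may also draw over other apps (overlay capable)")
        findings.append(Finding(pkg, cls, can_overlay, reasons))
    return findings

# Constructed sample device output (not captured from a real infection).
SAMPLE_ENABLED = "com.google.android.marvin.talkback/.TalkBackService:com.example.unknownupdater/.AccService"
SAMPLE_APPOPS = {"com.example.unknownupdater": "SYSTEM_ALERT_WINDOW: allow; time=+3m12s ago",
                 "com.google.android.marvin.talkback": "No operations."}
```

Calling `triage(SAMPLE_ENABLED, SAMPLE_APPOPS)` on the constructed sample yields one finding, for the unknown package that has both an enabled accessibility service and overlay permission.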
The malware’s capabilities extend beyond simple keylogging. It can execute remote access commands, including one (“TG32XAZADG”) that triggers a screen capture of the Google Authenticator application. By enumerating all elements on the screen, Crocodilus can capture both the names and values of OTP codes, enabling the theft of one-time passwords.
With stolen personally identifiable information (PII) and credentials, attackers can achieve full control of a victim’s device using built-in remote access features. Crocodilus can even make this remote access “hidden” by displaying a black screen overlay, effectively concealing the actions performed by the malware. To further ensure fraudulent activities remain unnoticed, the malware also mutes the device’s sound.
Initial Crocodilus samples contained the tag “sybupdate,” potentially linking it to a known threat actor in the mobile threat landscape, “sybra.” Sybra has been observed operating the Ermac fork “MetaDroid” and using Hook and Octo mobile malware. However, the report suggests that “sybra” might be a customer testing a new product rather than the developer of Crocodilus.
Analysis of the malware’s source code reveals debug messages in Turkish, indicating that the developer(s) are Turkish-speaking.
Crocodilus employs a social engineering trick to deceive victims of cryptocurrency wallet attacks. After a victim enters their password/PIN, an overlay prompts them to “Back up your wallet key in the settings within 12 hours. Otherwise, the app will be reset, and you may lose access to your wallet.” This message coerces the victim into navigating to their seed phrase (wallet key), which Crocodilus then harvests using its Accessibility Logger. This allows attackers to seize full control of the wallet and drain its contents.
Its advanced device takeover capabilities, remote control features, and use of black overlay attacks from its early stages demonstrate a level of maturity rarely seen in new threats. Crocodilus targets banks in Spain and Turkey, as well as cryptocurrency wallets, indicating its focus on high-value assets.