A new Android banking malware called Crocodilus has emerged, demonstrating advanced capabilities for targeting financial institutions and cryptocurrency wallets, primarily in Spain and Turkey. The malware uses a specialized dropper designed to circumvent Android 13+ runtime permission restrictions and security measures, marking a significant evolution in mobile banking threats during a 260 percent surge in banking malware attacks observed in 2024.
Once installed, Crocodilus prompts the user to enable Accessibility Services and then establishes a persistent connection to its command-and-control server. The technique mirrors methods seen in other recent threats such as the DocSwap malware, which similarly abused Android’s Accessibility features. The malware operates as a device-takeover Trojan with a comprehensive Remote Access Trojan (RAT) module that enables complete device control.
A distinctive feature of Crocodilus is its “hidden” mode, which deploys a full-screen black overlay and mutes device audio to conceal unauthorized operations. The malware’s Accessibility Logger capability monitors all UI elements and events, including text inputs, button labels, and dynamic content such as one-time passwords from authentication apps.
The malware specifically targets cryptocurrency wallet users through social engineering, following patterns seen in recent sophisticated crypto-targeting schemes that have resulted in multi-million-dollar losses. It displays a deceptive prompt warning users to back up their wallet key within 12 hours to avoid losing access. The manipulation leads victims to expose their seed phrases, which the malware captures through its Accessibility Logger feature.
Technical analysis has revealed potential connections to the “sybra” threat actor, previously associated with the Ermac fork “MetaDroid” and with campaigns involving the Hook and Octo malware. Debug strings discovered in the malware’s source code contain Turkish-language elements, suggesting possible Turkish-speaking developers.
While current campaigns focus on financial institutions in Spain and Turkey, along with major cryptocurrency wallets, security researchers anticipate broader targeting as the malware’s infrastructure expands. The threat shows similarities to the BRATA banking Trojan, which initially targeted specific regions before expanding globally. Recommended mitigation strategies include behavioral analysis of app interactions, runtime device integrity verification, and monitoring of network traffic to command-and-control endpoints.
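The mitigations listed above can be turned into a small triage check. The script below is an added example written for this article, not code from the reporting vendors or from any analysis of the malware itself. It assumes two inputs a responder can obtain from a device: the raw value of the Android secure setting `enabled_accessibility_services` (readable with `adb shell settings get secure enabled_accessibility_services`, a colon-separated list of `package/service` entries), and constructed per-app facts and outbound-connection records. The package names, hosts and timestamps are made up; the allowlist is a hypothetical organisation policy. It flags apps that combine an enabled accessibility service with overlay capability or a sideloaded install, and reports regular check-ins to a single host as possible command-and-control beaconing.

```python
"""Added example: triage of accessibility abuse and beaconing on an Android device.
All sample data below is constructed for illustration."""
from dataclasses import dataclass
from statistics import mean, pstdev
from typing import Optional

# Hypothetical allowlist: accessibility services the organisation expects to see.
KNOWN_GOOD_ACCESSIBILITY = {
    "com.google.android.marvin.talkback",  # the TalkBack screen reader
}


@dataclass
class AppFacts:
    package: str
    installer: Optional[str]   # None means no store installer, i.e. sideloaded
    permissions: set


def parse_enabled_services(setting_value: str):
    """Split the enabled_accessibility_services value into (package, service) pairs."""
    pairs = []
    for entry in setting_value.split(":"):
        entry = entry.strip()
        if not entry or "/" not in entry:
            continue
        pkg, svc = entry.split("/", 1)
        if svc.startswith("."):      # a leading '.' means the class is relative to the package
            svc = pkg + svc
        pairs.append((pkg, svc))
    return pairs


def suspicious_accessibility_apps(setting_value, apps, allowlist=KNOWN_GOOD_ACCESSIBILITY):
    """Flag non-allowlisted apps with an enabled accessibility service and note
    whether they can also draw overlays or were sideloaded."""
    by_pkg = {a.package: a for a in apps}
    findings = []
    for pkg, svc in parse_enabled_services(setting_value):
        if pkg in allowlist:
            continue
        reasons = ["accessibility service enabled: " + svc]
        facts = by_pkg.get(pkg)
        if facts is not None:
            if "android.permission.SYSTEM_ALERT_WINDOW" in facts.permissions:
                reasons.append("can draw overlays")
            if facts.installer is None:
                reasons.append("sideloaded")
        findings.append((pkg, reasons))
    return findings


def beaconing_hosts(records, min_count=4, max_rel_jitter=0.2):
    """Return (package, host) pairs whose connection intervals are regular enough
    to look like periodic check-ins. records: (epoch_seconds, package, host)."""
    by_key = {}
    for ts, pkg, host in sorted(records):
        by_key.setdefault((pkg, host), []).append(ts)
    hits = []
    for key, times in by_key.items():
        if len(times) < min_count:
            continue
        gaps = [b - a for a, b in zip(times, times[1:])]
        m = mean(gaps)
        if m > 0 and pstdev(gaps) / m <= max_rel_jitter:
            hits.append(key)
    return hits


# Constructed sample inputs (hypothetical packages, TEST-NET addresses).
SAMPLE_SETTING = ("com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:"
                  "com.example.fakebank/.AccService")
SAMPLE_APPS = [
    AppFacts("com.google.android.marvin.talkback", "com.android.vending", set()),
    AppFacts("com.example.fakebank", None,
             {"android.permission.SYSTEM_ALERT_WINDOW", "android.permission.INTERNET"}),
]
SAMPLE_CONNECTIONS = [
    (1000, "com.example.fakebank", "203.0.113.10"),
    (1060, "com.example.fakebank", "203.0.113.10"),
    (1121, "com.example.fakebank", "203.0.113.10"),
    (1180, "com.example.fakebank", "203.0.113.10"),
    (1242, "com.example.fakebank", "203.0.113.10"),
    (1005, "com.example.news", "198.51.100.7"),
    (1400, "com.example.news", "198.51.100.7"),
    (1430, "com.example.news", "198.51.100.7"),
    (2900, "com.example.news", "198.51.100.7"),
]


def triage(setting_value, apps, records):
    """Combine both checks: a dict of flagged package -> list of reasons."""
    flagged = dict(suspicious_accessibility_apps(setting_value, apps))
    for pkg, host in beaconing_hosts(records):
        if pkg in flagged:
            flagged[pkg].append("regular check-ins to " + host)
    return flagged


if __name__ == "__main__":
    for pkg, reasons in triage(SAMPLE_SETTING, SAMPLE_APPS, SAMPLE_CONNECTIONS).items():
        print(pkg, "->", "; ".join(reasons))
```

The beaconing test is deliberately simple (coefficient of variation of inter-connection gaps); on real traffic it should be fed per-app flow records over a longer window and tuned against a baseline of the device's legitimate apps, since sync clients also poll on a schedule. The accessibility check is the higher-signal one: a sideloaded app that both holds an enabled accessibility service and can draw overlays matches the capability set described in the article.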
Sources: Cybersecurity News, The Hacker News, Security Affairs