Cybersecurity researchers have discovered a new Android banking malware called Crocodilus that is mainly designed to target users in Spain and Türkiye.
"Crocodilus enters the scene not as a simple clone, but as a fully-fledged threat from the outset, equipped with modern techniques such as remote control, black screen overlays, and advanced data harvesting via accessibility logging," ThreatFabric said.
Like other banking trojans of its kind, the malware is designed to facilitate device takeover (DTO) and ultimately carry out fraudulent transactions. Analysis of the source code and debug messages suggests that the malware author is Turkish-speaking.
The Dutch mobile security company analyzed Crocodilus artifacts masquerading as Google Chrome (package name: "quizzzical.washbowl.calamity"), which serves as a dropper capable of bypassing the Android 13+ restrictions on sideloaded apps.
Once installed and launched, the app requests access to Android's accessibility services, after which it establishes contact with a remote server to receive further instructions, including the list of financial applications to be targeted and the HTML overlays used to steal credentials.
Crocodilus is also capable of targeting cryptocurrency wallets with an overlay which, instead of serving a fake login page to capture credentials, displays a warning message urging victims to back up their seed phrase within 12 hours or risk losing access to their wallet.
This social engineering trick is nothing but a ploy by the threat actors to guide victims to navigate to their seed phrase, which is then harvested through abuse of the accessibility service, allowing the attackers to gain full control of the wallet and drain its assets.
"It runs continuously, monitoring app launches and displaying overlays to intercept credentials," ThreatFabric said. "The malware monitors all accessibility events and captures all the elements displayed on the screen."
This allows the malware to log everything shown on the screen, as well as capture the contents of the Google Authenticator application by taking screenshots.
Another feature of Crocodilus is the ability to hide its malicious activity on the device by displaying a black screen overlay, as well as muting sounds so that the activity goes unnoticed by the victim.
Some of the important features supported by the malware are listed below:
- Launch specified applications
- Self-removal from the device
- Post a push notification
- Send SMS messages to selected/all contacts
- Get the contact list
- Get the list of installed applications
- Get SMS messages
- Request Device Admin privileges
- Enable black overlay
- Update C2 server settings
- Enable/disable sound
- Enable/disable keylogging
- Make itself the default SMS manager
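The behaviours described above (an accessibility service registered by a package that impersonates Google Chrome, Device Admin privileges, and a hijacked default SMS role) all leave traces in settings that an analyst can read over `adb`. The following triage script is an added example, not code from the original article or from ThreatFabric: it parses constructed samples of `settings get secure enabled_accessibility_services`, `dumpsys device_policy`, `settings get secure sms_default_application` and `pm list packages -f -3` output, and flags a package that combines several of these signals. The allowlists (`KNOWN_A11Y`, `KNOWN_SMS`, `BRAND_PACKAGES`) and the sample output are assumptions made for the example and would need tuning for a real fleet.

```python
"""Triage adb output for Crocodilus-style accessibility / device-admin / SMS abuse.

All sample output below is CONSTRUCTED for this example; it was not captured
from an infected device. The package name is the one reported for the dropper.
"""
import re

# Constructed: `adb shell settings get secure enabled_accessibility_services`
ENABLED_A11Y = ("com.google.android.marvin.talkback/.TalkBackService:"
                "quizzzical.washbowl.calamity/.AccessService")

# Constructed excerpt of `adb shell dumpsys device_policy`
DEVICE_POLICY = """Current Device Policy Manager state:
  Enabled Device Admins (User 0, provisioningState: 0):
    quizzzical.washbowl.calamity/.DeviceAdminReceiver:
      uid=10234
"""

# Constructed: `adb shell settings get secure sms_default_application`
DEFAULT_SMS = "quizzzical.washbowl.calamity"

# Constructed: `adb shell pm list packages -f -3` (third-party packages only)
PM_LIST = """package:/data/app/~~abc==/quizzzical.washbowl.calamity-1/base.apk=quizzzical.washbowl.calamity
package:/data/app/~~def==/com.example.bank-2/base.apk=com.example.bank
"""

# Constructed package -> launcher label map (e.g. collected with `aapt dump badging`)
LABELS = {"quizzzical.washbowl.calamity": "Google Chrome",
          "com.example.bank": "Example Bank"}

# Hypothetical allowlists; tune these to the devices you actually manage.
KNOWN_A11Y = {"com.google.android.marvin.talkback", "com.android.switchaccess"}
KNOWN_SMS = {"com.google.android.apps.messaging", "com.android.messaging",
             "com.samsung.android.messaging"}
# Label (lower-cased) -> packages that legitimately ship under that brand.
BRAND_PACKAGES = {"google chrome": {"com.android.chrome", "com.chrome.beta",
                                    "com.chrome.dev", "com.chrome.canary"}}


def parse_a11y(setting):
    """Colon-separated 'pkg/Service' entries -> list of package names."""
    return [e.strip().split("/")[0] for e in setting.split(":") if e.strip()]


def parse_device_admins(dump):
    """Package names of enabled device admin receivers in a dumpsys excerpt."""
    return re.findall(r"^\s+([\w.]+)/[\w.$]+:\s*$", dump, re.M)


def parse_third_party(pm_out):
    """Package names from `pm list packages -f` lines (text after the last '=')."""
    return re.findall(r"=([\w.]+)\s*$", pm_out, re.M)


def triage(a11y, policy, default_sms, pm_out, labels):
    """Return (signal, package) pairs for each suspicious condition found."""
    findings = []
    third_party = set(parse_third_party(pm_out))
    for pkg in parse_a11y(a11y):
        if pkg not in KNOWN_A11Y:                       # unexpected accessibility service
            findings.append(("accessibility_service", pkg))
    for pkg in parse_device_admins(policy):
        if pkg in third_party:                          # sideloaded/third-party device admin
            findings.append(("device_admin", pkg))
    sms = default_sms.strip()
    if sms not in KNOWN_SMS:                            # default SMS role taken over
        findings.append(("default_sms", sms))
    for pkg, label in labels.items():
        expected = BRAND_PACKAGES.get(label.lower())
        if expected and pkg not in expected:            # label says Chrome, package does not
            findings.append(("brand_impersonation", pkg))
    return findings


def suspicious_packages(findings, threshold=2):
    """Packages that trip at least `threshold` distinct signals, sorted."""
    signals = {}
    for kind, pkg in findings:
        signals.setdefault(pkg, set()).add(kind)
    return sorted(p for p, kinds in signals.items() if len(kinds) >= threshold)


if __name__ == "__main__":
    hits = triage(ENABLED_A11Y, DEVICE_POLICY, DEFAULT_SMS, PM_LIST, LABELS)
    for kind, pkg in hits:
        print(f"{kind:22} {pkg}")
    print("likely DTO trojan:", suspicious_packages(hits))
```

A single signal (an unknown accessibility service, say) is noisy on its own because legitimate automation and assistive apps use the same API; requiring two or more independent signals on the same package is what makes this usable as a first-pass check before pulling the APK for analysis.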
"The emergence of the Crocodilus mobile banking trojan marks a significant escalation in the sophistication and threat level posed by modern malware," ThreatFabric said.
"With its advanced device takeover capabilities, remote control features, and the deployment of black overlay attacks from its earliest iterations, Crocodilus demonstrates a level of maturity uncommon in newly discovered threats."
The development comes as Forcepoint revealed details of a phishing campaign that has been used to distribute the Grandoreiro banking trojan, targeting Windows users in Mexico, Argentina and Spain via an obfuscated Visual Basic script.