Experts Warn of the Sophisticated Crocodilus Mobile Banking Trojan

A new Android trojan called Crocodilus has been discovered by ThreatFabric researchers, exploiting accessibility features to steal banking and crypto credentials. This sophisticated malware targets users primarily in Spain and Turkey, but its global expansion is expected.

Crocodilus enters the scene as a fully-fledged threat from the outset, equipped with modern techniques such as remote control, black screen overlays, and advanced data harvesting via accessibility logging. Unlike simpler clones, Crocodilus demonstrates a level of maturity uncommon in newly discovered threats, according to ThreatFabric.

The report highlights that Crocodilus mimics modern banking malware, using overlay attacks, keylogging, and remote access. It bypasses Android 13+ restrictions via a dropper, allowing it to connect to a C2 server, monitor app launches, and use overlays to steal credentials.

ThreatFabric states that the malware primarily targets users in Spain and Turkey, with global expansion expected. Crocodilus also supports advanced keylogger capabilities by capturing all Accessibility events and screen elements. The malicious code supports a wide range of bot and RAT commands that allow cybercriminals to fully control an infected device.

Key features of the malware include:

  • Crocodilus steals OTP codes from Google Authenticator via Accessibility Logging, enabling account takeovers.
  • The malware uses hidden remote access with a black screen overlay and muted sound to conceal fraudulent activities.
  • Crocodilus tricks victims into revealing their seed phrase by displaying a fake warning, then logs the text via Accessibility features to steal and drain crypto wallets.
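Every capability in the list above depends on the malware holding an enabled accessibility service, usually alongside the draw-over-apps permission that overlays need. As an added illustration of how a defender or analyst might triage that combination (this is example code written here, not code from ThreatFabric or from the malware itself), the following script takes the real Android setting `enabled_accessibility_services` and a constructed per-package fact sheet, and flags enabled services that are sideloaded or that can also draw overlays:

```python
"""Triage heuristic for accessibility abuse of the kind described above.

Input 1: the value of `adb shell settings get secure enabled_accessibility_services`
(a real Android setting: colon-separated "package/service" entries).
Input 2: per-package facts the analyst collects separately (constructed here):
requested permissions and the installing package.
"""
from dataclasses import dataclass
from typing import Optional

# Permission names as they appear in an Android manifest.
OVERLAY = "android.permission.SYSTEM_ALERT_WINDOW"        # draw over other apps (overlay attacks)
ACCESSIBILITY_BIND = "android.permission.BIND_ACCESSIBILITY_SERVICE"
TRUSTED_INSTALLERS = {"com.android.vending"}               # assumption: Play Store only


@dataclass
class PackageFacts:
    permissions: set
    installer: Optional[str]  # None = sideloaded or unknown installer


def parse_enabled_services(setting: str) -> list:
    """Split 'pkg/service:pkg2/service2' into (package, service) pairs."""
    pairs = []
    for entry in setting.strip().split(":"):
        if "/" in entry:
            pkg, svc = entry.split("/", 1)
            pairs.append((pkg, svc))
    return pairs


def triage(setting: str, facts: dict) -> dict:
    """Return {package: [reasons]} for enabled accessibility services worth a closer look."""
    findings = {}
    for pkg, _svc in parse_enabled_services(setting):
        info = facts.get(pkg)
        reasons = []
        if info is None:
            reasons.append("no package facts available")
        else:
            if info.installer not in TRUSTED_INSTALLERS:
                reasons.append("sideloaded or unknown installer (dropper-style delivery)")
            if OVERLAY in info.permissions:
                reasons.append("accessibility + SYSTEM_ALERT_WINDOW: can read the screen and overlay it")
        if reasons:
            findings[pkg] = reasons
    return findings


if __name__ == "__main__":
    # Constructed sample: one suspicious sideloaded service and TalkBack from the Play Store.
    sample = {"com.example.dropper": PackageFacts({OVERLAY, ACCESSIBILITY_BIND}, None),
              "com.google.android.marvin.talkback": PackageFacts({ACCESSIBILITY_BIND}, "com.android.vending")}
    print(triage("com.example.dropper/.HiddenService:com.google.android.marvin.talkback/.TalkBackService", sample))
```

The heuristic is a starting point for triage, not proof of infection: legitimate screen readers also need accessibility, so the installer and overlay signals are what separate them from the pattern described in the report.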

Analysis of the source code suggests that its authors are Turkish-speaking. The emergence of Crocodilus marks a significant escalation in the sophistication and threat level posed by modern malware, according to ThreatFabric: its advanced Device-Takeover capabilities, remote control features, and black overlay attacks were all present from its earliest iterations rather than added over time.

ThreatFabric concludes that Crocodilus is clearly engineered to target high-value assets, already observed targeting banks in Spain and Turkey and popular cryptocurrency wallets. The incident highlights the need for users to remain vigilant and take proactive measures to protect themselves against such sophisticated malware.
