Android Banking Trojan Crocodilus Rapidly Evolves and Goes Global
A new Android banking trojan, dubbed Crocodilus, has emerged in recent months, rapidly gaining ground and spreading across Europe and South America. First observed in small test campaigns, the malware has since grown into full-scale campaigns targeting users worldwide.
Spreading through Malicious Ads on Social Media
Crocodilus spreads through malicious ads on social media platforms, including Facebook. These ads promise fake reward points or offer legitimate-looking banking and shopping apps, luring victims into clicking on them.
Dangerous Features and Enhanced Hiding Tactics
Crocodilus comes packed with dangerous features, including theft of seed phrases and manipulation of the contact list on an infected device. The malware can add a specified contact to the victim's contact list, so that a fraudulent call from the attacker's number shows up under a legitimate-looking name and the social engineering that follows is easier to pull off.
A New Variant with Enhanced Obfuscation Techniques
Recent samples of Crocodilus include enhanced obfuscation techniques such as code packing and XOR encryption to evade detection. The new variant also carries the fake-contact capability described above: it can add contacts to a victim's phone so that fraudulent calls appear legitimate.
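An added illustration, not code from the article or from any Crocodilus sample, of the kind of triage helper an analyst writes when a sample hides its strings behind XOR: it brute-forces a single-byte repeating key (an assumption; the article does not state the key length the malware uses) and scores each candidate by how English-like the result is, using a constructed sample string.

```python
"""Recover a single-byte XOR key from an obfuscated string blob.

Assumption: the obfuscation is a single repeating byte XORed over the
string. Longer keys need a different approach (e.g. per-position scoring).
"""
from typing import Tuple

# Weights by approximate English letter frequency; higher = more common.
_FREQ = {c: w for c, w in zip("etaoinshrdlcumwfgypbvkjxqz", range(26, 0, -1))}


def _english_score(data: bytes) -> int:
    """Score a candidate plaintext: common letters and spaces score high,
    other printable bytes score 1, non-printable bytes are penalised."""
    score = 0
    for b in data:
        if 0x41 <= b <= 0x5A:        # fold upper case onto lower case
            b += 0x20
        if 0x61 <= b <= 0x7A:
            score += _FREQ[chr(b)]
        elif b == 0x20:
            score += 20
        elif 0x20 < b < 0x7F or b in (9, 10, 13):
            score += 1
        else:
            score -= 50
    return score


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte of `data` with the single-byte `key` (0-255)."""
    return bytes(b ^ key for b in data)


def recover_single_byte_xor(blob: bytes) -> Tuple[int, bytes]:
    """Try all 256 keys and return (key, plaintext) with the best score."""
    best = (0, b"", None)
    for key in range(256):
        candidate = xor_bytes(blob, key)
        score = _english_score(candidate)
        if best[2] is None or score > best[2]:
            best = (key, candidate, score)
    return best[0], best[1]


# Constructed sample: a lure string obfuscated with the key 0x5A.
SAMPLE_KEY = 0x5A
SAMPLE_PLAIN = b"please save this number as bank support and call it back"
SAMPLE_BLOB = xor_bytes(SAMPLE_PLAIN, SAMPLE_KEY)

if __name__ == "__main__":
    key, plain = recover_single_byte_xor(SAMPLE_BLOB)
    print(f"key=0x{key:02x} plaintext={plain!r}")
```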
Crocodilus Enhances Focus on Cryptocurrency Wallets
The latest variant sharpens its focus on cryptocurrency wallets by adding a parser that extracts seed phrases and private keys from targeted wallet apps. The parsed output hands attackers clean, high-value data, making account takeover and theft of crypto assets directly from those wallets easier.
A Truly Global Threat
Crocodilus has extended its reach beyond Turkey and is now targeting users in several European countries, including Poland, as well as South America. The malware poses a significant threat to organizations and individuals alike, requiring proactive security measures to mitigate the risks.
A Call to Action
As Crocodilus continues to evolve, it is essential for organizations and users to stay vigilant and adopt proactive security measures to protect themselves against this increasingly sophisticated malware. Stay informed by following us on Twitter (@securityaffairs) and other social media platforms.