Tuesday, April 1, 2025

“Crocodilus” A New Malware Targeting Android Devices for Full Takeover

Researchers have uncovered a dangerous new mobile banking Trojan dubbed Crocodilus actively targeting financial institutions and cryptocurrency platforms.

The malware employs advanced techniques like remote device control, stealthy overlays, and social engineering to steal sensitive data, marking a significant escalation in mobile threat sophistication.

Early campaigns focus on banks in Spain and Turkey, but experts warn of imminent global expansion as the malware evolves.

Crocodilus Debuts With Advanced Device-Takeover Capabilities

Crocodilus distinguishes itself from older banking Trojans like Anatsa or Octo by incorporating “hidden” remote control features from its inception.

Once installed via a dropper that bypasses Android 13+ security, the malware abuses Accessibility Services to monitor device activity and deploy malicious overlays.

These overlays mimic legitimate banking apps, tricking users into entering credentials, which are harvested in real time.

A novel “black screen overlay” conceals fraudulent transactions by masking the device screen while muting audio, ensuring victims remain unaware of unauthorized activities.

Crocodilus also uses Accessibility Logging, a superset of traditional keylogging, to capture every text change and UI element displayed, including one-time passwords (OTPs) from apps like Google Authenticator. This lets attackers bypass multi-factor authentication without the victim noticing.

Evidence within Crocodilus’ code points to Turkish-speaking developers, with debug messages and tags like “sybupdate” suggesting potential links to “sybra”—a threat actor previously linked to Ermac, Hook, and Octo malware variants.

However, researchers caution that “sybra” could be a customer testing Crocodilus rather than its creator, highlighting the malware’s likely availability in underground markets.

The Trojan’s infrastructure already supports dynamic targeting, allowing operators to push updated overlay templates and app target lists via its C2 server.

Early targets include major Spanish banks, Turkish financial apps, and cryptocurrency wallets like Bitcoin Wallet and Trust Wallet.

ThreatFabric anticipates rapid diversification of targets as Crocodilus gains traction among cybercriminals.

Social Engineering Lures Victims into Surrendering Crypto Keys

In a devious twist, Crocodilus manipulates cryptocurrency users into voluntarily revealing wallet recovery phrases.

After stealing a wallet’s PIN via an overlay, the malware displays a fake warning: “Back up your wallet key in the settings within 12 hours. Otherwise, the app will be reset…”

Panicked victims then navigate to their seed phrase, which the Accessibility Logger captures and transmits to the attackers; the seed phrase grants full control over the wallet, enabling instant asset theft.

According to ThreatFabric’s report, Crocodilus’ rapid maturation underscores the inadequacy of traditional antivirus tools against modern banking Trojans.

ThreatFabric urges financial institutions to adopt behavior-based detection and device risk profiling to identify compromised devices.

Users are advised to avoid sideloading apps, scrutinize app permissions, and distrust urgent security warnings without verification.
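The two recommendations above, device risk profiling for institutions and scrutiny of sideloaded apps and permissions for users, boil down to one check: which packages on a device were installed outside the Play Store and also hold the accessibility or overlay privileges that Crocodilus abuses. The script below is an added example written for this article, not code from ThreatFabric or from the malware analysis. It parses text captured from `adb shell` (the sample output embedded here is constructed, and the exact output formats are an assumption that may vary across Android versions) and scores each package by those three signals.

```python
"""Device risk profiling helper: flag sideloaded Android apps that hold
accessibility or overlay privileges, the combination banking Trojans
such as Crocodilus rely on.

Inputs are text captured from `adb shell` commands. The samples below are
constructed for this example; the output formats they mimic are an
assumption and may differ across Android versions.
"""
import re

# Constructed sample of `adb shell pm list packages -i`.
# installer=null means preinstalled OR sideloaded via an unknown source.
PM_LIST_OUTPUT = """\
package:com.android.vending  installer=null
package:com.google.android.marvin.talkback  installer=null
package:com.example.bank  installer=com.android.vending
package:com.example.wallet  installer=com.android.vending
package:com.example.dropper  installer=com.android.packageinstaller
package:com.example.sideloadedtool  installer=com.android.packageinstaller
"""

# Constructed sample of
# `adb shell settings get secure enabled_accessibility_services`
# (entries are separated by ':', package and class by '/').
ENABLED_A11Y_OUTPUT = (
    "com.example.dropper/com.example.dropper.MonitorService:"
    "com.google.android.marvin.talkback/"
    "com.google.android.marvin.talkback.TalkBackService"
)

# Constructed sample of `adb shell appops get <pkg> SYSTEM_ALERT_WINDOW`,
# one line per package (overlay permission state).
APPOPS_OUTPUT = {
    "com.example.dropper": "SYSTEM_ALERT_WINDOW: allow; time=+3h12m0s ago",
    "com.example.sideloadedtool": "SYSTEM_ALERT_WINDOW: default",
    "com.example.bank": "No operations.",
}

TRUSTED_INSTALLERS = {"com.android.vending"}  # Google Play Store
FLAG_THRESHOLD = 4  # hypothetical scoring threshold chosen for this example


def parse_installers(text):
    """Map package name -> installer package (None for 'null')."""
    installers = {}
    for line in text.splitlines():
        m = re.match(r"package:(\S+)\s+installer=(\S+)", line.strip())
        if m:
            pkg, installer = m.group(1), m.group(2)
            installers[pkg] = None if installer == "null" else installer
    return installers


def parse_enabled_a11y(text):
    """Return the set of packages with an enabled accessibility service."""
    pkgs = set()
    for entry in text.strip().split(":"):
        if "/" in entry:
            pkgs.add(entry.split("/", 1)[0])
    return pkgs


def overlay_allowed(appops_line):
    """True if the SYSTEM_ALERT_WINDOW app-op is explicitly allowed."""
    return re.search(r"SYSTEM_ALERT_WINDOW:\s*allow", appops_line) is not None


def risk_profile(installers, a11y_pkgs, appops):
    """Score each package; return flagged (pkg, score, reasons), highest first."""
    findings = []
    for pkg, installer in installers.items():
        score, reasons = 0, []
        if installer is None:
            score += 1
            reasons.append("unknown installer (preinstalled or sideloaded)")
        elif installer not in TRUSTED_INSTALLERS:
            score += 2
            reasons.append(f"sideloaded via {installer}")
        if pkg in a11y_pkgs:
            score += 2
            reasons.append("accessibility service enabled")
        if overlay_allowed(appops.get(pkg, "")):
            score += 2
            reasons.append("overlay permission granted")
        if score >= FLAG_THRESHOLD:
            findings.append((pkg, score, reasons))
    return sorted(findings, key=lambda f: -f[1])


if __name__ == "__main__":
    for pkg, score, reasons in risk_profile(
        parse_installers(PM_LIST_OUTPUT),
        parse_enabled_a11y(ENABLED_A11Y_OUTPUT),
        APPOPS_OUTPUT,
    ):
        print(f"{pkg}: score={score} ({', '.join(reasons)})")
```

With the constructed sample, only `com.example.dropper` crosses the threshold: it was sideloaded, has an enabled accessibility service, and holds the overlay permission. TalkBack, a legitimate accessibility service, stays below the threshold because it is preinstalled and holds no overlay grant, which is why the scoring weighs the combination of signals rather than accessibility access alone.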

As mobile threats grow more sophisticated, the battle against fraud increasingly hinges on disrupting the social engineering tactics that make tools like Crocodilus devastatingly effective.

Kaaviya
Kaaviya is a Security Editor and fellow reporter with Cyber Security News. She is covering various cyber security incidents happening in the Cyber Space.
