Sunday, April 27, 2025
HomeAndroid"Crocodilus" A New Malware Targeting Android Devices for Full Takeover

“Crocodilus” A New Malware Targeting Android Devices for Full Takeover

Published on

SIEM as a Service

Follow Us on Google News

Researchers have uncovered a dangerous new mobile banking Trojan dubbed Crocodilus actively targeting financial institutions and cryptocurrency platforms.

The malware employs advanced techniques like remote device control, stealthy overlays, and social engineering to steal sensitive data, marking a significant escalation in mobile threat sophistication.

Early campaigns focus on banks in Spain and Turkey, but experts warn of imminent global expansion as the malware evolves.

- Advertisement - Google News

Crocodilus Debuts With Advanced Device-Takeover Capabilities

Crocodilus distinguishes itself from older banking Trojans like Anatsa or Octo by incorporating “hidden” remote control features from its inception.

Once installed via a dropper that bypasses Android 13+ security, the malware abuses Accessibility Services to monitor device activity and deploy malicious overlays.

These overlays mimic legitimate banking apps, tricking users into entering credentials, which are harvested in real time.

A novel “black screen overlay” conceals fraudulent transactions by masking the device screen while muting audio, ensuring victims remain unaware of unauthorized activities.

Crocodilus also uses Accessibility Logging a superset of traditional keylogging to capture every text change and UI element displayed, including one-time passwords (OTPs) from apps like Google Authenticator. This enables attackers to bypass multi-factor authentication seamlessly.

Evidence within Crocodilus’ code points to Turkish-speaking developers, with debug messages and tags like “sybupdate” suggesting potential links to “sybra”—a threat actor previously linked to Ermac, Hook, and Octo malware variants.

However, researchers caution that “sybra” could be a customer testing Crocodilus rather than its creator, highlighting the malware’s likely availability in underground markets.

The Trojan’s infrastructure already supports dynamic targeting, allowing operators to push updated overlay templates and app target lists via its C2 server.

Early targets include major Spanish banks, Turkish financial apps, and cryptocurrency wallets like Bitcoin Wallet and Trust Wallet.

ThreatFabric anticipates rapid diversification of targets as Crocodilus gains traction among cybercriminals.

Social Engineering Lures Victims into Surrendering Crypto Keys

In a devious twist, Crocodilus manipulates cryptocurrency users into voluntarily revealing wallet recovery phrases.

After stealing a wallet’s PIN via an overlay, the malware displays a fake warning: “Back up your wallet key in the settings within 12 hours. Otherwise, the app will be reset…”

Panicked victims then navigate to their seed phrase, which Accessibility Logger captures and transmits to attackers, which grants full control over wallets, enabling instant asset theft.

According to the Report, Crocodilus’ rapid maturation underscores the inadequacy of traditional antivirus tools against modern banking Trojans.

ThreatFabric urges financial institutions to adopt behavior-based detection and device risk profiling to identify compromised devices.

Users are advised to avoid sideloading apps, scrutinize app permissions, and distrust urgent security warnings without verification.

As mobile threats grow more sophisticated, the battle against fraud increasingly hinges on disrupting the social engineering tactics that make tools like Crocodilus devastatingly effective.

Find this News Interesting! Follow us on Google NewsLinkedIn, and X to Get Instant Updates!

Kaaviya
Kaaviya
Kaaviya is a Security Editor and fellow reporter with Cyber Security News. She is covering various cyber security incidents happening in the Cyber Space.

Latest articles

How To Use Digital Forensics To Strengthen Your Organization’s Cybersecurity Posture

Digital forensics has become a cornerstone of modern cybersecurity strategies, moving beyond its traditional...

Building A Strong Compliance Framework: A CISO’s Guide To Meeting Regulatory Requirements

In the current digital landscape, Chief Information Security Officers (CISOs) are under mounting pressure...

Two Systemic Jailbreaks Uncovered, Exposing Widespread Vulnerabilities in Generative AI Models

Two significant security vulnerabilities in generative AI systems have been discovered, allowing attackers to...

New AI-Generated ‘TikDocs’ Exploits Trust in the Medical Profession to Drive Sales

AI-generated medical scams across TikTok and Instagram, where deepfake avatars pose as healthcare professionals...

Resilience at Scale

Why Application Security is Non-Negotiable

The resilience of your digital infrastructure directly impacts your ability to scale. And yet, application security remains a critical weak link for most organizations.

Application Security is no longer just a defensive play—it’s the cornerstone of cyber resilience and sustainable growth. In this webinar, Karthik Krishnamoorthy (CTO of Indusface) and Phani Deepak Akella (VP of Marketing – Indusface), will share how AI-powered application security can help organizations build resilience by

Discussion points


Protecting at internet scale using AI and behavioral-based DDoS & bot mitigation.
Autonomously discovering external assets and remediating vulnerabilities within 72 hours, enabling secure, confident scaling.
Ensuring 100% application availability through platforms architected for failure resilience.
Eliminating silos with real-time correlation between attack surface and active threats for rapid, accurate mitigation

More like this

How To Use Digital Forensics To Strengthen Your Organization’s Cybersecurity Posture

Digital forensics has become a cornerstone of modern cybersecurity strategies, moving beyond its traditional...

Building A Strong Compliance Framework: A CISO’s Guide To Meeting Regulatory Requirements

In the current digital landscape, Chief Information Security Officers (CISOs) are under mounting pressure...

Two Systemic Jailbreaks Uncovered, Exposing Widespread Vulnerabilities in Generative AI Models

Two significant security vulnerabilities in generative AI systems have been discovered, allowing attackers to...