Cyber Security News

“Crocodilus” A New Malware Targeting Android Devices for Full Takeover

Researchers have uncovered a dangerous new mobile banking Trojan dubbed Crocodilus actively targeting financial institutions and cryptocurrency platforms.

The malware employs advanced techniques like remote device control, stealthy overlays, and social engineering to steal sensitive data, marking a significant escalation in mobile threat sophistication.

Early campaigns focus on banks in Spain and Turkey, but experts warn of imminent global expansion as the malware evolves.

Crocodilus Debuts With Advanced Device-Takeover Capabilities

Crocodilus distinguishes itself from older banking Trojans like Anatsa or Octo by incorporating “hidden” remote control features from its inception.

Once installed via a dropper that bypasses Android 13+ security, the malware abuses Accessibility Services to monitor device activity and deploy malicious overlays.

These overlays mimic legitimate banking apps, tricking users into entering credentials, which are harvested in real time.

A novel “black screen overlay” conceals fraudulent transactions by masking the device screen while muting audio, ensuring victims remain unaware of unauthorized activities.

Crocodilus also uses Accessibility Logging a superset of traditional keylogging to capture every text change and UI element displayed, including one-time passwords (OTPs) from apps like Google Authenticator. This enables attackers to bypass multi-factor authentication seamlessly.

Evidence within Crocodilus’ code points to Turkish-speaking developers, with debug messages and tags like “sybupdate” suggesting potential links to “sybra”—a threat actor previously linked to Ermac, Hook, and Octo malware variants.

However, researchers caution that “sybra” could be a customer testing Crocodilus rather than its creator, highlighting the malware’s likely availability in underground markets.

The Trojan’s infrastructure already supports dynamic targeting, allowing operators to push updated overlay templates and app target lists via its C2 server.

Early targets include major Spanish banks, Turkish financial apps, and cryptocurrency wallets like Bitcoin Wallet and Trust Wallet.

ThreatFabric anticipates rapid diversification of targets as Crocodilus gains traction among cybercriminals.

Social Engineering Lures Victims into Surrendering Crypto Keys

In a devious twist, Crocodilus manipulates cryptocurrency users into voluntarily revealing wallet recovery phrases.

After stealing a wallet’s PIN via an overlay, the malware displays a fake warning: “Back up your wallet key in the settings within 12 hours. Otherwise, the app will be reset…”

Panicked victims then navigate to their seed phrase, which Accessibility Logger captures and transmits to attackers, which grants full control over wallets, enabling instant asset theft.

According to the Report, Crocodilus’ rapid maturation underscores the inadequacy of traditional antivirus tools against modern banking Trojans.

ThreatFabric urges financial institutions to adopt behavior-based detection and device risk profiling to identify compromised devices.

Users are advised to avoid sideloading apps, scrutinize app permissions, and distrust urgent security warnings without verification.

As mobile threats grow more sophisticated, the battle against fraud increasingly hinges on disrupting the social engineering tactics that make tools like Crocodilus devastatingly effective.

Find this News Interesting! Follow us on Google NewsLinkedIn, and X to Get Instant Updates!

Kaaviya

Kaaviya is a Security Editor and fellow reporter with Cyber Security News. She is covering various cyber security incidents happening in the Cyber Space.

Recent Posts

Kentico Xperience CMS XSS Vulnerability Allows Remote Code Execution

Kentico Xperience CMS, a widely used platform designed for enterprises and organizations, is under scrutiny…

22 minutes ago

LensDeal Data Breach Exposes 100,000 Customers’ Personal Information

A major data breach involving LensDeal, a Netherlands-based contact lens supplier, has reportedly exposed the…

33 minutes ago

Apple Issues Warning on Three 0-Day Vulnerabilities Under Active Exploitation

Apple has issued an urgent security advisory concerning three critical zero-day vulnerabilities – CVE-2025-24200, CVE-2025-24201, and CVE-2025-24085 – which…

49 minutes ago

Microsoft Discovers GRUB2, U-Boot, and Barebox Bootloader Flaws with Copilot

Microsoft has disclosed the discovery of multiple critical vulnerabilities within the GRUB2, U-Boot, and Barebox…

52 minutes ago

Rockwell Automation Vulnerability Allows Attackers to Execute Arbitrary Commands

Rockwell Automation has identified a critical flaw in its Verve Asset Manager software, exposing industrial systems to…

3 hours ago

Check Point Confirms Data Breach, Says Leaked Information is ‘Old’

Cybersecurity giant Check Point has confirmed that a recent post on a notorious dark web…

5 hours ago