Cyber Security News

“Crocodilus”: A New Malware Targeting Android Devices for Full Takeover

Researchers have uncovered a dangerous new mobile banking Trojan dubbed Crocodilus actively targeting financial institutions and cryptocurrency platforms.

The malware employs advanced techniques like remote device control, stealthy overlays, and social engineering to steal sensitive data, marking a significant escalation in mobile threat sophistication.

Early campaigns focus on banks in Spain and Turkey, but experts warn of imminent global expansion as the malware evolves.

Crocodilus Debuts With Advanced Device-Takeover Capabilities

Crocodilus distinguishes itself from older banking Trojans like Anatsa or Octo by incorporating “hidden” remote control features from its inception.

Once installed via a dropper that bypasses the Android 13+ restrictions on sideloaded apps requesting Accessibility Service access, the malware abuses Accessibility Services to monitor device activity and deploy malicious overlays.

These overlays mimic legitimate banking apps, tricking users into entering credentials, which are harvested in real time.

A novel “black screen overlay” conceals fraudulent transactions by masking the device screen while muting audio, ensuring victims remain unaware of unauthorized activities.

Crocodilus also uses Accessibility Logging, a superset of traditional keylogging, to capture every text change and UI element displayed, including one-time passwords (OTPs) shown by apps like Google Authenticator. This lets attackers bypass OTP-based multi-factor authentication without the victim noticing.

Evidence within Crocodilus’ code points to Turkish-speaking developers, with debug messages and tags like “sybupdate” suggesting potential links to “sybra”—a threat actor previously linked to Ermac, Hook, and Octo malware variants.

However, researchers caution that “sybra” could be a customer testing Crocodilus rather than its creator, highlighting the malware’s likely availability in underground markets.

The Trojan’s infrastructure already supports dynamic targeting, allowing operators to push updated overlay templates and app target lists via its C2 server.

Early targets include major Spanish banks, Turkish financial apps, and cryptocurrency wallets like Bitcoin Wallet and Trust Wallet.

ThreatFabric anticipates rapid diversification of targets as Crocodilus gains traction among cybercriminals.

Social Engineering Lures Victims into Surrendering Crypto Keys

In a devious twist, Crocodilus manipulates cryptocurrency users into voluntarily revealing wallet recovery phrases.

After stealing a wallet’s PIN via an overlay, the malware displays a fake warning: “Back up your wallet key in the settings within 12 hours. Otherwise, the app will be reset…”

Panicked victims then navigate to their seed phrase, which the Accessibility Logger captures and transmits to the attackers. Possession of the seed phrase grants full control over the wallet and enables immediate asset theft.

According to the report, Crocodilus’ rapid maturation underscores the inadequacy of traditional antivirus tools against modern banking Trojans.

ThreatFabric urges financial institutions to adopt behavior-based detection and device risk profiling to identify compromised devices.

Users are advised to avoid sideloading apps, scrutinize app permissions, and distrust urgent security warnings without verification.
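As an added triage example (not from the article or from ThreatFabric's report), the following POSIX shell script checks the three device signals this advice points at: which accessibility services are enabled, which packages are allowed to draw overlays, and which third-party apps were not installed from the Play Store. It reads the live values over adb when a device is attached; the allowlists, the trusted-installer name and the sample command outputs (including the hypothetical package com.example.updater) are constructed assumptions, not data from a real infection.

```shell
#!/bin/sh
# Added triage helper (not part of the article or ThreatFabric's report).
# Parses the output of three adb commands and flags the device signals an
# Accessibility-abusing banking Trojan leaves behind:
#   settings get secure enabled_accessibility_services  (colon-separated pkg/class)
#   appops query-op SYSTEM_ALERT_WINDOW allow            (one package per line)
#   pm list packages -3 -i                               ("package:<pkg>  installer=<pkg>")
# Allowlists and sample outputs below are constructed assumptions for this
# example; adjust them to the fleet you manage.

# Accessibility services considered legitimate (assumption: TalkBack family).
A11Y_ALLOW='com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService
com.google.android.marvin.talkback/com.google.android.accessibility.selecttospeak.SelectToSpeakService'

# Packages expected to hold the overlay permission (assumption).
OVERLAY_ALLOW='com.android.systemui
com.google.android.apps.messaging'

# Installer whose installs are considered trusted (assumption: Google Play).
TRUSTED_INSTALLER='com.android.vending'

# Constructed sample outputs (not captured from a real infection). The
# hypothetical com.example.updater plays the role of a dropper.
SAMPLE_A11Y='com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:com.example.updater/.SvcA11y'
SAMPLE_OVERLAY='com.android.systemui
com.example.updater'
SAMPLE_PKGS='package:com.example.updater  installer=null
package:com.example.bank  installer=com.android.vending
package:com.example.wallet  installer=com.google.android.packageinstaller'

# flag_a11y "<setting value>": prints each enabled service not in A11Y_ALLOW.
flag_a11y() {
    [ "$1" = "null" ] && return 0          # "null" means nothing is enabled
    printf '%s\n' "$1" | tr ':' '\n' | while IFS= read -r svc; do
        [ -z "$svc" ] && continue
        case "$svc" in                      # expand short form pkg/.Cls -> pkg/pkg.Cls
            */.*) svc="${svc%%/*}/${svc%%/*}${svc#*/}" ;;
        esac
        printf '%s\n' "$A11Y_ALLOW" | grep -qxF "$svc" || printf '%s\n' "$svc"
    done
}

# flag_overlay "<query-op output>": prints each overlay holder not in OVERLAY_ALLOW.
flag_overlay() {
    printf '%s\n' "$1" | while IFS= read -r pkg; do
        [ -z "$pkg" ] && continue
        printf '%s\n' "$OVERLAY_ALLOW" | grep -qxF "$pkg" || printf '%s\n' "$pkg"
    done
}

# flag_sideloaded "<pm list output>": prints third-party apps not installed by
# TRUSTED_INSTALLER, together with the installer that did install them.
flag_sideloaded() {
    printf '%s\n' "$1" | while IFS= read -r line; do
        case "$line" in package:*) ;; *) continue ;; esac
        pkg="${line#package:}"; pkg="${pkg%% *}"
        inst="${line##*installer=}"
        [ "$inst" = "$TRUSTED_INSTALLER" ] || printf '%s (installer=%s)\n' "$pkg" "$inst"
    done
}

# triage "<a11y>" "<overlay>" "<pkgs>": prints all findings; returns 1 if any.
triage() {
    findings=$( {
        flag_a11y "$1"       | sed 's/^/accessibility-service: /'
        flag_overlay "$2"    | sed 's/^/overlay-permission: /'
        flag_sideloaded "$3" | sed 's/^/non-store-install: /'
    } )
    if [ -n "$findings" ]; then
        printf '%s\n' "$findings"
        return 1
    fi
    echo "no findings"
}

# Live run when a device is attached (adb shell output may carry CRs; strip
# them), otherwise run against the constructed samples.
if command -v adb >/dev/null 2>&1 && adb get-state >/dev/null 2>&1; then
    triage "$(adb shell settings get secure enabled_accessibility_services | tr -d '\r')" \
           "$(adb shell appops query-op SYSTEM_ALERT_WINDOW allow | tr -d '\r')" \
           "$(adb shell pm list packages -3 -i | tr -d '\r')" \
        || echo "verdict: device flagged for manual review"
else
    triage "$SAMPLE_A11Y" "$SAMPLE_OVERLAY" "$SAMPLE_PKGS" \
        || echo "verdict: device flagged for manual review"
fi
```

On the constructed samples the script reports the hypothetical updater package under all three headings, which is exactly the combination (an unknown accessibility service, overlay rights, and no store installer) that a device risk profile should treat as a compromised handset; a legitimate accessibility tool such as TalkBack passes the allowlist and produces no finding.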

As mobile threats grow more sophisticated, the battle against fraud increasingly hinges on disrupting the social engineering tactics that make tools like Crocodilus devastatingly effective.


Kaaviya

Kaaviya is a Security Editor and fellow reporter with Cyber Security News. She covers cyber security incidents across cyberspace.
