New Android Trojan Crocodilus Steals Banking and Crypto App Data


A new Android banking malware called Crocodilus is targeting users by forcing them to provide seed phrases for their cryptocurrency wallets under the pretense of creating a backup. The trojan also has capabilities for device takeover, data collection, and remote control.

According to researchers at ThreatFabric, the malware is distributed by its own dropper, which defeats the protections added in Android 13 and later. The dropper installs the payload without triggering Play Protect and also sidesteps the Restricted Settings mechanism that Android 13 introduced to stop sideloaded apps from being granted Accessibility Service access.

How Crocodilus Works

Once the victim grants it Accessibility Service access, Crocodilus can read screen content, perform navigation gestures, and monitor which apps are launched. When the victim opens a targeted banking or cryptocurrency app, Crocodilus draws a fake overlay on top of the legitimate app to harvest login credentials.

The trojan uses social engineering to trick victims into revealing their crypto wallet seed phrases. It presents a special overlay warning users that they must “save the wallet key in settings within 12 hours” or risk losing access forever.

“This trick forces the victim to access their seed phrase (wallet key), allowing Crocodilus to capture the text using the Accessibility Logger,” researchers explain. “With this information, attackers can gain full control over the wallet and completely drain it.”

Targeted Regions and Infection Methods

Crocodilus has mainly targeted users in Turkey and Spain, focusing on banking accounts in these countries. Debug messages suggest the malware originates from Turkey.

The initial infection method is still unclear. Typically, such campaigns trick victims into downloading droppers via malicious websites, fraudulent social media ads or SMS messages, and third-party app stores.

Malware Capabilities

The bot component of Crocodilus supports 23 commands that it can execute on an infected device, including:

  • Enabling call forwarding
  • Launching specific apps
  • Sending push notifications
  • Sending SMS messages to all contacts or a specified number
  • Receiving SMS messages
  • Requesting administrator privileges
  • Activating a black overlay
  • Turning sound on or off
  • Locking the screen
  • Setting itself as the default SMS manager

Crocodilus also functions as a remote access trojan (RAT), allowing its operators to interact with the device's screen, navigate the user interface, swipe, and so on.
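The abuse described above rests on three device-level privileges: Accessibility Service access (granted during installation), device administrator rights, and the default SMS role (both requested by bot commands). A responder with adb access to a suspect device can enumerate who currently holds them. The script below is an added example for this article, not ThreatFabric's code or anything taken from a Crocodilus sample. It parses the text printed by four `adb shell` commands (`pm list packages -3 -i`, `settings get secure enabled_accessibility_services`, `dumpsys device_policy`, `cmd role get-role-holders android.app.role.SMS`) and flags third-party packages holding any of those privileges that were not installed through the Play Store. The adb output embedded in it is constructed sample data, and the `dumpsys` and `cmd role` line layouts it expects are assumptions; compare against a real capture before relying on it.

```python
"""Triage of Android privilege holders abused by Crocodilus-style trojans.

Added example for this article (not ThreatFabric's code, not a sample).
All adb output below is constructed; the dumpsys/cmd-role layouts are
assumptions to check against a real device before use.
"""
import re

PLAY_STORE = "com.android.vending"


def parse_installers(pm_output: str) -> dict[str, str]:
    """Parse `pm list packages -3 -i`: `package:<pkg>  installer=<pkg|null>`.

    Only third-party packages are listed, so system apps never appear here.
    """
    return {
        m.group(1): m.group(2)
        for m in re.finditer(r"^package:(\S+)\s+installer=(\S+)", pm_output, re.M)
    }


def parse_accessibility(settings_output: str) -> set[str]:
    """Parse `settings get secure enabled_accessibility_services`.

    The value is a colon-separated list of `package/ServiceClass`
    components, or the literal `null` when nothing is enabled.
    """
    value = settings_output.strip()
    if value in ("", "null"):
        return set()
    return {c.split("/", 1)[0] for c in value.split(":") if c}


def parse_device_admins(dumpsys_output: str) -> set[str]:
    """Parse the `Enabled Device Admins` block of `dumpsys device_policy`.

    Assumed layout: each admin is an indented `pkg/Receiver:` line under
    that heading, followed by deeper-indented attribute lines.
    """
    admins, in_block = set(), False
    for line in dumpsys_output.splitlines():
        if "Enabled Device Admins" in line:
            in_block = True
            continue
        if in_block:
            m = re.match(r"^\s+([\w.]+)/[\w.$]+:\s*$", line)
            if m:
                admins.add(m.group(1))
            elif line and not line[0].isspace():  # next top-level section
                in_block = False
    return admins


def parse_sms_role(role_output: str) -> set[str]:
    """Parse `cmd role get-role-holders android.app.role.SMS`.

    Assumed layout: holders separated by ';' (or whitespace), one line.
    """
    return {p for p in re.split(r"[;\s]+", role_output.strip()) if p}


def triage(pm_output, settings_output, dumpsys_output, role_output):
    """Return sorted (package, reason) findings for sideloaded privilege holders."""
    installers = parse_installers(pm_output)

    def sideloaded(pkg: str) -> bool:
        # Third-party package whose installer is anything but the Play Store
        # (sideloaded APKs usually show installer=null).
        return pkg in installers and installers[pkg] != PLAY_STORE

    findings = []
    for pkg in sorted(parse_accessibility(settings_output)):
        if sideloaded(pkg):
            findings.append((pkg, "sideloaded app holds Accessibility Service"))
    for pkg in sorted(parse_device_admins(dumpsys_output)):
        if sideloaded(pkg):
            findings.append((pkg, "sideloaded app is a device admin"))
    for pkg in sorted(parse_sms_role(role_output)):
        if sideloaded(pkg):
            findings.append((pkg, "sideloaded app is the default SMS handler"))
    return findings


# Constructed sample captures (not real device output).
SAMPLE_PM = """package:com.bank.app  installer=com.android.vending
package:com.example.pdfviewer  installer=null
package:com.google.android.apps.messaging  installer=com.android.vending
"""
SAMPLE_SETTINGS = (
    "com.example.pdfviewer/.AccessService:"
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService\n"
)
SAMPLE_DUMPSYS = """Current Device Policy Manager state:
  Enabled Device Admins (User 0, provisioningState: 0):
    com.example.pdfviewer/.AdminReceiver:
      uid=10245
      testOnlyAdmin=false
  Password Owner: -1
"""
SAMPLE_ROLE = "com.example.pdfviewer\n"

if __name__ == "__main__":
    for pkg, reason in triage(SAMPLE_PM, SAMPLE_SETTINGS, SAMPLE_DUMPSYS, SAMPLE_ROLE):
        print(f"{pkg}: {reason}")
```

On the constructed sample the fake "PDF viewer" is reported three times, once per privilege, while TalkBack is ignored because it is not a third-party package. A hit on any one of the three checks is enough to pull the APK for analysis; a single sideloaded package holding all three is the profile the article describes.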

There is also a dedicated command for taking screenshots inside the Google Authenticator app to capture the one-time codes used for two-factor authentication; any code rendered on screen is readable by an app that can capture the screen or read the accessibility tree. During these actions, Crocodilus operators can activate a black overlay or mute the device to hide their activity from the victim and create the impression that the device is locked.

Potential for Expansion

Although the Crocodilus campaign is currently limited to Spain and Turkey, researchers warn that the trojan could expand its reach and add new apps to its list of targets.
