Security researchers at ThreatFabric have uncovered Crocodilus, a new and highly capable mobile banking Trojan that features modern attack techniques, including remote control, black screen overlays, and advanced data harvesting via accessibility logging.
During routine threat-hunting operations, analysts identified these previously unseen malware samples. Dubbed “Crocodilus” after references left by its developers (who call it “Crocodile”), this Trojan exhibits all the hallmarks of a modern banking malware: overlay attacks, keylogging, remote access, and hidden control capabilities.
ThreatFabric’s initial analysis revealed that Crocodilus seems to be mainly targeting financial institutions in Spain and Turkey, as well as several cryptocurrency wallets. However, researchers say they expect its reach to expand globally as it evolves.
How Crocodilus Works
This scourge operates as a sophisticated Device Takeover banking Trojan, initially installed via a proprietary dropper that bypasses Android 13+ restrictions. Once installed, it requests Accessibility Services permission, giving it deep access to the device.
Once activated, it connects to its command-and-control (C2) server, receiving instructions such as targeted applications and corresponding overlays, and then runs persistently in the background, keeping an eye on app launches and deploying overlays to intercept credentials.
Beyond Keylogging: The Accessibility Logger
One of Crocodilus’ most dangerous features is its Accessibility Logger, which takes traditional keylogging to a new level by monitoring all Accessibility events, allowing the malware to capture every element displayed on the screen, effectively logging all text changes performed by the victim.
According to the researchers, RAT command “TG32XAZADG” triggers a screen capture on the content of the Google Authenticator application. “This, too, is done using the aforementioned Accessibility Logging capabilities. Crocodilus will enumerate all the elements displayed on the screen in Google Authenticator app, capture the text displayed (the name of the OTP code, as well as its value) and send these to the C2, allowing timely theft of OTP codes for the operators of Crocodilus.”
Furthermore, once malicious actors obtain a victim’s personal data and credentials, they can take full control of a victim’s device using built-in remote access, completing fraudulent transactions without detection.
Stealthy Operations and Hidden Remote Access
Crocodilus has yet another layer of deception: it can execute remote access sessions in “hidden” mode by overlaying a black screen on all activities, which prevents the victim from noticing unsanctioned actions occurring on their device. The malware also mutes the sound on the infected device, so any fraudulent activity stays unnoticed.
Possible Links to Known Threat Actors
Researchers discovered that early Crocodilus samples contained the tag “sybupdate,” which could be a connection to another mobile threat actor known as “sybra.” This group has been linked to Ermac forks like MetaDroid, as well as the Hook and Octo malware strains. However, it is not clear whether “sybra” is the actual developer of Crocodilus or simply an early adopter testing a new tool in the mobile banking Trojan market.
Analysis of the malware’s source code also uncovered debug messages left by the developers, which suggests they are Turkish-speaking.
Manipulating Victims into Handing Over Wallet Keys
One of Crocodilus’ more cunning tactics involves social engineering to extract cryptocurrency wallet credentials. If a victim enters their password or PIN into a compromised application, the malware presents a message encouraging them to back up their wallet key within 12 hours to avoid losing access—a trick that leads victims to navigate to their wallet key, which Crocodilus then captures using the above-mentioned Accessibility Logger. With this access, bad actors can completely empty the victim’s cryptocurrency wallet.
The Rising Threat of Crocodilus
Crocodilus is a significant escalation in the capabilities of mobile banking Trojans, and unlike many newly discovered malware families that take time to mature, the researchers say it has arrived on the scene as a fully developed and highly advanced threat.
Already targeting high-value assets in Spain, Turkey, and cryptocurrency wallets, this threat is set to expand rapidly. Its sophisticated Device Takeover techniques, stealthy remote access, and ability to bypass modern security measures make it a formidable challenge for financial institutions and users alike.
The Need for Advanced Security Measures
When threats like Crocodilus rear their ugly heads, it becomes clear that traditional, signature-based detection methods are inadequate weapons in the war against modern malware, particularly in the early stages of its proliferation. To fight threats of this nature, financial entities should adopt a layered security approach that includes comprehensive device and behavioral risk analysis.
Information Security Buzz News Editor
Kirsten Doyle has been in the technology journalism and editing space for nearly 24 years, during which time she has developed a great love for all aspects of technology, as well as words themselves. Her experience spans B2B tech, with a lot of focus on cybersecurity, cloud, enterprise, digital transformation, and data centre. Her specialties are in news, thought leadership, features, white papers, and PR writing, and she is an experienced editor for both print and online publications.