Crocodilus is a new banking malware that evades detection from Google’s play protect.

The Android malware has been specifically targeting to steal sensitive cryptocurrency wallet credentials through social engineering. Its convincing overlay screen warns users to back up their wallet key within 12 hours or risk losing access says security researchers.

Why threat researchers call this trojan ?

Crocodilus includes all the necessary features of modern banking malware: overlay attacks, keylogging, remote access, and “hidden” remote control capabilities. Also the malware is distributed via a proprietary dropper that bypasses Android 13 (and later) security protections as per researchers of Threat fabric.

Unlike any banking trojan which takes over devices, Crocodilus is similar in pattern and uses tactics to load a fake overlay on top of the real app to intercept the victim’s account credentials. These are targeted mostly for banking or cryptocurrency app users.

Another data theft feature of Crocodilus is a keylogger and the malware monitors all Accessibility events and captures all the elements displayed on the screen, i.e. it is an accessibility Logger.

Intricacies of Crocodilus Malware

The modus operandi of the malware makes it easier to preform task to gains access to accessibility service, to unlock access to screen content, perform navigation gestures, monitor for app launches.

The malware also offers remote access Trojan (RAT) functionality, which enables its operators to tap on the screen, navigate the user interface, perform swipe actions.

The malware is fitted with dedicated RAT command to take a screenshot of the Google Authenticator application and capture one-time password codes used for two-factor authentication account protection.

Android users are advised to avoid downloading APKs from outside Google Play and to ensure that Play Protect is always active on their devices.

Researchers discovered source code of malware revealing debug messages left by the developer(s), reveal Turkish speaking.

The Expanding Threat landscape with evolving Modern Malware’s

The Crocodilus malware designed to go after high valued assets that targets cryptocurrency wallets and Banks. These malware can make the defense line up of banking system weak and researchers advise to adopt a layered security approach that includes thorough device and behavior-based risk analysis on their customers’ devices.

Modern malware has the capability to break the security defenses of organization even if they are protected by cutting edge solutions to defend. As the threat landscape expand so are sophisticated attacks rising.

Modern malware can bypass most security solutions, including email filtering, anti-virus applications, sandboxing, and even IPS/IDS and sometime few file-less malware leaves no footprint on your computer and is executed exclusively in run-time memory.

In this sophisticated war against threat criminals enterprise security requires is taking services for active threat hunting and be diligent in scanning files meant for downloads.

To improve enterprise security the important aspects needs to be covered increase usage of multi-layer defenses. Protecting against modern malware is an ongoing effort, and rarely it is “set and forget.” Utilize multiple layers of security, including anti-virus software, network layer protection, secure web gateways, and other tools for best results.

Keep improving your security posture against modern malware is an ongoing effort and includes multiple layers of security. With anti-virus software, advanced network layer protection, secure web gateways, and other tools the security posture at enterprise level increases.

Remember your best defenses can be in trouble, so continue monitoring, adapt and train employees, while using comprehensive multi-layer approach to security.

Source: https://www.threatfabric.com/blogs/exposing-crocodilus-new-device-takeover-malware-targeting-android-devices