Full Report
Cybersecurity researchers have discovered a new Android banking malware called Crocodilus that's primarily designed to target users in Spain and Turkey. "Crocodilus enters the scene not as a simple clone, but as a fully-fledged threat from the outset, equipped with modern techniques such as remote control, black screen overlays, and advanced data harvesting via accessibility logging,"
Analysis Summary
# Tool/Technique: Crocodilus
## Overview
Crocodilus is a new, fully-fledged Android banking Trojan designed primarily to target users in Spain and Turkey. Its main objective is to achieve Device Takeover (DTO) and conduct fraudulent financial transactions. It achieves this by leveraging sophisticated techniques, most notably the abuse of Accessibility Services.
## Technical Details
- Type: Malware family (Banking Trojan)
- Platform: Android (specifically mentioned as capable of bypassing restrictions on Android 13+)
- Capabilities: Remote control, black screen overlays, advanced data harvesting via accessibility logging, credential stealing via HTML overlays, cryptocurrency wallet takeover.
- First Seen: Information not explicitly stated in the text, but the article is dated March 29, 2025.
## MITRE ATT&CK Mapping
The primary mechanism described involves abusing the Accessibility Service, which provides high levels of system control:
- **TA0005 - Defense Evasion**
- **T1484 - Hide Artifacts** (Implied through techniques like displaying black screen overlays to conceal actions)
- **TA0010 - Collection**
- **T1430 - Input Capture**
- **T1430.001 - Keylogging** (Implied by monitoring and capturing all accessibility events)
- **T1485 - Screen Capture** (The text explicitly mentions the ability to trigger a screen capture of the Google Authenticator app)
- **TA0008 - Lateral Movement** (Achieved via DTO)
- **TA0011 - Command and Control**
- **T1429 - Remote Access Software** (Implied by remote control capabilities)
*Note: The core mechanism relies heavily on abusing permissions granted through Accessibility Services, which maps broadly across Collection and Defense Evasion tactics.*
## Functionality
### Core Capabilities
- **Accessibility Service Abuse:** Monitors all accessibility events to log victim activities and capture displayed screen elements, effectively stealing credentials from overlaid forms.
- **Overlay Attacks:** Deploys HTML overlays on legitimate financial applications to harvest login credentials.
- **Cryptocurrency Wallet Targeting:** Uses a social engineering ploy (alerting victims to back up seed phrases) to trick users into navigating to seed phrase entry fields, which are then harvested.
- **Device Control:** Can launch specified applications and request Device Admin privileges.
### Advanced Features
- **Concealment:** Displays a black screen overlay and mutes sounds during malicious activities to ensure victim unawareness.
- **Self-Removal:** Capability to delete itself from the device.
- **Data Exfiltration:** Can send SMS messages to selected contacts and retrieve contact lists and SMS messages.
- **Persistence/Updates:** Can update its Command and Control (C2) server settings.
- **SMS Management:** Can make itself the default SMS manager.
## Indicators of Compromise
- File Hashes: [Not available in the provided text]
- File Names: Commonly masquerades as **Google Chrome**.
- Package Name (Example): `quizzical.washbowl.calamity`
- Registry Keys: [Not applicable/Not available for Android]
- Network Indicators: Contacts a remote server upon installation to receive instructions, target lists, and overlays. [Specific C2 server addresses are not given in the provided text]
- Behavioral Indicators: Requests Accessibility Service permission; monitors and logs accessibility events; displays black screen overlays; attempts to elevate privileges via Device Admin.
## Associated Threat Actors
- Threat actors are suspected to be **Turkish-speaking**, based on analysis of source code and debug messages.
## Detection Methods
Detailed hashes or specific signatures were not provided in the text, so detection efforts should focus on the following:
- Signature-based detection: Not specified.
- Behavioral detection: Monitoring for applications requesting **Accessibility Service** permissions, especially when coupled with actions like disabling sound, enabling black screen overlays, or attempting to set itself as the default SMS manager.
- YARA rules: [Not available in the provided text]
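The behavioral indicators above (an Accessibility Service grant followed by muting audio, showing an overlay, requesting the default SMS role or Device Admin, plus a "Google Chrome" label on a non-Chrome package) can be turned into a simple correlation check. The script below is an added example, not code from the source report or from any vendor; the log line format and the package `com.example.screenreader` are constructed for illustration, while `quizzical.washbowl.calamity` is the example package name from the report and `com.android.chrome` is Chrome's real package name. The second function audits the value of the `enabled_accessibility_services` secure setting (as returned by `adb shell settings get secure enabled_accessibility_services`) against an allowlist, which supports the "deny Accessibility permissions" mitigation.

```python
import re
from collections import defaultdict

# Chrome's real package name; a "Google Chrome" label on any other package is
# the masquerade the report describes.
CHROME_PACKAGE = "com.android.chrome"

# Follow-on behaviours from the report that, together with an Accessibility
# Service grant, characterise a Crocodilus-style device-takeover trojan.
FOLLOW_ON_EVENTS = {
    "AUDIO_MUTED",
    "OVERLAY_SHOWN",
    "DEFAULT_SMS_ROLE_REQUESTED",
    "DEVICE_ADMIN_REQUESTED",
}

# Constructed sample feed. The line format is hypothetical (timestamp, package,
# app label, event) and does not correspond to any specific MDM/EDR product.
SAMPLE_LOG = """\
2025-03-29T10:00:01Z pkg=quizzical.washbowl.calamity label="Google Chrome" event=INSTALLED
2025-03-29T10:00:05Z pkg=quizzical.washbowl.calamity label="Google Chrome" event=ACCESSIBILITY_SERVICE_ENABLED
2025-03-29T10:00:06Z pkg=quizzical.washbowl.calamity label="Google Chrome" event=AUDIO_MUTED
2025-03-29T10:00:07Z pkg=quizzical.washbowl.calamity label="Google Chrome" event=OVERLAY_SHOWN
2025-03-29T10:00:09Z pkg=quizzical.washbowl.calamity label="Google Chrome" event=DEVICE_ADMIN_REQUESTED
2025-03-29T10:01:00Z pkg=com.example.screenreader label="Screen Reader" event=ACCESSIBILITY_SERVICE_ENABLED
2025-03-29T10:02:00Z pkg=com.android.chrome label="Chrome" event=OVERLAY_SHOWN
"""

LINE_RE = re.compile(
    r'^(?P<ts>\S+) pkg=(?P<pkg>\S+) label="(?P<label>[^"]*)" event=(?P<event>\S+)$'
)


def parse_log(text):
    """Parse feed lines into dicts with ts/pkg/label/event; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            records.append(m.groupdict())
    return records


def triage(records, min_follow_on=2):
    """Return {package: [reasons]} for packages matching the behavioural profile.

    A package is flagged when it enabled an Accessibility Service AND showed at
    least `min_follow_on` of the follow-on behaviours, or when its label claims
    to be Chrome while its package name is not Chrome's.
    """
    by_pkg = defaultdict(lambda: {"label": "", "events": set()})
    for r in records:
        by_pkg[r["pkg"]]["label"] = r["label"]
        by_pkg[r["pkg"]]["events"].add(r["event"])

    findings = {}
    for pkg, info in by_pkg.items():
        reasons = []
        if "ACCESSIBILITY_SERVICE_ENABLED" in info["events"]:
            follow_on = sorted(info["events"] & FOLLOW_ON_EVENTS)
            if len(follow_on) >= min_follow_on:
                reasons.append("accessibility grant followed by " + ", ".join(follow_on))
        if "chrome" in info["label"].lower() and pkg != CHROME_PACKAGE:
            reasons.append(f"label {info['label']!r} impersonates Chrome (package is not {CHROME_PACKAGE})")
        if reasons:
            findings[pkg] = reasons
    return findings


def audit_accessibility_setting(setting_value, allowlist):
    """Return enabled accessibility services whose package is not allowlisted.

    `setting_value` is the string from
    `adb shell settings get secure enabled_accessibility_services`: entries of
    the form package/ServiceClass separated by ':', or "null" when none is set.
    """
    if setting_value.strip() in ("", "null"):
        return []
    entries = [e for e in setting_value.strip().split(":") if e]
    return [e for e in entries if e.split("/", 1)[0] not in allowlist]


if __name__ == "__main__":
    for pkg, reasons in triage(parse_log(SAMPLE_LOG)).items():
        print(pkg)
        for reason in reasons:
            print("  -", reason)
    # Constructed setting value for the audit; the service class names are made up.
    sample_setting = "com.example.screenreader/.ReaderService:quizzical.washbowl.calamity/.MainService"
    print(audit_accessibility_setting(sample_setting, {"com.example.screenreader"}))
```

With the sample feed, only `quizzical.washbowl.calamity` is flagged (for both the behavioural chain and the Chrome masquerade); the legitimate screen reader, which only requested accessibility, and the real Chrome package are not. The threshold `min_follow_on=2` is an assumed tuning knob, not a value from the report.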
## Mitigation Strategies
- **Deny Accessibility Permissions:** Advise users against granting Accessibility Service permissions to non-official or suspicious applications.
- **Application Sourcing:** Only install applications from the official Google Play Store.
- **User Vigilance:** Educate users to be wary of unsolicited alerts regarding financial or crypto wallets (e.g., seed phrase backup urgencies).
- **System Hardening:** Ensure devices are running the latest Android versions to benefit from improved security restrictions (such as those introduced in Android 13+).
## Related Tools/Techniques
- Other Android **banking trojans** that focus on Device Takeover (DTO).
- Malware leveraging **overlay attacks** and **accessibility abuse** (e.g., Octo and Brokewell, which the source mentions in this context).