A newly discovered Android malware dubbed Crocodilus tricks users into providing the seed phrase for their cryptocurrency wallet by displaying a warning urging them to back up the key to avoid losing access. [...]
Analysis Summary
# Tool/Technique: Crocodilus
## Overview
Crocodilus is a newly identified piece of Android malware designed specifically to steal cryptocurrency wallet keys and banking credentials from infected mobile devices. It does so by drawing fake overlays on top of legitimate app screens and by taking extensive control over the device's settings and communications.
## Technical Details
- Type: Malware family (Android Banking Trojan/RAT)
- Platform: Android
- Capabilities: Steals crypto wallet keys, intercepts banking credentials via overlays, full remote control (RAT), SMS manipulation, two-factor authentication code capture.
- First Seen: A specific first-appearance date is not provided in the source material; the malware is described only as "new."
## MITRE ATT&CK Mapping
*Note: Based on the described functionality, the following mappings are inferred:*
- **TA0001 - Initial Access**
  - T1189 - Drive-by Compromise (implied via malicious sites/third-party stores)
- **TA0005 - Defense Evasion**
  - T1453 - Overlay
- **TA0006 - Credential Access**
  - T1657 - Steal Application Access (targeting crypto/banking apps)
- **TA0007 - Discovery**
  - T1430 - Data from Local System (collecting wallet data/SMS)
- **TA0008 - Lateral Movement** (not explicitly detailed, but SMS forwarding/broadcast capability exists)
- **TA0011 - Command and Control**
  - T1433 - Encrypted Channel (inferred for C2 communication)
## Functionality
### Core Capabilities
* **Accessibility Service Hijacking:** Gains deep access via the Android Accessibility Service to monitor app launches, read screen content, and perform navigation gestures.
* **Overlay Attacks:** Loads fake screen overlays on top of legitimate banking or cryptocurrency applications to capture user inputs (credentials).
* **Remote Access Trojan (RAT) Functionality:** Allows operators to remotely interact with the device UI (tapping, swiping).
* **2FA Capture:** Specifically designed to take screenshots of the Google Authenticator application to capture One-Time Passwords (OTPs).
### Advanced Features
* **SMS Manipulation:** Can send SMS messages (to all contacts or specified numbers) and read incoming SMS messages, potentially bypassing MFA that relies on SMS.
* **Device Privilege Escalation:** Attempts to request Device Admin privileges.
* **Call Management:** Capable of enabling call forwarding.
* **Stealth Mechanisms:** Can activate a black screen overlay and mute the device during malicious actions to conceal activity from the victim.
* **App Launch Control:** Can launch specific applications on command.
## Indicators of Compromise
- File Hashes: [Not provided in context]
- File Names: [Droppers downloaded via malicious sites, fake promotions, or third-party stores (APKs)]
- Registry Keys: [Not applicable for Android, but persistence mechanisms would rely on system settings/permissions]
- Network Indicators: [Not explicitly detailed in context, but C2 communication is inferred]
- Behavioral Indicators:
  * Requesting and gaining access to Android Accessibility Service permissions.
  * Displaying overlays when targeted financial/crypto apps are active.
  * Attempting to secure Device Admin privileges.
  * Muting sound and displaying a black screen during operations.
## Associated Threat Actors
* Targeting has so far been observed in **Spain** and **Turkey**, suggesting actors focused on these regional user bases.
* [No named threat actor group mentioned in the context.]
## Detection Methods
- Signature-based detection: [Not provided in context, but signatures could target specific file characteristics or C2 traffic patterns.]
- Behavioral detection: Monitoring for any application requesting or misusing the **Accessibility Service** permission, especially when combined with UI interaction and screen overlay creation.
- YARA rules: [Not provided]
## Mitigation Strategies
* **Source Restriction:** Avoid downloading or installing application packages (APKs) from outside the official Google Play Store.
* **Security Settings:** Ensure **Google Play Protect** is always active and scanning the device.
* **Permission Auditing:** Regularly audit application permissions, paying close attention to the Accessibility Service and Device Administrator settings.
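A triage check for the behavioral indicators and the permission audit described above, written for this page as an added example (it is not from the original report or from any vendor tooling). It parses the text that `adb shell` returns for `settings get secure enabled_accessibility_services`, `pm list packages -3`, `appops get <pkg> SYSTEM_ALERT_WINDOW` and `dpm list-owners`, and flags sideloaded packages holding the privileges Crocodilus abuses. All package names and command outputs below are constructed, and the `dpm list-owners` line format is an assumption.

```python
import re

# Constructed sample output of: adb shell settings get secure enabled_accessibility_services
ENABLED_A11Y = ("com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:"
                "com.example.fakewallet/com.example.fakewallet.A11yService")
# Constructed sample output of: adb shell pm list packages -3   (third-party apps only)
THIRD_PARTY = "package:com.example.fakewallet\npackage:com.example.notes\n"
# Constructed sample output of: adb shell appops get <pkg> SYSTEM_ALERT_WINDOW, keyed by package
APPOPS = {"com.example.fakewallet": "SYSTEM_ALERT_WINDOW: allow; time=+2d3h15m",
          "com.example.notes": "No operations."}
# Constructed sample output of: adb shell dpm list-owners (format assumed; it varies by Android version)
DEVICE_ADMINS = "Device admin: ComponentInfo{com.example.fakewallet/com.example.fakewallet.AdminReceiver}\n"

def accessibility_packages(enabled: str) -> set[str]:
    """Packages whose accessibility service is on; the setting is a colon-separated pkg/class list."""
    return {entry.split("/", 1)[0] for entry in enabled.split(":") if entry}

def third_party_packages(pm_output: str) -> set[str]:
    """Package names from `pm list packages -3`, one 'package:<name>' per line."""
    return {line[len("package:"):].strip() for line in pm_output.splitlines() if line.startswith("package:")}

def overlay_allowed(appops_output: str) -> bool:
    """True when the app may draw over other apps, the permission behind fake login overlays."""
    return "SYSTEM_ALERT_WINDOW: allow" in appops_output

def device_admin_packages(dpm_output: str) -> set[str]:
    """Packages registered as device admins, taken from ComponentInfo{pkg/cls} tokens."""
    return set(re.findall(r"ComponentInfo\{([^/}]+)/", dpm_output))

def triage(enabled: str, pm_output: str, appops: dict[str, str], dpm_output: str) -> dict[str, list[str]]:
    """Map each third-party package to the risk flags it triggers; packages with no flags are omitted.
    Accessibility plus overlay on a sideloaded app is the combination the detection section singles out."""
    a11y, admins = accessibility_packages(enabled), device_admin_packages(dpm_output)
    findings: dict[str, list[str]] = {}
    for pkg in sorted(third_party_packages(pm_output)):
        flags = []
        if pkg in a11y:
            flags.append("accessibility-service")
        if overlay_allowed(appops.get(pkg, "")):
            flags.append("overlay")
        if pkg in admins:
            flags.append("device-admin")
        if flags:
            findings[pkg] = flags
    return findings

if __name__ == "__main__":
    for pkg, flags in triage(ENABLED_A11Y, THIRD_PARTY, APPOPS, DEVICE_ADMINS).items():
        print(f"{pkg}: {', '.join(flags)}")
```

System apps such as TalkBack legitimately hold accessibility access, which is why the check is restricted to the `pm list packages -3` set; a flagged package is a lead for manual review, not a verdict.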
## Related Tools/Techniques
* General Android Banking Trojans that utilize overlay techniques for credential harvesting.
* RAT tools capable of remote screen interaction.