Cybersecurity researchers have identified a new Android banking malware named Crocodilus, which primarily targets users in Spain and Turkey
According to ThreatFabric, Crocodilus is not just another malware variant but a sophisticated, fully developed threat equipped with modern techniques such as remote control, black screen overlays, and advanced data harvesting through accessibility logging.
Like other banking trojans, Crocodilus enables device takeover (DTO) to facilitate fraudulent transactions. Analysis of its source code and debug messages suggests that the malware's creator is Turkish-speaking. It disguises itself as Google Chrome (with the package name: "quizzical.washbowl.calamity") and functions as a dropper capable of bypassing Android 13+ security restrictions.
Once installed, the app requests accessibility service permissions, allowing it to communicate with a remote command-and-control (C2) server. The malware then receives instructions, a list of financial applications to target, and HTML overlays designed to steal user credentials.
Crocodilus also targets cryptocurrency wallets using an overlay that does not display a fake login page. Instead, it shows a deceptive alert warning victim to back up their seed phrases within 12 hours, or they risk losing access to their wallets. This is a social engineering trick designed to lure victims into revealing their seed phrases, which the malware then captures via accessibility service abuse. With this information, attackers gain full control of the wallets and drain their assets.
ThreatFabric explains that the malware runs continuously, monitoring app launches and using overlays to intercept login credentials. It tracks all accessibility events and records everything displayed on the screen. Additionally, it can capture screen contents from Google Authenticator, compromising multi-factor authentication (MFA) security.
One of its more stealthy capabilities include displaying a black screen overlay and muting system sounds, ensuring that its activities remain undetected by victims.
Key features of Crocodilus:
- Launch specified applications
- Self-removal from the device
- Post push notifications
- Send SMS messages to selected/all contacts
- Retrieve contact lists
- Access installed applications
- Read SMS messages
- Request Device Admin privileges
- Enable black overlay attacks
- Modify C2 server settings
- Enable/disable sound
- Enable/disable keylogging
- Set itself as the default SMS manager
ThreatFabric warns that Crocodilus represents a major leap in mobile banking malware sophistication. Unlike most newly discovered trojans, it immediately deploys advanced device takeover techniques, remote control features, and black overlay attacks, making it a highly mature and dangerous threat.
This discovery coincides with a phishing campaign uncovered by Forcepoint, where cybercriminals use tax-themed scams to distribute the Grandoreiro banking trojan. This Windows-targeted malware is spreading in Mexico, Argentina, and Spain via obfuscated Visual Basic scripts.
Found this article interesting? Follow us on X(Twitter) and FaceBook to read more exclusive content we post.
