A new mobile malware tool that security vendors are tracking as “Crocodilus” is stealthily slithering onto Android devices around the world via fake banking apps, phony browser updates, and malicious ads promising fake rewards.
ThreatFabric’s mobile threat intelligence team firm spotted Crocodilus in test campaigns in March and shortly after in live campaigns that mainly targeted Android users in Turkey. Since then, the malware has surfaced on devices in Poland, Spain, South America, and parts of Asia, signaling a sharp uptick in both its reach and sophistication.
Updated Features
The malware now has an updated feature set, which includes the ability to create new contacts in the victim’s address book, likely for social engineering, and to automatically harvest cryptocurrency wallet seed phrases from infected Android devices.
“The latest campaigns involving the Crocodilus Android banking Trojan signal a concerning evolution in both the malware’s technical sophistication and its operational scope,” ThreatFabric said in a blog post this week. “With newly added features, Crocodilus is now more adept at harvesting sensitive information and evading detection.” Notably, the malware has also, in the process, evolved from a regional to a truly global threat, the security vendor said.
The Android ecosystem faces a rising tide of malware like Crocodilus. In many instances threat actors have sneaked them onto Android devices via malicious apps on Google’s official Android Play mobile app store. Last October, Zscaler disclosed finding as many as 200 such apps on Play — with a staggering 8 million installs worldwide — stealing financial and other sensitive data from infected devices. In other instances — as with Crocodilus — attackers have lured users to malware infected sites or to click on malware-triggering attachments and links to drop Android malware. Another tactic — especially among vendors of cheap Android devices — has been to preload malware on the phones before making them available in the market.
In response, Google has been constantly strengthening its Google Play Protect built-in Android security feature that scans apps for malware and harmful behavior and aiming to keep devices safe by detecting and blocking threats in real time. Last year, according to Google, its efforts helped prevent some 2.36 million malicious and other potentially harmful apps from being published on Google Play and resulted in some 158,000 developer accounts being banned.
Adapting and Evolving
Still, Crocodilus is the latest reminder of malware authors continuing to adapt and trying to find new ways to slip past Google’s defenses and infect Android devices. Over the months it has been active, the malware’s authors have added features to make Crocodilus harder to detect. These include code packing for both the dropper and the payload, added layers of encryption to obscure its behavior, and intentionally tangled, obfuscated code designed to frustrate reverse engineering efforts. Also recent, according to ThreatFabric, is the malware’s ability to modify the user’s contact list on infected devices by adding a phone number with a convincing sounding name, like “Bank Support,” the security vendor said.
Once installed, Crocodilus actively monitors for financial apps and overlays them with counterfeit login screens to harvest credentials. Crocodilus also now includes a seed phrase collector, using accessibility and pattern matching to extract wallet keys directly from a user’s screen. “As Crocodilus continues to evolve, organizations and users alike must stay vigilant and adopt proactive security measures to mitigate the risks posed by this increasingly sophisticated malware,” ThreatFabric said.
