Crocodilus Malware Steals Crypto Wallet Keys

Android users have long been the target of sophisticated banking trojan malware families. Some of the most prevalent threats, which have seen constant development and evolution, are Anatsa, Hook, and Octo. In a recent report by Threat Fabric, a new malware strain, Crocodilus, can be added to that list.

All of the malware families mentioned above have shown how effective they can be at stealing funds and sensitive data, especially when abusing overlays and Android's accessibility features.

Threat Fabric researchers determined that Crocodilus is not a clone but a fully-fledged threat from the outset, equipped with modern techniques such as remote control, black screen overlays, and advanced data harvesting via accessibility logging, as seen in more established Android-based banking trojans.

Crocodilus was discovered during threat-hunting operations conducted by Threat Fabric, who named the malware Crocodilus based on the use of "crocodile" by the malware's developer.

Researchers went on to state,

The Modus Operandi of Crocodilus is similar to what we expect from a modern Device Takeover banking Trojan. Initial installation is done via a proprietary dropper bypassing Android 13+ restrictions. Once installed, Crocodilus requests Accessibility Service to be enabled... Once granted, the malware connects to the command-and-control (C2) server to receive instructions, including the list of target applications and the overlays to be used. It runs continuously, monitoring app launches and displaying overlays to intercept credentials.

Initial campaigns discovered by researchers targeted Android users in Turkey and Spain. The malware also targets several cryptocurrency wallets, stealing wallet keys and siphoning off the cryptocurrency stored in them.

It should be noted that overlays targeting cryptocurrency wallets use social engineering to get the victim to do the work. Once a victim provides a password/PIN from the application, the overlay will display a message, "Back up your wallet key in the settings within 12 hours. Otherwise, the app will be reset, and you may lose access to your wallet."

This trick allows the threat actor to prompt the victim to enter their wallet seed phrase, allowing Crocodilus to harvest the text using its Accessibility Logger. With this information, attackers can seize full control of the wallet and drain it completely.

Researchers discovered that the first samples of Crocodilus contain the tag "sybupdate," which could be linked to a known threat actor in the mobile threat landscape, known as "sybra," that Threat Fabric had already observed operating one of the Ermac forks, called "MetaDroid," as well as using the Hook and Octo mobile malware.

This certainly does not prove a link between Crocodilus and "sybra" and is tenuous evidence at best. Still, it is possible that the developer of Crocodilus, being affiliated with "sybra," is testing a potential new product entering the mobile banking Trojan market.

Crocodilus Feature Set

In summary, Crocodilus supports a specific set of 32 commands, through which it is capable of carrying out functions including the following:

  • Enable call forwarding
  • Launch a specific application
  • Post a push notification
  • Send SMS to all contacts or a specified number
  • Get SMS messages
  • Request Device Admin privileges
  • Enable a black overlay
  • Enable/disable sound
  • Lock screen
  • Make itself the default SMS manager

Diving deeper into specific features, the malware boasts a keylogger. However, researchers argue it is more accurate to consider it an "Accessibility Logger." The malware monitors all of the infected device's Accessibility events and captures every element displayed on the screen. In this way, it effectively logs every text change a victim performs, making it a keylogger, but its capabilities go beyond key logging alone.
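Because Crocodilus depends on the victim granting it an Accessibility Service, one practical triage step for a suspect device is to list which packages currently hold that access. The following script is an added example, not code from Threat Fabric or this article; the allowlist, the sample setting value and the package names in it are constructed assumptions.

```shell
#!/bin/sh
# Triage helper for an Android device suspected of hosting an
# accessibility-abusing trojan: list enabled accessibility services whose
# package is not on an allowlist. Feed it the raw value of the secure setting
# "enabled_accessibility_services", which an analyst can capture with
#   adb shell settings get secure enabled_accessibility_services
# The value is a colon-separated list of ComponentName strings
# (package/fully.qualified.ServiceClass).

# Packages permitted to hold accessibility access on the device under review.
# Assumption: a fleet policy supplies this list; TalkBack is shown as an example.
ALLOWED_A11Y_PACKAGES="com.google.android.marvin.talkback"

# Prints one package name per line for every enabled accessibility service
# outside the allowlist. Prints nothing when every service is expected.
flag_unexpected_a11y_services() {
    raw="$1"
    old_ifs="$IFS"
    IFS=':'
    set -- $raw                        # split the setting on ':' into $1..$n
    IFS="$old_ifs"
    for component in "$@"; do
        [ -z "$component" ] && continue
        pkg="${component%%/*}"         # keep only the package part
        case " $ALLOWED_A11Y_PACKAGES " in
            *" $pkg "*) ;;             # allow-listed, stay quiet
            *) printf '%s\n' "$pkg" ;;
        esac
    done
    return 0
}

# Constructed sample dump (not a real Crocodilus indicator): TalkBack plus an
# unknown third-party package that has been granted accessibility access.
SAMPLE_A11Y_SETTING='com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:com.example.unknownapp/com.example.unknownapp.SvcA11y'

# Run stand-alone: prints the unexpected package, com.example.unknownapp
flag_unexpected_a11y_services "$SAMPLE_A11Y_SETTING"
```

Any package this prints deserves a closer look at its install source, requested permissions and whether it also holds Device Admin or the default SMS role, which are the other footholds described above.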

How Crocodilus conducts screen captures is of particular interest. Researchers stated,

RAT command "TG32XAZADG" triggers a screen capture on the content of the Google Authenticator application, and this too is done using the aforementioned Accessibility Logging capabilities. Crocodilus will enumerate all the elements displayed on the screen in the Google Authenticator app, capture the text displayed (the name of the OTP code, as well as its value) and send these to the C2, allowing timely theft of OTP codes for the operators of Crocodilus.

These stolen credentials allow the threat actor to take full control of a victim's device using built-in remote access, completing fraudulent transactions without detection. Crocodilus can also make any remote access "hidden" to further the goal of allowing complete device takeover.

This is done by displaying a black screen overlay on top of all the activities, effectively hiding the actions performed by the malware. Further, as part of this "hidden" activity, the malware also mutes the sound on the infected device to ensure fraudulent activities remain unnoticed by the victim.

In conclusion, Threat Fabric noted,

The emergence of the Crocodilus mobile banking Trojan marks a significant escalation in the sophistication and threat level posed by modern malware. With its advanced Device-Takeover capabilities, remote control features, and the deployment of black overlay attacks from its earliest iterations, Crocodilus demonstrates a level of maturity uncommon in newly discovered threats... Already observed targeting banks in Spain and Turkey and popular cryptocurrency wallets, Crocodilus is clearly engineered to go after high-value assets.

Karolis Liucveikis

Experienced software engineer, passionate about behavioral analysis of malicious apps

Author and general operator of PCrisk's News and Removal Guides section. Co-researcher working alongside Tomas to discover the latest threats and global trends in the cyber security world. Karolis has over 8 years of experience in this field. He attended Kaunas University of Technology and graduated with a degree in Software Development in 2017. Extremely passionate about the technical aspects and behavior of various malicious applications.
