Crocodilus, the new malware that is taking control of mobile phones in Spain

Our mobile phones have, for several reasons, become the main targets and victims of cyber attacks. Their almost permanent connectivity, the ease with which they join open Wi-Fi networks, the number of third-party (and not always safe) applications they hold and their ability to open files from many sources all work in the cybercriminals' favour. The most recent threat is Crocodilus.

Discovered by the cybersecurity company ThreatFabric, it comes equipped with modern techniques such as remote control, black-screen overlays and advanced data collection through accessibility logging.

“During routine threat-hunting operations, our intelligence analysts found samples never seen before”, explains a ThreatFabric blog post. The analysis revealed a completely new malware family, which the researchers baptised Crocodilus “based on the references left by the developers, who call it Crocodile”.

Despite being new, it already includes all the hallmark features of modern banking malware: overlay attacks, keylogging, remote access and hidden remote-control functions.

Crocodilus's modus operandi is what we would expect from a modern device-takeover banking trojan. The initial installation is carried out by a dropper (a small installer app whose only job is to deliver and install the real malicious payload) that bypasses the restrictions Android 13 and later place on sideloaded apps, restrictions meant to stop exactly this kind of app from being granted accessibility-service access.

Once installed, Crocodilus requests accessibility-service permission, connects to its command-and-control server and begins receiving instructions, including the list of target applications. It runs continuously, monitoring application launches, and is able to intercept credentials.

“The initial campaigns observed by our mobile threat intelligence team”, the experts explain, “show targets mainly in Spain and Türkiye, together with several cryptocurrency wallets. We expect this scope to expand globally as the malware evolves.”

Crocodilus also monitors all accessibility events and captures every element displayed on screen. In this way it effectively logs every text change the victim makes, which makes it a keylogger, but its capabilities go well beyond simple keylogging.

It can also trigger a capture of the Google Authenticator app's screen content, again through the accessibility logging described above. Crocodilus enumerates every element displayed in the Google Authenticator app and captures the text shown (the name of each OTP entry and its current value), which lets the operators steal OTP codes. In short, it sees every credential and authentication change on the phone and forwards it to the criminals.

With personally identifiable information (PII) and stolen credentials in hand, the criminals can take full control of the victim's device through the built-in remote access and complete fraudulent transactions without being detected.

One remarkable detail makes Crocodilus particularly… “creative”: once the victim enters a password or PIN in the application, the overlay shows the message “Back up your wallet key in the settings within 12 hours. Otherwise, the app will reset and you could lose access to your wallet.”

This social-engineering trick steers the victim to their seed phrase (the wallet key), which lets Crocodilus harvest the text with its accessibility logger. With that phrase, the attackers can take full control of the wallet and empty it completely.
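As an added illustration of the defensive counterpart to the accessibility abuse described in the paragraphs above (the target-app monitoring, the screen-element scraping and the seed-phrase lure), here is example code written for this article; it is not ThreatFabric's code nor that of any wallet or banking app. A wallet app can refuse to render its seed phrase or OTP screen while an accessibility service it does not recognise is enabled, and can keep the sensitive view out of the accessibility node tree that such a service enumerates. The class name, the allowlist contents and the on-screen message are assumptions made for the example.

```java
import android.accessibilityservice.AccessibilityServiceInfo;
import android.content.Context;
import android.view.View;
import android.view.accessibility.AccessibilityManager;
import android.widget.TextView;

import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashSet;
import java.util.List;
import java.util.Set;

/** Example hardening for a screen that displays a seed phrase or OTP (illustrative, not production code). */
public final class AccessibilityGuard {

    // ASSUMED allowlist: assistive services the app tolerates, keyed by the
    // "package/service.class" id that AccessibilityServiceInfo.getId() returns.
    // A real app would maintain this list carefully (screen readers, switch access, etc.).
    private static final Set<String> KNOWN_SERVICES = new HashSet<>(Arrays.asList(
            "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService"
    ));

    private AccessibilityGuard() {}

    /** Returns the ids of currently enabled accessibility services that are not on the allowlist. */
    public static List<String> unexpectedServices(Context ctx) {
        List<String> unexpected = new ArrayList<>();
        AccessibilityManager am =
                (AccessibilityManager) ctx.getSystemService(Context.ACCESSIBILITY_SERVICE);
        if (am == null || !am.isEnabled()) {
            return unexpected; // no accessibility service active at all
        }
        // FEEDBACK_ALL_MASK: enumerate every enabled service regardless of its declared feedback type.
        for (AccessibilityServiceInfo info :
                am.getEnabledAccessibilityServiceList(AccessibilityServiceInfo.FEEDBACK_ALL_MASK)) {
            String id = info.getId();
            if (id != null && !KNOWN_SERVICES.contains(id)) {
                unexpected.add(id);
            }
        }
        return unexpected;
    }

    /**
     * Removes a view and all of its descendants from the accessibility node tree,
     * so a service walking the tree (as described for the Authenticator scraping) does not
     * get the text of this view handed to it.
     */
    public static void hideFromAccessibility(View sensitive) {
        sensitive.setImportantForAccessibility(View.IMPORTANT_FOR_ACCESSIBILITY_NO_HIDE_DESCENDANTS);
    }

    /**
     * Renders the seed phrase only if no unknown accessibility service is enabled.
     * Returns true when the phrase was shown, false when the screen was blocked.
     */
    public static boolean showSeedPhrase(Context ctx, TextView target, String seedPhrase) {
        List<String> unexpected = unexpectedServices(ctx);
        if (!unexpected.isEmpty()) {
            // Assumed wording; a real app would also log the offending service ids for support/IR.
            target.setText("Backup unavailable: an unrecognised accessibility service is enabled.");
            return false;
        }
        hideFromAccessibility(target);
        target.setText(seedPhrase);
        return true;
    }
}
```

Call `showSeedPhrase()` from the backup screen instead of setting the text directly, and re-run the check in `onResume()`, since a service can be enabled while the app is in the background. Two caveats a practitioner should keep in mind: a device on which a malicious accessibility service is already enabled is compromised, so this check only raises the bar and protects the single most valuable secret; and `IMPORTANT_FOR_ACCESSIBILITY_NO_HIDE_DESCENDANTS` removes the view from the node tree but is not a substitute for never putting the seed phrase on screen longer than necessary.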

“The emergence of Crocodilus marks a significant step up in the sophistication and threat level of modern malware”, the report concludes. “With its advanced device-takeover capabilities, remote-control functions and the deployment of black overlay attacks from its very first iterations, Crocodilus demonstrates a level of maturity that is rare in newly discovered threats.”

Prevention? Do not connect automatically to public Wi-Fi networks, do not download files from unknown sources (let alone open them), and confirm with the contact that they really did send us a document. Given how Crocodilus works, the most important habit is not to grant accessibility-service access to any app that does not genuinely need it, and to treat such a request from a freshly sideloaded app as a red flag.