
Crocodilus Android Trojan

A newly discovered Android malware, dubbed Crocodilus, has emerged as a serious threat to cryptocurrency holders and banking app users. Researchers at ThreatFabric uncovered this advanced malware, which employs sophisticated social engineering tactics and device takeover techniques to steal sensitive financial data.

Crocodilus operates as a banking Trojan but distinguishes itself with fully developed remote control capabilities. The malware is distributed through a proprietary dropper that bypasses security restrictions introduced in Android 13 and later. It evades Google Play Protect and exploits Accessibility Service permissions to gain extensive control over infected devices.

Once installed, Crocodilus monitors app activity, particularly cryptocurrency wallets and banking apps. It overlays fake warning messages that urge users to back up their wallet seed phrases within 12 hours or risk losing access. Victims, unaware of the deception, follow the instructions, inadvertently exposing their private keys. With this information, attackers can take full control of the wallet and drain funds.

The malware comes equipped with a range of functionalities, making it a formidable threat:
  • Overlay Attacks: Crocodilus intercepts login credentials by placing fraudulent overlays on legitimate banking and cryptocurrency applications.
  • Accessibility Logger: It captures on-screen text, effectively functioning as a keylogger.
  • Remote Access Trojan (RAT): Attackers can perform navigation gestures, simulate user interactions, and steal one-time passwords (OTPs) from authentication apps like Google Authenticator.
  • Device Takeover: The malware can mute the device and apply a black screen overlay to conceal malicious activity.
  • SMS Manipulation: It can send messages, read texts, and set itself as the default SMS manager to intercept authentication codes.
  • Call Forwarding & Locking: The malware can enable call forwarding and even lock the device remotely.
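The capabilities listed above depend on a small set of Android privileges held together: an enabled Accessibility Service plus overlay, SMS and telephony access. The following triage heuristic is an added example written for this page, not ThreatFabric's tooling or code from the page; the permission names are real Android identifiers, but the `AppRecord` layout, the capability mapping and the inventory entries are constructed assumptions.

```python
from dataclasses import dataclass

# Published SHA256 of the Crocodilus sample (from this page's signature section).
CROCODILUS_SHA256 = "c5e3edafdfda1ca0f0554802bbe32a8b09e8cc48161ed275b8fec6d74208171f"

# Android privileges behind the capabilities this page lists. The permission
# strings are real Android identifiers; mapping them to capabilities is ours.
OVERLAY_PERM = "android.permission.SYSTEM_ALERT_WINDOW"      # overlay attacks
SMS_PERMS = {"android.permission.RECEIVE_SMS", "android.permission.SEND_SMS"}
CALL_PERMS = {"android.permission.CALL_PHONE"}               # call forwarding


@dataclass
class AppRecord:
    """Constructed inventory entry, e.g. assembled from `adb shell dumpsys package`."""
    package: str
    permissions: set
    accessibility_enabled: bool = False   # present in enabled_accessibility_services
    default_sms_app: bool = False         # app currently holds the SMS role
    apk_sha256: str = ""


def triage(app: AppRecord) -> list:
    """Return the reasons an app matches the Crocodilus capability profile."""
    if app.apk_sha256.lower() == CROCODILUS_SHA256:
        return ["ioc: apk hash matches published Crocodilus sample"]
    reasons = []
    # Every device-takeover feature described hinges on an enabled accessibility
    # service; without it the other privileges are common in benign apps.
    if not app.accessibility_enabled:
        return reasons
    if OVERLAY_PERM in app.permissions:
        reasons.append("accessibility + overlay: credential-harvesting overlay possible")
    if app.default_sms_app or app.permissions & SMS_PERMS:
        reasons.append("accessibility + SMS access: OTP interception possible")
    if app.permissions & CALL_PERMS:
        reasons.append("accessibility + telephony: call forwarding possible")
    return reasons


# Constructed inventory: one ordinary wallet app, one matching the profile.
SAMPLE_INVENTORY = [
    AppRecord("com.example.wallet", {"android.permission.INTERNET"}),
    AppRecord("com.example.dropper", {OVERLAY_PERM, "android.permission.RECEIVE_SMS"},
              accessibility_enabled=True, default_sms_app=True),
]

if __name__ == "__main__":
    for app in SAMPLE_INVENTORY:
        print(app.package, triage(app) or "clean")
```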

Crocodilus Android Trojan Signatures

Family: HEUR:Trojan-Banker.AndroidOS.Agent.eq
MD5: e80c4ffa4acd192981d142c435c52c49
SHA256: c5e3edafdfda1ca0f0554802bbe32a8b09e8cc48161ed275b8fec6d74208171f

Crocodilus Android Trojan Download

Download Crocodilus Android Trojan Sample
