March 31, 2025
Severity
High
Analysis Summary
Crocodilus is a newly discovered Android banking malware that tricks users into revealing their cryptocurrency wallet seed phrases through social engineering. It presents a fake warning urging the user to back up their wallet key within 12 hours; as the user brings up the seed phrase, the malware captures it with an Accessibility Logger. This gives the attackers full control of the wallet and lets them drain its funds.
Researchers reported that Crocodilus is distributed via a proprietary dropper that bypasses the security protections introduced in Android 13 and later, evading Play Protect and the restrictions on Accessibility Service use. It primarily targets users in Turkey and Spain and shows signs of Turkish origin. The initial infection method is unclear but likely involves malicious websites, fake promotions, and third-party app stores.
Once installed, the malware abuses the Accessibility Service to monitor app activity and display fake overlays on top of banking and cryptocurrency apps to steal login credentials. It includes a bot component that supports 23 commands, including enabling call forwarding, sending mass SMS, requesting Device Admin privileges, and locking the screen.
Crocodilus also functions as a remote access trojan (RAT), allowing operators to control the device, perform navigation gestures, capture Google Authenticator codes, and activate a black screen overlay that hides the malicious activity from the user.
Though it currently targets Spain and Turkey, the malware may expand to other regions. To stay protected, Android users should avoid downloading APKs from untrusted sources and ensure Play Protect is always enabled.
Impact
- Financial Loss
- Credential Theft
Indicators of Compromise
Domain Name
- register-buzzy.store
MD5
- e80c4ffa4acd192981d142c435c52c49
SHA-256
- c5e3edafdfda1ca0f0554802bbe32a8b09e8cc48161ed275b8fec6d74208171f
SHA-1
- 009fd7faf9dc52fd96bbfde826bbb4058409b8b8
Remediation
- Avoid downloading APKs from untrusted sources, including third-party app stores.
- Keep Play Protect enabled to detect and block suspicious apps.
- Regularly update Android OS and security patches to mitigate vulnerabilities.
- Disable Accessibility Services for apps that don't require them.
- Be cautious of urgent warnings in cryptocurrency and banking apps.
- Use strong, unique passwords and enable multi-factor authentication (MFA).
- Monitor account activity and set up alerts for unauthorized transactions.
- Install a reputable mobile security app for additional protection.
- Avoid clicking on suspicious links from SMS, emails, or social media.
- Factory reset the device if infected and restore from a clean backup.
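As an added defender-side example (not code from the advisory or its source), the following Python reads the Android `enabled_accessibility_services` secure setting the way an administrator would pull it over adb, flags packages holding accessibility access that are not on an assumed allowlist, and checks an APK's hashes against the indicators listed above; the allowlist, the `com.example.fakewallet` package and the sample setting value are constructed assumptions.

```python
from __future__ import annotations
import hashlib
import subprocess

# Hashes quoted in the advisory's IoC section above.
IOC_HASHES = {
    "md5": {"e80c4ffa4acd192981d142c435c52c49"},
    "sha1": {"009fd7faf9dc52fd96bbfde826bbb4058409b8b8"},
    "sha256": {"c5e3edafdfda1ca0f0554802bbe32a8b09e8cc48161ed275b8fec6d74208171f"},
}
# Hypothetical allowlist: accessibility services a managed device is expected to run.
EXPECTED_SERVICES = {"com.google.android.marvin.talkback"}

def parse_enabled_services(raw: str) -> list[tuple[str, str]]:
    """Parse `settings get secure enabled_accessibility_services` output: colon-separated
    flattened ComponentNames, `pkg/.Service` (relative) or `pkg/full.Service`; `null` = none."""
    raw = raw.strip()
    if not raw or raw == "null":
        return []
    services = []
    for item in raw.split(":"):
        pkg, _, cls = item.partition("/")
        if cls.startswith("."):
            cls = pkg + cls  # expand relative class name
        services.append((pkg, cls))
    return services

def unexpected_services(raw: str, allowlist=EXPECTED_SERVICES) -> list[str]:
    """Packages holding accessibility access that are not on the allowlist."""
    return sorted({pkg for pkg, _ in parse_enabled_services(raw) if pkg not in allowlist})

def hash_matches(apk_bytes: bytes) -> list[str]:
    """Advisory hash types that match the given APK bytes (empty list if none)."""
    digests = {"md5": hashlib.md5(apk_bytes).hexdigest(),
               "sha1": hashlib.sha1(apk_bytes).hexdigest(),
               "sha256": hashlib.sha256(apk_bytes).hexdigest()}
    return [algo for algo, hx in digests.items() if hx in IOC_HASHES[algo]]

def check_device() -> list[str]:
    """Read the setting from a USB-attached device via adb and flag unexpected services."""
    cmd = ["adb", "shell", "settings", "get", "secure", "enabled_accessibility_services"]
    raw = subprocess.run(cmd, capture_output=True, text=True, check=True).stdout
    return unexpected_services(raw)

# Constructed sample of the setting's value, standing in for real adb output.
SAMPLE_SETTING = ("com.google.android.marvin.talkback/.TalkBackService:"
                  "com.example.fakewallet/.AccessibilityLogger")

if __name__ == "__main__":
    print(unexpected_services(SAMPLE_SETTING))  # ['com.example.fakewallet']
```

Run `check_device()` with a device attached and USB debugging enabled; any package it returns is worth reviewing against the advisory's remediation steps.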