The new Android Trojan Crocodilus abuses accessibility for theft of banking and credentials credentials

29. Marta 2025Ravie LakshmanaanThreat Intelligence / Mobile Security

Researchers with cyber-ciberia have discovered new Android banking Malware Crocodilus This is primarily designed to target users in Spain and Turkey.

“Crocodilus enters the scene not as a simple clone, but as a completely test threat from the very beginning, equipped with modern techniques such as the remote control, covering the black screen and advanced data data via accessibility” said.

Code other Bank trojans Mildness is competition, it is designed to facilitate the download of the device (Dto) and finally carry out a false transaction. The analysis of the source code and error removal reveals that the author of the Malicial Software is Turkish speaking.

Crocodilus artifacts analyzed the Dutch mobile security company Maskuerade as Google Chrome (package name: “kuizzical.vashbovl.calamites”), which acts like a drop Bypass Android 13+ Restrictions.

Once installed and launched, the application requires an Android accessibility services, after which contact with remote server is established, a list of financial applications that will be targeted, and HTML covers are used for credentials.

Crocodilus is also capable of targeting the scribe crippouts, displays a login message, calling a warning message to support their seed phrases within 12 or inches to lose access to their wallets.

This social engineering trick is nothing but the matches of threatening actors who will run to their seed phrases, which are then harvested by the abuse of accessibility services, thus allowing them to receive full wallet control and discharge and discharges.

“It works continuously, tracking the application starts and displays covering to intercept credentials,” the threat file said. “Malware follows all accessibility events and records all the elements displayed on the screen.”

This allows malware to report all activities that victims perform victims on the screen, as well as running the capture of the Google Authenticator content screen.

Another characteristic of the crocodilus is its ability to cover up malicious actions on the device by displaying a black screen cover, as well as shutdown sounds, ensuring that victims remain unnoticed victims.

Some of the important features that support malicious software are listed below –

• Start a specific application
• Independent removal from the device
• Send the key
• Send SMS to everyone / Select Contacts
• Download Contacts lists
• Get a list of installed applications
• Get SMS messages
• Request the Privileges of the Admin
• Enable black covering
• Update the C2 server settings
• Enable / Disable Sound
• Enable / Disable Keilogging
• Default SMS Manager is made

“The occurrence of crocodilus mobile banking Trojan signifies significant escalation in sophistication and the level of threats set by modern malware,” said threat file.

“With its more advanced options for downloading devices, remote control functions and arranging the black overlap from its earliest iterations, the crocodilus shows the level of maturity unusual in newly discovered threats.”

Development comes as in force discovered PHISHING campaign details that has revealed to employing the settings for distribution Grandoreiro Banking Trojan Targeting Windows users in Mexico, Argentina and Spain through an overwhelming visual basic script.