A newly discovered Android Trojan named Crocodilus has been found targeting users primarily in Spain and Turkey. The malware operates by gaining access to Android’s Accessibility Services, which are typically reserved for aiding people with disabilities. Once installed, Crocodilus can monitor app launches, track activities, and trigger overlays to intercept sensitive data, such as banking and cryptocurrency credentials. The malware uses a dropper to bypass Android’s security restrictions and evade detection by Play Protect.
Crocodilus is designed to facilitate device takeover and steal valuable credentials by monitoring all accessibility events. It can show fake overlays that simulate login screens to capture banking and crypto wallet details. For cryptocurrency wallets, it uses a social engineering tactic, tricking users into revealing their seed phrases through a warning to back up their keys. This allows attackers to seize full control over the wallets, draining their contents.
The malware operates with advanced features that enable remote control of infected devices.
It can perform actions such as sending SMS messages, launching specific applications, and taking screenshots, including capturing Google Authenticator codes for two-factor authentication. Additionally, it can display a black screen overlay and mute sounds to conceal malicious activities from the victim.
These tactics ensure that the malware’s actions remain unnoticed while performing fraud.
Although Crocodilus is currently targeting users in Spain and Turkey, it could soon expand to other regions. The malware’s evolving capabilities pose a significant threat to Android users, especially those who download APK files from third-party sources. Researchers urge users to avoid such downloads and ensure Play Protect is active on their devices to prevent infection.