Vicious Crocodilus Malware Has Evolved And It's Bad News For Android Users

Crocodilus, a relatively new banking trojan targeting Android devices, has continued to evolve since it was first spotted back in March by the Mobile Threat Intelligence team at Threat Fabric. The improvements aim to make the malware harder to detect while also adding new features. Additionally, the threat actors deploying this malware have started to expand to other parts of the globe.

If malware makers want their wares to remain viable, those wares need to be difficult to detect. The developers behind Crocodilus did just that with its latest variant. Its payload has received an added layer of XOR encryption, while junk code has been tossed in for good measure to make it more difficult to reverse engineer. Moreover, it now uses a technique called code packing, which uses compression as well as encryption to obscure its file signature.


However, the changes to the malware have gone beyond just making it harder to detect. It has some new features that make it more capable, too. One of the new features is the ability to make changes to the victim’s contacts, which the researchers believe is used by attackers to add an entry such as “Bank Support” to help with fooling victims into thinking it’s legitimate outreach from a bank. Its ability to scan for and find cryptocurrency seed phrases and private keys has also been enhanced with better parsers.

While Crocodilus was first used to target victims in Turkey, its reach has now spread to several other countries. The threat researchers have found campaigns involving this malware across the globe, including countries in Europe, North America and South America, although the campaigns outside of Turkey have been much smaller in scale. Threat actors have also been leveraging ads on Facebook to spread Crocodilus.

Malware these days often spreads through ad campaigns that direct victims to websites controlled by attackers. Users should therefore avoid installing apps from unknown sources and stick to the Google Play Store, or risk having their bank accounts or cryptocurrency wallets emptied.