Spotlight on Crocodilus, the new virus looking to loot your bank account and steal your crypto


ThreatFabric researchers have identified a new virus targeting Android smartphones. Dubbed Crocodilus, the malware is designed to steal money from its victims, whether from their bank accounts or from their cryptocurrency holdings on the blockchain.

First and foremost, Crocodilus is banking malware. Like Anatsa, Octo, and Hook, it is designed to steal banking credentials from its targets. Once the credentials are obtained, the attackers can log into the victim's bank account and make fraudulent withdrawals.

Crocodilus' modus operandi for siphoning off your money

To achieve this, the virus overlays a window imitating the bank's interface on top of the official application. Convinced that they are using their bank's app, the user enters their credentials, unaware that they are walking straight into the attackers' trap. Crocodilus "runs continuously, monitoring application launches and displaying overlays to intercept credentials." It is also capable of recording everything the victim types.

Similarly, the malware tricks users into handing over the private keys to their cryptocurrency wallets. With these, the attacker is free to take control of a wallet and transfer all of its digital assets to a wallet they control.

As ThreatFabric explains, the virus relies on social engineering to convince the target to share their valuable private keys. Here again, Crocodilus uses a fake window to fool the crypto holder. The window asks users to "save their wallet key in the settings within 12 hours", or else risk losing access to their funds in a reset. Under this pressure, the target navigates to their keys, giving the cybercriminals ample opportunity to capture them through the malware.

Two-factor authentication in danger

The malware is also unusually comprehensive, supporting around twenty other malicious commands. According to the researchers, Crocodilus can send text messages to all of its target's contacts, intercept calls, mute the sound, lock the screen, or launch a specific application from among the apps installed on the phone. Finally, it can take screenshots of the Google Authenticator application, which allows it to capture the one-time codes used for multi-factor authentication.

To get onto its targets' smartphones, Crocodilus spreads through applications shared on the web. This fraudulent application, distributed as an APK, acts as a dropper: its sole purpose is to install the virus while bypassing Android's security mechanisms. For now, the virus is primarily targeting customers of Spanish and Turkish banks, and cryptocurrency investors residing in those two countries.

Source: Threat Fabric
