The zLabs team investigated the Crocodilus malware campaign, uncovering new Dropper Trojans and Banker samples that utilize advanced techniques for device takeover, including native code for payload execution. This malware is capable of executing banking fraud and credential harvesting while remaining stealthy. Affected: Android devices
Keypoints :
- Crocodilous is a sophisticated Android banking trojan.
- Investigation revealed 17 new Dropper Trojans and 21 new Banker samples.
- Found 6 new Command and Control (C&C) servers.
- Uncovered a native code variant that uses obfuscation techniques.
- Malware gains device control through overlay attacks, keylogging, and remote access.
- Utilizes Accessibility Service permissions to capture user credentials.
- Can operate in stealth mode by using deceptive overlays and muting sounds.
- Crocodilous captures One-Time Passwords (OTPs) through logged accessibility events.
- Native libraries allow the malware to execute encrypted DEX files.
- Discovery indicates evolution in malware development regarding obfuscation and stealth.
MITRE Techniques :
- TA0001: Initial Access – Uses Dropper Trojans to gain access to devices.
- TA0002: Execution – Leverages native code to decrypt and execute malicious payloads.
- TA0004: Privilege Escalation – Achieves higher permissions through Accessibility Service abuse.
- TA0006: Credential Access – Harvests credentials using keylogging and OTP harvesting techniques.
- TA0040: Impact – Engages in banking fraud and user credential theft, leading to financial loss.
Indicator of Compromise :
- [Domain] examples of C&C servers found in the investigation.
- [Filename] hidden file with .png extension that contains encrypted data.
- [String] “Pragma Project” identified in the native code as a potential internal marker.
Full Story: https://zimperium.com/blog/pragmatic-crocodilus-a-new-variant-in-the-horizon