
Published a month ago

New Android banking malware called Crocodilus is targeting users in Spain and Turkey

- Cybersecurity researchers found a new Android banking malware called Crocodilus that mainly targets users in Spain and Turkey. According to ThreatFabric, Crocodilus is not just a simple clone; it is a serious threat with modern features like remote control, black screen overlays, and advanced data collection methods.
- This malware, like other banking trojans, aims to take over devices and carry out fraudulent transactions. Analysis of its code indicates the author speaks Turkish. The malware pretends to be Google Chrome (with the package name "quizzical.washbowl.calamity"), allowing it to bypass restrictions on Android 13 and higher.
- Once the app is installed, it asks for access to Android's accessibility services. It then connects to a remote server to get instructions, a list of financial apps to target, and HTML overlays for stealing login details. Crocodilus can also target cryptocurrency wallets, showing an alert that tricks victims into backing up their seed phrases, which are then collected through accessibility services.
- The malware runs constantly, watching for app openings and displaying overlays to catch login info. It captures all screen activities and can even take screenshots of apps like Google Authenticator. Another important feature is its ability to hide its actions from users by using a black screen overlay and muting sounds.
- Key features of Crocodilus include launching specific apps, removing itself from devices, sending SMS messages, retrieving contacts, updating server settings, enabling/disabling sound, and making itself the default SMS manager. ThreatFabric notes that the emergence of Crocodilus shows an alarming increase in sophistication for modern malware. Additionally, Forcepoint revealed a phishing campaign using tax-themed lures to spread the Grandoreiro banking trojan targeting Windows users in Mexico, Argentina, and Spain.
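A device-triage sketch for the behaviour described above (a Chrome-labelled app with an unrelated package name that holds an accessibility service or is the default SMS app). This is an added example, not ThreatFabric's tooling. It assumes the accessibility value comes from `adb shell settings get secure enabled_accessibility_services` and the SMS value from `settings get secure sms_default_application`; the label inventory, the service class names and the one-entry allow-list are constructed for illustration.

```python
# Added triage example: all inputs below are constructed, not captured from a device.
# Assumption: brand keyword -> genuine package; extend for your own fleet.
OFFICIAL_PACKAGES = {"chrome": "com.android.chrome"}

def parse_accessibility(setting_value):
    """Parse the enabled_accessibility_services setting: colon-separated
    'package/ServiceClass' entries, or 'null' / empty when none are enabled."""
    value = setting_value.strip()
    if not value or value == "null":
        return set()
    return {entry.split("/", 1)[0] for entry in value.split(":") if entry}

def triage(labels, accessibility_value, default_sms_pkg):
    """Return {package: [reasons]} for apps whose label imitates a known brand."""
    a11y = parse_accessibility(accessibility_value)
    findings = {}
    for pkg, label in labels.items():
        reasons = []
        for brand, genuine in OFFICIAL_PACKAGES.items():
            if brand in label.lower() and pkg != genuine:
                reasons.append(f"label '{label}' imitates {genuine}")
        # Escalate only impersonating apps; TalkBack and similar tools stay quiet.
        if reasons and pkg in a11y:
            reasons.append("holds an accessibility service")
        if reasons and pkg == default_sms_pkg:
            reasons.append("is the default SMS app")
        if reasons:
            findings[pkg] = reasons
    return findings

# Constructed device inventory (service class names are hypothetical).
SAMPLE_LABELS = {
    "com.android.chrome": "Chrome",
    "quizzical.washbowl.calamity": "Google Chrome",
    "com.google.android.marvin.talkback": "TalkBack",
}
SAMPLE_A11Y = ("com.google.android.marvin.talkback/.TalkBackService:"
               "quizzical.washbowl.calamity/.ExampleService")
SAMPLE_SMS = "quizzical.washbowl.calamity"

if __name__ == "__main__":
    for pkg, reasons in triage(SAMPLE_LABELS, SAMPLE_A11Y, SAMPLE_SMS).items():
        print(pkg, "->", "; ".join(reasons))
```

A label and package mismatch alone is a weak signal; the combination with accessibility access or the default SMS role is what warrants pulling the APK for analysis.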