A New Variant on the Horizon



Following ThreatFabric's publication on Crocodilus, a sophisticated Android banking trojan, our zLabs team performed a deeper investigation into its broader ecosystem. The analysis led to the discovery of 17 previously unreported Dropper Trojans and 21 new Banker samples matching the behaviors described in the original report. Beyond that, 6 new C&C servers were identified and, perhaps most significantly, a previously undocumented variant of the malware that employs native code for payload loading and execution.

Background: The Crocodilus Malware

This malware is designed for device takeover, enabling attackers to carry out fraudulent actions without the user's knowledge.

The key features of the malware are:

  • Advanced Device Takeover: Crocodilus employs techniques such as overlay attacks, keylogging, and remote access to gain control over infected devices.
  • Accessibility Abuse: Upon installation, it requests Accessibility Service permissions, allowing it to monitor app launches and display deceptive overlays to capture user credentials.
  • Stealth Operations: The malware can operate in a “hidden” mode by displaying a black screen overlay and muting device sounds, ensuring its actions remain undetected.
  • OTP Harvesting: It can capture One-Time Passwords (OTPs) by logging accessibility events, including those from apps like Google Authenticator.

The original Crocodilus campaign relies on Accessibility Services and dynamic overlays to hijack user input and interact with banking apps invisibly. This foundation matches what we observed in the Banker samples extracted from the newly discovered droppers. These samples operate in the same way: the dropper installs the hidden payload APK at runtime and escalates privileges through Accessibility abuse. The malware then carries out banking fraud and credential harvesting using overlays and keylogging, all consistent with the known behaviors of Crocodilus.

Discovery of a Native Code Variant: Pragma

While analyzing the Banker APKs, four stood out for their use of native libraries, a clear deviation from the rest of the payloads and from the earlier campaign. Each of these four samples includes a custom-written native library that loads a file from the assets folder. This file is disguised with a .png extension but is in fact encrypted data. At runtime, the native code decrypts this file and loads the resulting DEX into memory to execute malicious routines.

During the analysis, the AES encryption key was found embedded in the native libraries. These keys differ across samples, suggesting that the threat actor may be producing unique builds for different campaigns or distribution vectors. Within the native code, a repeated string, Pragma Mission, was found, which might indicate an internal codename or simply a label for this variant family. Regardless, the use of native code to decrypt and dynamically load DEX files marks a significant evolution in obfuscation and stealth.
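The loader traits described above (an encrypted blob hidden under a .png name in assets, a bundled native library that decrypts and loads it) translate directly into a static triage heuristic. The following script is an added example, not zLabs' tooling: it opens an APK as a ZIP, flags assets named *.png that lack the PNG signature and have high byte entropy, and lists any native libraries; the sample APK it builds in memory is constructed for demonstration and is not a real Crocodilus sample.

```python
"""Static triage for the native-loader trait: fake *.png assets plus native libs."""
import io
import math
import random
import zipfile
from collections import Counter

PNG_MAGIC = b"\x89PNG\r\n\x1a\n"  # every genuine PNG starts with this 8-byte signature


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; encrypted or random data approaches 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def triage_apk(apk_bytes: bytes, entropy_threshold: float = 7.0) -> dict:
    """Return assets masquerading as PNGs and the native libraries shipped in the APK."""
    findings = {"fake_png_assets": [], "native_libs": []}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for name in zf.namelist():
            if name.startswith("lib/") and name.endswith(".so"):
                findings["native_libs"].append(name)
            elif name.startswith("assets/") and name.lower().endswith(".png"):
                data = zf.read(name)          # read the decompressed asset, not the zip entry
                if not data.startswith(PNG_MAGIC):
                    ent = shannon_entropy(data)
                    findings["fake_png_assets"].append({
                        "name": name,
                        "size": len(data),
                        "entropy": round(ent, 2),
                        "high_entropy": ent >= entropy_threshold,  # consistent with ciphertext
                    })
    return findings


def build_sample_apk() -> bytes:
    """Constructed sample APK for the demo (hypothetical file names, no real malware)."""
    blob = random.Random(1).randbytes(4096)   # deterministic stand-in for an encrypted DEX
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("assets/logo.png", PNG_MAGIC + b"\x00" * 64)   # real PNG header: ignored
        zf.writestr("assets/splash.png", blob)                      # fake PNG: flagged
        zf.writestr("lib/arm64-v8a/libloader.so", b"\x7fELF" + b"\x00" * 32)
    return buf.getvalue()


if __name__ == "__main__":
    print(triage_apk(build_sample_apk()))
```

A hit on both indicators together (a high-entropy non-PNG asset and a native library) is a strong candidate for deeper analysis of the .so's decryption and DEX-loading routines.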

The IOCs for this campaign can be found in this repository.


