Cybersecurity firm ThreatFabric has reported a dangerous new malware called Crocodilus. The malware uses sophisticated social engineering tactics to steal cryptocurrency wallet keys and sensitive credentials from Android devices.
Crocodilus uses a combination of overlay attacks, remote device control, and access to accessibility features to bypass security measures and drain victims’ crypto wallets.
The malware, which so far mainly affects users in Spain and Turkey, bypasses Android 13's security protections and easily evades Google Play Protect.
How Crocodilus Tricks Users Into Handing Over Their Keys
Crocodilus is distributed by a sophisticated proprietary dropper. Immediately after installation, the malware requests access to the Accessibility Service, a feature that lets it monitor the screen, log keystrokes, and simulate gestures on the screen.
Once Crocodilus gains that access, it compiles a list of targeted banking and crypto apps and prepares matching overlay screens. When a targeted app launches, Crocodilus displays a convincing overlay message warning the user to back up their wallet seed phrase within 12 hours or risk losing access to their account.
Unaware of the manipulation, victims enter their wallet's recovery phrase, which Crocodilus captures with its Accessibility Logger. Attackers then use the recovery phrase to drain the victim's wallet of all funds.
The malware's effectiveness lies in its bot component, which supports 23 remote commands. These include redirecting calls and SMS messages to intercept 2FA codes, locking the screen, and displaying a blank dark overlay while muting the device to hide malicious activity. The malware can also take screenshots of Google Authenticator to bypass multi-factor authentication and remotely control the device using swipe gestures and screen taps.
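Because the attack chain described above hinges on an app obtaining Accessibility Service access (and, per the article, on the app arriving outside Google Play), a defender triaging an Android device can check which accessibility services are enabled and where their packages were installed from. The following triage script is an added example, not code from ThreatFabric or from the article: it parses constructed samples of the output of `adb shell settings get secure enabled_accessibility_services` and `adb shell pm list packages -i`, and flags any enabled service that is not on a defender-maintained allowlist or whose package was not installed by the Play Store. The package names, service classes and the allowlist are constructed for illustration.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample of `adb shell settings get secure enabled_accessibility_services`
# (colon-separated "package/ServiceClass" ids). Not taken from the report.
ENABLED_SERVICES = (
    "com.example.screenreader/com.example.screenreader.ReaderService:"
    "com.example.pdfviewer/com.example.pdfviewer.AccService"
)

# Constructed sample of `adb shell pm list packages -i` output.
# Real format: "package:<pkg>  installer=<installer pkg or null>".
PM_LIST_OUTPUT = """\
package:com.example.screenreader  installer=com.android.vending
package:com.example.pdfviewer  installer=null
package:com.example.bank  installer=com.android.vending
"""

PLAY_STORE_INSTALLER = "com.android.vending"

# Hypothetical allowlist the defender maintains: accessibility services
# known to be legitimate on managed devices.
ALLOWLISTED_SERVICES = {
    "com.example.screenreader/com.example.screenreader.ReaderService",
}


def parse_enabled_services(raw: str) -> List[str]:
    """Split the secure-setting value into service ids, dropping empties."""
    return [s for s in raw.strip().split(":") if s]


def parse_installers(pm_output: str) -> Dict[str, Optional[str]]:
    """Map package name -> installer package (None when pm reports 'null')."""
    installers: Dict[str, Optional[str]] = {}
    for line in pm_output.splitlines():
        m = re.match(r"package:(\S+)\s+installer=(\S+)", line.strip())
        if m:
            pkg, inst = m.groups()
            installers[pkg] = None if inst == "null" else inst
    return installers


def triage(raw_services: str, pm_output: str,
           allowlist=ALLOWLISTED_SERVICES) -> List[Tuple[str, List[str]]]:
    """Return (service id, reasons) for every enabled service worth a look."""
    installers = parse_installers(pm_output)
    findings = []
    for svc in parse_enabled_services(raw_services):
        pkg = svc.split("/")[0]          # "pkg/.Class" and "pkg/pkg.Class" both work
        installer = installers.get(pkg)
        reasons = []
        if svc not in allowlist:
            reasons.append("not on allowlist")
        if installer != PLAY_STORE_INSTALLER:
            reasons.append(f"installer={installer or 'null'} (sideloaded)")
        if reasons:
            findings.append((svc, reasons))
    return findings


if __name__ == "__main__":
    for svc, reasons in triage(ENABLED_SERVICES, PM_LIST_OUTPUT):
        print(f"REVIEW {svc}: {', '.join(reasons)}")
```

On a real device, feed the script the live output of the two adb commands instead of the constructed strings; an enabled accessibility service belonging to a sideloaded, unknown package is exactly the combination the article describes and should be removed or investigated.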
Why Crocodilus Is a Major Threat to Cybersecurity
Crocodilus displays incredible sophistication and alarming dynamism for such new malware. Its ability to evade Android's latest Google Play Protect security updates, remotely access devices, and manipulate users is a serious concern for cybersecurity.
With new risks continually emerging in the crypto space, users must protect their assets by taking precautionary measures. Always download apps, especially finance apps, from trusted sources such as Google Play or Apple's App Store.