Android users, beware! A new piece of malware has been discovered that targets smartphone crypto wallets.
The fraud prevention company ThreatFabric discovered the mobile banking trojan “Crocodilus”. It used tools like remote control and black screen overlays as well as advanced data collection through accessibility logging in order to trick cryptocurrency holders into giving up their wallet seed phrases.
Aleksandar Eremin of ThreatFabric’s mobile threat intelligence said the malware is “misleadingly disguised as crypto-related app and utilizes specific social engineering tactics to force victims into revealing secrets contained within cryptocurrency wallet applications.” Decrypt. He said that the attack is a “clear indication” of the “specific interests of those behind the attacks in targeting cryptocurrency wallet users.”
The threat tricked Android users into entering the seed phrase to their cryptocurrency wallet. The threat does this by asking users to backup their keys to avoid losing them.
ThreatFabric reported that Crocodilus was distributed using a dropper which bypassed security features on Android versions 13 and later.
It will then request Accessibility Service permissions, once the dropper has installed malware. That allows it to bypass the Accessibility Service restrictions, enabling it to deploy a screen overlay to gain passwords.
Malware displays a false warning that says: “Backup your wallet key within 12 hours in settings.” If you don’t, your app may be reset and you could lose access to the wallet.
Crocodilus can also be used as a Remote Access Trojan (RAT), which allows the malware operator to navigate through an interface using gestures, and take screenshots. According to ThreatFabric this malware allows an operator to utilize Google Authenticator in order to obtain two-factor passwords.
The malware does all this discreetly by using a black screen overlay, so the phone owner can't actually see what actions are being carried out remotely.
Crocodilus is a predator.
Crocodilus seems to affect only Spanish and Turkish users at this time. First discovered in Turkey, Crocodilus targets users from Spain and Turkey. The debug language appears to be Turkish.
ThreatFabric says it’s not entirely clear how this initial dropper gets downloaded, but that the virus could easily spread to other locations.
ThreatFabric claims that droppers are downloaded by users through malignant sites, social networks, fake advertisements, SMS messages, third-party stores, etc. Android users should only download APKs through the Google Play Store and avoid downloading apps from any other site.
Eremin is a word Decrypt Crocodilus, a newcomer in the mobile threat environment, could be a serious competitor for established malware as a service on underground marketplaces due to its “rich capabilities.”
Stacy Elliott is the editor.
