Android users beware: A newly discovered piece of malware is targeting smartphone crypto wallets.
Uncovered by fraud prevention firm ThreatFabric, the “Crocodilus” mobile banking trojan employs tools including remote control, black screen overlays, and advanced data harvesting through accessibility logging to trick crypto holders into handing over their wallet seed phrase.
The malware “is masquerading as crypto-related apps and involves specific social engineering techniques to make victims reveal the secrets stored inside cryptocurrency wallet applications,” Aleksandar Eremin, head of mobile threat intelligence at ThreatFabric, told Decrypt. He added that it’s pointing to the “specific interest of the actors behind it in targeting users of cryptocurrency wallets.”
Crucially, this threat tricks Android users into providing the seed phrase for their own cryptocurrency wallet. It does this by issuing a warning that asks users to back up their key to avoid losing access.
ThreatFabric said Crocodilus is being distributed through a proprietary dropper that bypasses security protections on Android 13 or later.
Once this dropper installs the malware, without triggering Play Protect, it requests Accessibility Service permissions. That allows it to bypass the Accessibility Service restrictions, enabling it to deploy a screen overlay to gain passwords.
The malware shows users a fake warning message that reads: “Back up your wallet key in the settings within 12 hours. Otherwise, the app will be reset, and you may lose access to your wallet.”
Crocodilus also works as a remote access trojan (RAT), meaning operators can navigate the user interface, swipe using gesture control and even take screenshots. According to ThreatFabric, this allows the malware operator to use Google Authenticator to access two-factor authentication passcodes.
The malware does all this discreetly by using a black screen overlay, so the phone owner can’t actually see what actions are being carried out remotely.
Who is Crocodilus targeting?
At time of publishing it appears that only users in Spain and Turkey have been affected by Crocodilus. The malware was first discovered targeting people in Turkey and Spain, and uses debug language that appears to be in Turkish.
How that initial dropper is downloaded is less clear, according to ThreatFabric, so it could well spread beyond these locations.
According to ThreatFabric, users are tricked into downloading the droppers through malicious sites, social media, fake promotions, text messages and third-party app stores. Android users can mitigate against the risk by only using the Google Play Store to download apps, and not downloading APKs from other sites.
Eremin told Decrypt that despite being a “newcomer to the mobile threat landscape,” Crocodilus’ “rich set of capabilities” could make it a competitor to established malware-as-a-service on underground markets.
Edited by Stacy Elliott.
Daily Debrief Newsletter
Start every day with the top news stories right now, plus original features, a podcast, videos and more.
