New Android Malware ‘Crocodilus’ is Snapping Up Crypto Funds
The Crocodilus malware combines social engineering with abuse of Android's Accessibility Services to steal cryptocurrency wallet credentials and seed phrases, so far mainly from Android users in Spain and Turkey.
New Threat Targeting Android Users
A newly identified malware family named “Crocodilus” has been found targeting cryptocurrency wallets on Android devices. Uncovered by the cybersecurity firm ThreatFabric, the banking trojan pairs social engineering with Accessibility Service logging to extract sensitive user data. It is distributed through malicious websites, social media posts, fake promotions, text messages and third-party app stores, not through official channels.
How Crocodilus Operates
Crocodilus disguises itself as a legitimate crypto-related application to get onto the device. Once installed, it asks the user to enable Accessibility Services for it; according to ThreatFabric, its installer is built to get around the restrictions that Android 13 and later place on sideloaded apps using Accessibility. That single permission is what gives the malware its power: with it, Crocodilus can read what is on screen, record text as it is typed, draw fake overlays on top of real apps to capture credentials, and remotely control the device.
After installation, Crocodilus connects to a command-and-control (C&C) server and receives a list of applications to target. It continuously monitors user activity, capturing accessibility events to log text input and taking screenshots. Notably, it does not break two-factor authentication (2FA) cryptographically; it simply opens Google Authenticator and reads the one-time codes displayed on screen through the same Accessibility access, then sends them to the attackers.
Social Engineering Tactics
One of Crocodilus’ most dangerous features is its ability to manipulate users into revealing their cryptocurrency wallet seed phrases. It does this by displaying a deceptive warning message stating:
“Back up your wallet key in the settings within 12 hours. Otherwise, the app will be reset, and you may lose access to your wallet.”
This trick pressures victims into entering their seed phrase themselves. The malware captures the typed words through its Accessibility logging and transmits them to the attackers, and a seed phrase is all that is needed to restore and empty the wallet on another device.
Remote Access Capabilities
Crocodilus also functions as a remote access trojan (RAT), letting the operators interact with an infected device in real time. They can navigate the user interface, swipe using gesture controls, and take screenshots. A black screen overlay is drawn over the display to hide this activity, so the phone appears to be off or idle while the attackers work, making unauthorized access difficult for victims to notice.
Impact and Mitigation
So far, Crocodilus has been reported affecting users in Spain and Turkey, and debug strings in the malware suggest Turkish-speaking authors. To reduce the risk, security researchers advise Android users to install apps only from Google Play, never to install APK files from unverified sources, and not to click suspicious links in messages or social media posts. Because everything Crocodilus does depends on Accessibility Services, treat any app, and especially a wallet or finance app, that asks you to enable that permission as suspect, and periodically review the list of apps with Accessibility access in Settings and revoke any you did not knowingly enable. A legitimate wallet will never demand that you re-enter your seed phrase under a deadline. Keeping the device updated and auditing app permissions remain good habits as these threats continue to evolve.
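The check above can be automated for a device plugged in over adb. The following script is an added example written for this article, not code from ThreatFabric or from the malware: it lists every package that currently has an Accessibility Service enabled (the capability Crocodilus relies on, as described under “How Crocodilus Operates”), flags any not on an allowlist, and checks whether a flagged package can also draw overlays. The allowlist, the sample settings string and the package name com.example.cryptowallet are constructed assumptions; when adb and a device are available the live values are used instead.

```shell
#!/bin/sh
# Added example (not from the article or ThreatFabric): triage an Android
# device for apps holding the two permissions Crocodilus depends on:
# an enabled Accessibility Service and the SYSTEM_ALERT_WINDOW overlay right.

# Assumed baseline of packages legitimately expected to hold Accessibility
# access on a stock Google device; extend for your own fleet.
A11Y_ALLOWLIST="com.google.android.marvin.talkback com.android.settings"

# Parse the raw value of Settings.Secure.ENABLED_ACCESSIBILITY_SERVICES,
# a colon-separated list of "package/ServiceClass" entries, and print one
# package name per line. An empty or literal "null" value prints nothing.
a11y_packages() {
    raw="$1"
    [ -z "$raw" ] || [ "$raw" = "null" ] && return 0
    printf '%s\n' "$raw" | tr ':' '\n' | sed 's#/.*##' | sed '/^$/d' | sort -u
}

# Print packages with Accessibility enabled that are not on the allowlist.
a11y_unexpected() {
    a11y_packages "$1" | while IFS= read -r pkg; do
        case " $A11Y_ALLOWLIST " in
            *" $pkg "*) ;;                 # expected, skip
            *) printf '%s\n' "$pkg" ;;     # sideloaded or unknown, report
        esac
    done
}

# Given the output of "appops get <pkg> SYSTEM_ALERT_WINDOW", return 0 when
# the overlay permission is granted ("allow"), 1 for deny/ignore/default.
overlay_allowed() {
    case "$1" in
        *"SYSTEM_ALERT_WINDOW: allow"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Pull live values when a device is attached; otherwise fall back to a
# constructed sample in which a sideloaded wallet app has enabled its own
# Accessibility Service alongside TalkBack.
if command -v adb >/dev/null 2>&1 && adb get-state >/dev/null 2>&1; then
    LIVE=1
    raw=$(adb shell settings get secure enabled_accessibility_services | tr -d '\r')
else
    LIVE=0
    raw="com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:com.example.cryptowallet/com.example.cryptowallet.AccService"
fi

echo "Accessibility-enabled packages:"
a11y_packages "$raw" | sed 's/^/  /'

echo "Not on allowlist:"
a11y_unexpected "$raw" | while IFS= read -r pkg; do
    if [ "$LIVE" = 1 ]; then
        ops=$(adb shell appops get "$pkg" SYSTEM_ALERT_WINDOW | tr -d '\r')
    else
        ops="SYSTEM_ALERT_WINDOW: allow; time=+2h ago"   # constructed sample
    fi
    if overlay_allowed "$ops"; then
        echo "  $pkg  (can also draw overlays: review immediately)"
    else
        echo "  $pkg"
    fi
done
```

A package that is both unexpected and able to draw overlays has exactly the combination Crocodilus needs for fake login screens and the black-screen RAT mode; uninstall it or revoke both permissions rather than just disabling the service.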
Disclaimer: This article is provided for informational purposes only. It is not offered or intended to be used as legal, tax, investment, financial, or other advice.