New ‘Crocodilus’ Malware Hijacks Androids to Drain Crypto Wallets

A recent report by cybersecurity firm Threat Fabric has unveiled a new strain of mobile malware known as "Crocodilus," which poses a significant threat to Android users by employing fake overlays to obtain sensitive cryptocurrency seed phrases. This malware can take control of a user's device and potentially drain their crypto wallets entirely.

Threat Fabric analysts detailed in their March 28 report that Crocodilus deceives users through a screen overlay that urges them to back up their crypto wallet keys by a specified deadline. If the user provides their password, the overlay presents a dire warning: "Back up your wallet key in the settings within 12 hours. Otherwise, the app will be reset, and you may lose access to your wallet." This social engineering tactic directs users towards their seed phrase wallet key, allowing the malware to capture the crucial information through its accessibility logger.

Once the seed phrase is obtained, attackers can seize full control of the wallet. Despite being newly discovered, Crocodilus showcases advanced features typical of modern banking malware, such as overlay attacks, sophisticated data harvesting via screen captures, and remote device control.

Threat Fabric notes that initial infection typically occurs when users inadvertently download the malware bundled with other software, which effectively circumvents Android 13 security protections.

Once installed, Crocodilus prompts users to enable accessibility services, which facilitates the hackers' access. After gaining access, the malware establishes a connection to a command-and-control server to receive instructions, including a list of target applications and their respective overlays.
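Because the malware depends on the user granting it an accessibility service, one practical check for a defender or device owner is to list the accessibility services currently enabled on a device and flag any that are not expected. The script below is an added example, not code from Threat Fabric or from the article: it parses the value of the Android secure setting `enabled_accessibility_services` (a colon-separated list of `package/ServiceClass` entries, readable on a connected device with `adb shell settings get secure enabled_accessibility_services`) and prints the packages that are not on a caller-supplied allowlist. The package names in the sample value and allowlist are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the Threat Fabric report or the article).
# Flags enabled Android accessibility services whose package is not on an allowlist.
#
# On a real device the setting value is obtained with:
#   adb shell settings get secure enabled_accessibility_services
# It is a colon-separated list of "package/ServiceClass" entries, or "null" when empty.

# unexpected_a11y_services SETTING_VALUE ALLOWLIST
#   $1 = raw setting value, $2 = space-separated list of allowed package names.
#   Prints one package name per line for every enabled service not on the allowlist.
unexpected_a11y_services() {
    setting="$1"
    allow="$2"
    # Nothing enabled: nothing to report.
    if [ -z "$setting" ] || [ "$setting" = "null" ]; then
        return 0
    fi
    # Split the setting on ':' into positional parameters.
    old_ifs=$IFS
    IFS=:
    set -- $setting
    IFS=$old_ifs
    for entry in "$@"; do
        # Keep only the package part before the '/'.
        pkg="${entry%%/*}"
        found=0
        for a in $allow; do
            if [ "$a" = "$pkg" ]; then
                found=1
            fi
        done
        if [ "$found" -eq 0 ]; then
            printf '%s\n' "$pkg"
        fi
    done
    return 0
}

# Constructed sample: one expected screen-reader service and one unknown service,
# as the setting might look after a user was talked into enabling an unknown app.
SAMPLE_SETTING='com.example.screenreader/.ReaderService:com.example.unknownapp/.CaptureService'
# Constructed allowlist of packages that are expected to hold accessibility access.
ALLOWLIST='com.example.screenreader com.example.talkback'

# Stand-alone run: prints "com.example.unknownapp".
unexpected_a11y_services "$SAMPLE_SETTING" "$ALLOWLIST"
```

To run it against a real device, replace `SAMPLE_SETTING` with the output of the `adb shell settings get secure` command above; any package printed should be reviewed, since an accessibility service is exactly what this family needs to log keystrokes and drive the screen.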

Crocodilus runs continuously, monitoring app activity and deploying overlays to intercept user credentials. When a targeted banking or cryptocurrency app is opened, the fake overlay conceals legitimate activity, allowing hackers to take control and mute sound during their operation.

With stolen personal information and credentials, attackers can perform fraudulent transactions remotely without detection.

Threat Fabric's Mobile Threat Intelligence team identified that the malware currently targets users in Turkey and Spain, with expectations of wider dissemination in the future. The investigation suggests that the developers might speak Turkish, given code annotations, and could be a threat actor known as Sybra or another hacker experimenting with new software.

The emergence of the Crocodilus mobile banking Trojan highlights a substantial leap in the complexity and risk level of contemporary malware. Its capabilities for device takeover, remote control, and the application of black overlay attacks indicate a maturity level rarely seen in newly discovered threats, Threat Fabric concludes.

Disclaimer and Risk Warning: The information provided in this article is for educational and informational purposes only and is based on the author's opinion. It does not constitute financial, investment, legal, or tax advice. Cryptocurrency assets are highly volatile and subject to high risk, including the risk of losing all or a substantial amount of your investment. Trading or holding crypto assets may not be suitable for all investors. The views expressed in this article are solely those of the author(s) and do not represent the official policy or position of Yellow, its founders, or its executives. Always conduct your own thorough research (D.Y.O.R.) and consult a licensed financial professional before making any investment decision.