TL;DR
- Crocodilus is an Android malware that steals crypto wallet credentials through social engineering and advanced techniques.
- It uses a customized dropper to bypass Android install restrictions and gains broad control of the device through Accessibility Service permissions.
- It can intercept keys, bypass 2FA, and trick users into revealing their seed phrase, allowing the theft of funds.
A new malware targeting Android devices has been identified by cybersecurity researchers. Named Crocodilus, this malicious software targets cryptocurrency wallet users using social engineering tactics and advanced intrusion techniques.
Its distribution method employs a customized dropper that bypasses Android 13+ restrictions, allowing it to install without the victim’s knowledge. Once on the device, it requests access to the Accessibility Service, granting control over various system functions.
Crocodilus: How It Works
The malware can execute overlay attacks to intercept credentials, log keystrokes, and activate hidden remote access. It also connects to a command-and-control server, where it receives real-time instructions to deploy its attacks. Although initially detected in Spain and Turkey, experts warn that its reach could expand to other regions as its development evolves.
In addition to intercepting banking credentials, Crocodilus can bypass two-factor authentication by capturing screenshots of the Google Authenticator app. This method allows attackers to access protected accounts without directly compromising the victim’s device.
However, what makes it particularly dangerous is its strategy for obtaining seed phrases from crypto wallets. Instead of extracting them directly, it deceives users with an alert message urging them to manually back up their keys within 12 hours. If the victim follows the instruction, the malware records the content using its accessibility logging system and sends it to the attackers.
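A triage check a defender can run against the foothold described above: Crocodilus depends on a sideloaded app holding Accessibility Service access. The script below is an added example, not code from the article or the researchers; it parses constructed samples of two real adb outputs (`settings get secure enabled_accessibility_services` and `pm list packages -i`) and flags enabled accessibility services whose package was not installed from a trusted installer (Play Store assumed as the only trusted source here).

```python
"""Flag accessibility services granted to sideloaded apps (added example)."""
import re
from typing import Dict, List, Set, Tuple

# Constructed sample of: adb shell settings get secure enabled_accessibility_services
# Entries are colon-separated "package/ServiceClass" pairs.
SAMPLE_ENABLED = (
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:"
    "com.example.fakeupdate/com.example.fakeupdate.OverlayService"
)

# Constructed sample of: adb shell pm list packages -i
# "installer=null" means the package was sideloaded rather than store-installed.
SAMPLE_PACKAGES = """package:com.google.android.marvin.talkback  installer=com.android.vending
package:com.example.fakeupdate  installer=null
package:com.example.bank  installer=com.android.vending
"""

# Assumption for this example: only the Play Store counts as a trusted installer.
TRUSTED_INSTALLERS: Set[str] = {"com.android.vending"}


def parse_enabled_services(setting: str) -> List[str]:
    """Split the secure setting into its package/service entries."""
    return [entry for entry in setting.strip().split(":") if entry]


def parse_installers(pm_output: str) -> Dict[str, str]:
    """Map each package name to the installer reported by `pm list packages -i`."""
    installers: Dict[str, str] = {}
    for line in pm_output.splitlines():
        match = re.match(r"package:(\S+)\s+installer=(\S+)", line.strip())
        if match:
            installers[match.group(1)] = match.group(2)
    return installers


def suspicious_services(setting: str, pm_output: str,
                        trusted: Set[str] = TRUSTED_INSTALLERS) -> List[Tuple[str, str]]:
    """Return (package, installer) for enabled accessibility services from untrusted sources."""
    installers = parse_installers(pm_output)
    flagged: List[Tuple[str, str]] = []
    for entry in parse_enabled_services(setting):
        package = entry.split("/", 1)[0]
        installer = installers.get(package, "null")  # unknown package: treat as sideloaded
        if installer not in trusted:
            flagged.append((package, installer))
    return flagged


if __name__ == "__main__":
    for package, installer in suspicious_services(SAMPLE_ENABLED, SAMPLE_PACKAGES):
        print(f"REVIEW: accessibility service enabled for {package} (installer={installer})")
```

Any package this flags is worth reviewing manually; a legitimate accessibility tool from an enterprise store will also appear, so extend the trusted set for your environment.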
Precautions Against the Spread of Advanced Malware
Once the malware operators obtain the seed phrase, they can restore the wallet on another device and drain the funds without leaving any trace. This approach avoids detection by traditional security systems and allows the attacks to be carried out without raising immediate suspicion.
The discovery of Crocodilus demonstrates the growing sophistication of threats targeting the crypto sector and the need for more robust protective measures. Keeping software up to date, verifying the legitimacy of installed applications before granting them Accessibility Service access, and never entering a seed phrase in response to an unsolicited prompt remain essential to reducing the risk of such attacks.