• A newly identified Android malware, Crocodilus, employs social engineering and advanced evasion tactics to steal cryptocurrency wallet credentials.
  • Crocodilus uses an overlay screen to trick users into revealing seed phrases while also manipulating device functions through accessibility permissions.

A newly identified Android malware, dubbed Crocodilus, is raising alarms among cybersecurity experts due to its sophisticated methods for stealing sensitive cryptocurrency wallet credentials through social engineering tactics.

Initially reported in Spain and Turkey, the malware's advanced capabilities suggest a potential for widespread attacks across various regions.

Crocodilus is distributed via a proprietary dropper that effectively bypasses the security protections of Android 13 and later versions, allowing it to evade detection by Google’s Play Protect system.

Once installed on a device, Crocodilus requests access to the Accessibility Service, a feature designed to assist users with disabilities.

However, this access allows the malware to monitor screen content, simulate user gestures, and interact with applications covertly. This manipulation is particularly dangerous as it enables the malware to execute commands without the user's knowledge.
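The accessibility abuse described above leaves a visible trace: any service granted that permission appears in the device's `enabled_accessibility_services` secure setting. The following POSIX shell helper is an added triage example, not code from the article or from any vendor; it compares that setting against a vetted allowlist and flags anything else. The setting value and the allowlist are constructed assumptions so the script runs offline; on a real device the value comes from `adb shell settings get secure enabled_accessibility_services`.

```shell
#!/bin/sh
# Added triage helper (not from the article): flags enabled Android accessibility
# services whose package is not on a known-good allowlist.

# Constructed sample of the colon-separated setting value: two legitimate
# services plus one hypothetical, unvetted package (com.example.unknownapp).
SAMPLE_SETTING='com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:com.android.switchaccess/.SwitchAccessService:com.example.unknownapp/.AccessService'

# Packages an organisation has vetted (assumption: adjust per device fleet).
ALLOWLIST='com.google.android.marvin.talkback com.android.switchaccess'

# flag_unknown_services SETTING_VALUE
# Prints the package name of every enabled service not in ALLOWLIST, one per line.
flag_unknown_services() {
  # Entries are "package/component" separated by ':'; the trailing newline makes
  # sure `read` also sees the last entry.
  printf '%s\n' "$1" | tr ':' '\n' | while IFS= read -r entry; do
    [ -n "$entry" ] || continue
    pkg=${entry%%/*}
    case " $ALLOWLIST " in
      *" $pkg "*) ;;              # vetted package, ignore
      *) printf '%s\n' "$pkg" ;;  # unknown package, report
    esac
  done
}

# check_accessibility_services SETTING_VALUE
# Returns 0 when every enabled service is vetted, 1 when at least one is not.
check_accessibility_services() {
  unknown=$(flag_unknown_services "$1")
  if [ -n "$unknown" ]; then
    printf 'Unvetted accessibility services enabled:\n%s\n' "$unknown"
    return 1
  fi
  printf 'No unvetted accessibility services enabled.\n'
  return 0
}

# Run over the constructed sample; `|| true` keeps a finding from aborting
# the script when it is sourced under `set -e`.
check_accessibility_services "$SAMPLE_SETTING" || true
```

An unknown package holding this permission is not proof of infection, but it is the single setting worth reviewing first when a device shows the overlay or black-screen behaviour this article describes.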

What sets Crocodilus apart from other malware is its highly convincing overlay screen, which warns users to back up their wallet key within 12 hours or risk losing access.

This prompt is designed to lead victims directly to their crypto wallet’s seed phrase, which the malware logs using an Accessibility Logger. With this information, attackers can gain full control over the victim’s cryptocurrency wallet.

In addition to targeting seed phrases, Crocodilus can also load fake overlays on banking or cryptocurrency applications to intercept user credentials.

The malware's bot component supports an array of 23 commands, including:

  • Enabling call forwarding
  • Reading and sending SMS messages
  • Posting push notifications
  • Launching applications
  • Locking the screen
  • Gaining device admin privileges
  • Setting itself as the default SMS manager
  • Muting or enabling sound
  • Activating a black overlay

These features enable attackers not only to steal sensitive information but also to manipulate devices in ways that can remain undetected by users.

Furthermore, while executing these operations, Crocodilus can activate a black screen overlay and mute the device, creating an illusion that it is locked or inactive. This method of concealment poses significant risks as it allows malicious activities to occur without arousing suspicion.

The emergence of Crocodilus is reminiscent of previous sophisticated Android malware attacks:

  • Anatsa and Octo: These banking Trojans evolved to include overlay attacks and device takeover capabilities similar to those exhibited by Crocodilus.
  • CherryBlos and FakeTrade: These malware families utilized overlay attacks and clipboard hijacking techniques to steal cryptocurrency credentials from unsuspecting users.
  • SparkCat: Discovered in malicious app-making kits for Android and iOS, SparkCat employed Optical Character Recognition (OCR) technology to extract crypto wallet recovery phrases from images stored on devices.

The emergence of Crocodilus highlights an alarming trend in mobile malware targeting financial assets. As cybercriminals continue to refine their techniques, users must remain vigilant. Experts recommend avoiding downloads from third-party app stores, regularly updating devices, and being cautious with accessibility permissions.


Edited by Harshajit Sarmah