
‘Crocodilus’ is a new Android malware family that every smartphone and crypto user should know about. In an in-depth analysis, Threat Fabric reported that this new family targets Android devices and can display convincing fake overlays on top of cryptocurrency wallet apps, warning users to back up their wallet key within 12 hours or risk losing access to their funds.
According to Threat Fabric, Crocodilus relies on a simple but effective social engineering trick: the warning prompts the user to navigate to their wallet’s seed phrase, and once it is on screen the malware captures it through its accessibility logger.
What Is ‘Crocodilus’?
Mobile devices and apps have faced a range of threats in recent years, particularly from banking Trojan families such as Hook, Octo, and Anatsa. These families target mobile devices and are equipped with advanced capabilities such as keylogging, overlay attacks, and abuse of Android’s Accessibility Services.
The latest addition is Crocodilus, which is installed through a proprietary dropper that bypasses the Accessibility Service restrictions introduced in Android 13 and evades other existing defenses, including Google Play Protect.
Once installed on an Android device, it asks the user to grant it access to the Accessibility Service, a feature designed to assist users with disabilities. With that permission, the malware can simulate gestures, read screen content, and interact with other applications on the user’s behalf.
The malware also has Remote Access Trojan features, allowing the operators to control the device remotely with actions such as tapping and swiping. They can also capture screen content, including from Google Authenticator, to steal the one-time passwords used for multi-factor authentication.
Threat Fabric disclosed that the malware runs continuously in the background and displays fake overlays to steal customer credentials. When a targeted app is opened, a fake overlay appears and the device is muted, so the victim does not notice the activity while the attackers harvest the data.
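Because every capability described above hinges on the malware holding Accessibility Service access, the first triage check on a suspect device is simply to list which accessibility services are enabled and compare them with the ones you expect. The script below is an added example written for this article, not code from Threat Fabric or from the malware analysis. It parses the value of the Android secure setting `enabled_accessibility_services` (a colon-separated list of `package/class` component names, where the class may be abbreviated with a leading dot) and flags anything not on an allowlist. The allowlist and the sample setting value are constructed for illustration; `com.example.pdfreader` is a hypothetical package name standing in for an unexpected app.

```python
"""Triage check: list enabled Android accessibility services and flag any
not on a known-good allowlist.

Added example, not code from Threat Fabric or the article. The only device
dependency is the output of one adb command, embedded here as a constructed
sample so the script runs offline:

    adb shell settings get secure enabled_accessibility_services
"""
import subprocess
from typing import Dict, List, Set, Tuple

# Constructed sample of the setting value: one legitimate screen reader
# plus a hypothetical package (com.example.pdfreader) standing in for an
# app that should not have accessibility access.
SAMPLE_SETTING = (
    "com.google.android.marvin.talkback/"
    "com.google.android.marvin.talkback.TalkBackService:"
    "com.example.pdfreader/.AccessService"
)

# Assumed allowlist of (package, fully qualified class). Build yours from
# the services you actually expect on managed devices.
ALLOWLIST: Set[Tuple[str, str]] = {
    ("com.google.android.marvin.talkback",
     "com.google.android.marvin.talkback.TalkBackService"),
}


def parse_services(setting: str) -> List[Dict[str, str]]:
    """Split the setting into package/class records, expanding '.Cls' to
    'package.Cls'. An unset setting prints 'null', which yields no records."""
    services = []
    for item in setting.strip().split(":"):
        if not item or "/" not in item:
            continue
        pkg, cls = item.split("/", 1)
        if cls.startswith("."):
            cls = pkg + cls
        services.append({"package": pkg, "class": cls})
    return services


def flag_unexpected(setting: str,
                    allowlist: Set[Tuple[str, str]] = ALLOWLIST) -> List[str]:
    """Return component names of enabled services not on the allowlist."""
    return [
        f"{s['package']}/{s['class']}"
        for s in parse_services(setting)
        if (s["package"], s["class"]) not in allowlist
    ]


def read_from_device() -> str:
    """Query a connected device over adb (requires adb and USB debugging).
    Not called by default so the example stays offline."""
    out = subprocess.run(
        ["adb", "shell", "settings", "get", "secure",
         "enabled_accessibility_services"],
        capture_output=True, text=True, check=True,
    ).stdout.strip()
    return "" if out == "null" else out


if __name__ == "__main__":
    # Swap SAMPLE_SETTING for read_from_device() to check a real handset.
    for comp in flag_unexpected(SAMPLE_SETTING):
        print("UNEXPECTED accessibility service enabled:", comp)
```

A hit from this check is not proof of infection on its own, since legitimate apps such as password managers also use the service, but an enabled service belonging to a recently sideloaded app with no accessibility use case is exactly the pattern a dropper-installed Trojan like the one described above produces.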
Other Information About The New Malware
According to the Threat Fabric report, the attackers can take over the device and steal information using the built-in remote access. The researchers initially found victims in Spain and Turkey, and they expect the campaign to spread to other regions.
Based on debug messages left in the code, the investigators believe the malware’s developers are Turkish speakers. They also speculated that a threat actor known as ‘Sybra’, or another actor testing new software, may be behind the Android malware.
Featured image from Pexels, chart from TradingView
