A newly discovered Android malware called Crocodilus is raising concerns about its ability to steal sensitive cryptocurrency wallet credentials through social engineering. Although recently observed targeting users in Spain and Turkey, the malware’s advanced capabilities suggest a broader rollout could follow.
Crocodilus is distributed through a proprietary dropper that bypasses the security protections introduced in Android 13 and later and evades detection by Google Play Protect.
Once installed, it requests access to the Accessibility Service, a feature intended to assist users with disabilities, but which also allows malware to monitor screen content, simulate gestures, and interact with apps.
What sets Crocodilus apart is its use of a convincing overlay screen that warns users to back up their wallet key within 12 hours or risk losing access. This prompt is designed to guide victims into navigating to their crypto wallet’s seed phrase, which the malware logs using an Accessibility Logger. With access to the seed phrase, attackers can seize full control of the wallet.
Beyond seed phrase theft, Crocodilus can also load fake overlays on top of banking or crypto apps to intercept credentials. The malware's bot component supports 23 commands, allowing it to:
- Enable call forwarding
- Read and send SMS messages
- Post push notifications
- Launch applications
- Lock the screen
- Gain device admin privileges
- Set itself as the default SMS manager
- Mute or enable sound
- Activate a black overlay
It also includes Remote Access Trojan features that let attackers perform screen taps and swipe gestures and take screenshots, including of Google Authenticator, so they can capture the one-time passwords used for multi-factor authentication.
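The capability mix described above (an accessibility service, screen overlays, SMS handling, device-admin rights and the default-SMS-app role) is visible in an APK's manifest before the app ever runs. The following static triage script is an added example, not code from the article or from any malware analysis; the manifest it parses is constructed for illustration, and the "suspicious" threshold is an assumption to tune for your own fleet.

```python
"""Static triage of an AndroidManifest.xml for the capability combination the
article attributes to Crocodilus. Added example; SAMPLE_MANIFEST is constructed."""
import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"  # Android attribute namespace

# Runtime permissions that back the overlay, SMS and call-forwarding features.
PERMISSION_GROUPS = {
    "overlay": {"android.permission.SYSTEM_ALERT_WINDOW"},
    "sms": {"android.permission.RECEIVE_SMS", "android.permission.SEND_SMS",
            "android.permission.READ_SMS"},
    "calls": {"android.permission.CALL_PHONE"},
}
# Components that only work when guarded by the matching system permission.
BOUND_COMPONENTS = {
    "accessibility_service": ("service", "android.permission.BIND_ACCESSIBILITY_SERVICE"),
    "device_admin": ("receiver", "android.permission.BIND_DEVICE_ADMIN"),
}
DEFAULT_SMS_ACTION = "android.provider.Telephony.SMS_DELIVER"  # needed for default SMS role

def triage_manifest(xml_text):
    """Return a dict of capability markers found plus a 'suspicious' verdict."""
    root = ET.fromstring(xml_text)
    declared = {e.get(A + "name") for e in root.iter("uses-permission")}
    found = {k: bool(perms & declared) for k, perms in PERMISSION_GROUPS.items()}
    for key, (tag, perm) in BOUND_COMPONENTS.items():
        found[key] = any(e.get(A + "permission") == perm for e in root.iter(tag))
    found["default_sms_app"] = any(
        act.get(A + "name") == DEFAULT_SMS_ACTION for act in root.iter("action"))
    # Heuristic (assumption): an accessibility service plus two or more of the
    # other markers matches the profile described in the article.
    others = sum(v for k, v in found.items() if k != "accessibility_service")
    found["suspicious"] = found["accessibility_service"] and others >= 2
    return found

SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.constructed">
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <application>
    <service android:name=".Svc" android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
    <receiver android:name=".Admin" android:permission="android.permission.BIND_DEVICE_ADMIN"/>
    <receiver android:name=".SmsRx" android:permission="android.permission.BROADCAST_SMS">
      <intent-filter><action android:name="android.provider.Telephony.SMS_DELIVER"/></intent-filter>
    </receiver>
  </application>
</manifest>"""

if __name__ == "__main__":
    for marker, present in triage_manifest(SAMPLE_MANIFEST).items():
        print(f"{marker:22} {present}")
```

Extract the manifest from an APK with a decoder such as apktool before running this against real samples; legitimate accessibility apps will trip individual markers, so treat the combined verdict as a triage signal rather than a conviction.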