Android users, watch out: a newly discovered piece of malware targets the crypto wallets on your smartphone.
Discovered by fraud prevention company ThreatFabric, the "Crocodilus" mobile banking Trojan combines remote control, black screen overlays and data harvesting to trick crypto holders into handing over their wallet seed phrases.
The malware "is disguised as crypto-related apps and includes specific social engineering techniques to get victims to reveal the secrets stored in cryptocurrency wallet applications," Aleksandar Eremin, head of mobile threat intelligence at ThreatFabric, told Decrypt. He added that this points to the "specific interest of the actors behind it in targeting cryptocurrency wallet users."
Crucially, the threat tricks Android users into handing over the seed phrase for their own cryptocurrency wallet. It does this by displaying a warning that urges users to back up their key or risk losing access. The deadline is the tell: a real wallet app does not threaten to reset itself if you fail to re-enter your seed phrase.
ThreatFabric said Crocodilus is distributed by a proprietary dropper that bypasses the security protections on Android 13 and later.
Once the dropper has installed the malware without triggering Play Protect, the malware asks for Accessibility Service permissions. These let it sidestep the restrictions Android places on accessibility services, so it can draw screen overlays over legitimate apps to capture credentials.
The malware shows users a fake warning message that reads: “Make a backup of your wallet key in the settings within 12 hours. Otherwise the app will be reset and you can lose access to your wallet.”
Crocodilus also works as a remote access trojan (RAT), meaning its operators can navigate the user interface remotely, perform swipe gestures and even take screenshots. According to ThreatFabric, this lets the operator capture the one-time codes displayed by Google Authenticator and so get past two-factor authentication.
The malware does all this discreetly behind a black screen overlay, so the phone's owner cannot see which actions are being performed remotely.
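The Accessibility Service grant is the pivot for everything described above (overlays, remote navigation, screenshots), so the first triage step on a suspect device is to see which apps hold it. The script below is an added example, not code from ThreatFabric or Decrypt. It parses the value of the `enabled_accessibility_services` secure setting (read with `adb shell settings get secure enabled_accessibility_services` when a device is attached; otherwise it uses a constructed sample) and flags any package not on a known-good allowlist. The allowlist contents and the `com.example.wallet` package in the sample are assumptions for illustration.

```shell
#!/bin/sh
# Added triage helper (not ThreatFabric's or Decrypt's code): list the
# accessibility services enabled on an Android device and flag any that
# are not on a known-good allowlist. A sideloaded "wallet" app holding
# this permission is exactly the foothold described in the article.

# Known-good accessibility packages. Assumption: adjust for your fleet.
ALLOWLIST="com.google.android.marvin.talkback com.android.switchaccess"

# Constructed sample of the secure setting's value on a device running
# TalkBack plus a hypothetical sideloaded wallet app that obtained the
# permission. Entries are package/service pairs separated by colons.
SAMPLE="com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:com.example.wallet/.AccessService"

# Turn the colon-separated setting into one package name per line.
# `settings get` prints the literal string "null" when nothing is enabled.
accessibility_packages() {
    printf '%s\n' "$1" | tr ':' '\n' | cut -d/ -f1 \
        | sed -e '/^$/d' -e '/^null$/d' | sort -u
}

# Print the packages from the setting that are not on the allowlist.
unexpected_services() {
    accessibility_packages "$1" | while IFS= read -r pkg; do
        case " $ALLOWLIST " in
            *" $pkg "*) ;;                 # known-good, skip
            *) printf '%s\n' "$pkg" ;;     # not allowlisted, report
        esac
    done
}

# Read the live value over adb if a device is attached, else use SAMPLE.
live_or_sample() {
    if command -v adb >/dev/null 2>&1 && adb get-state >/dev/null 2>&1; then
        adb shell settings get secure enabled_accessibility_services | tr -d '\r'
    else
        printf '%s\n' "$SAMPLE"
    fi
}

# Human-readable report. Each flagged package is a candidate for
# `adb shell pm list packages -f <pkg>` and an APK pull for analysis.
report() {
    value=$(live_or_sample)
    echo "Enabled accessibility packages:"
    accessibility_packages "$value" | sed 's/^/  /'
    flagged=$(unexpected_services "$value")
    if [ -n "$flagged" ]; then
        echo "Not on allowlist (investigate):"
        printf '%s\n' "$flagged" | sed 's/^/  /'
    else
        echo "No unexpected accessibility services."
    fi
}

report
```

Run it with a device attached to get the live value; without one it reports on the embedded sample and flags `com.example.wallet`. Pair it with `adb shell appops get <pkg> SYSTEM_ALERT_WINDOW` on each flagged package, since an accessibility grant plus overlay permission is the combination the Trojan needs.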
Who is Crocodilus targeting?
At the time of publishing, only users in Spain and Turkey appear to have been hit by Crocodilus. The malware was first seen targeting people in those two countries, and its debug messages appear to be written in Turkish.
How the initial dropper gets onto devices is less clear, according to ThreatFabric, so it may well spread beyond those locations.
According to ThreatFabric, users are tricked into downloading the dropper via malicious sites, social media, fake promotions, SMS messages and third-party app stores. Android users can reduce the risk by installing apps only from the Google Play Store and not sideloading APKs from other sites. Keeping Play Protect switched on and periodically reviewing which apps hold Accessibility Service access (Settings > Accessibility) removes the permission the malware depends on.
Eremin told Decrypt that, despite being a "newcomer in the mobile threat landscape," Crocodilus's "rich set of capabilities" could make it a competitor to established malware-as-a-service offerings on underground markets.
Published by Stacy Elliott.