Threat Fabric’s Mobile Threat Intelligence (MTI) team has warned cryptocurrency users about a new variant of the Crocodilus mobile malware, now equipped with an automated seed phrase collector.

Malware Features Seed-Phrase-Collecting Parser
The Mobile Threat Intelligence (MTI) team at Threat Fabric has issued a warning to cryptocurrency users about a new variant of mobile malware, Crocodilus, which now includes an automated seed phrase collector. Originally identified in March, this malware is reportedly expanding its target list from European countries to include users in South America.
In its latest blog post, the MTI team stated that the new variant of Crocodilus specifically targets cryptocurrency wallet applications. What makes this variant particularly concerning is its additional parser, which helps extract seed phrases and private keys from specific wallets.
While still built on the same Android accessibility-service logging as earlier variants, the updated malware adds preprocessing of the on-screen text it captures: regular expressions matched against the layout of specific wallet screens pull out the seed phrase and private key fields on the device itself, so the operators receive the extracted secrets rather than raw screen dumps.
“In our previous blog about Crocodilus, we highlighted the interest of cybercriminals in cryptocurrency wallets as they were making victims open the wallet apps to further steal the data displayed on the screen,” the team explained. “With additional parsing done on the device side, threat actors receive high-quality preprocessed data, ready to use in fraudulent operations like account takeover, targeting cryptocurrency assets of victims.”
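To make the on-device parsing described above concrete, the following is an added example written for this page, not code from ThreatFabric's report or from the malware itself. It applies the technique the MTI team describes (layout-specific regular expressions over text logged by an accessibility service) to a constructed screen capture; the sample text, the placeholder hex key and the function names are assumptions. The same patterns serve defensively, for instance as a guard that refuses to log or forward text containing a recovery phrase.

```python
import re

# Constructed sample of what an Android accessibility service could log from a
# wallet's "back up your recovery phrase" screen. The words are the first twelve
# entries of the public BIP39 English list; the hex key is an arbitrary
# placeholder, not a real key.
CAPTURED_SCREEN = """\
Back up your wallet
Write down these 12 words in order:
1. abandon 2. ability 3. able 4. about 5. above 6. absent
7. absorb 8. abstract 9. absurd 10. abuse 11. access 12. accident
Never share this phrase with anyone.
Private key: 0x4c0883a69102937d9234d5bcd13cdef0c10a2a01f83b0e5b9d5de3d1e6d2a3b4
"""

# Word counts that a BIP39 mnemonic can legitimately have.
VALID_MNEMONIC_LENGTHS = {12, 15, 18, 21, 24}

# Layout-specific pattern: "1. word 2. word ..." as many wallets render the
# phrase. Every BIP39 English word is 3 to 8 lowercase letters.
NUMBERED_ITEM = re.compile(r"\b(\d{1,2})\.\s*([a-z]{3,8})\b")

# 64 hex digits, optionally 0x-prefixed: a raw 256-bit private key as shown by
# Ethereum-style wallets.
HEX_KEY = re.compile(r"\b(?:0x)?([0-9a-fA-F]{64})\b")

# Base58 WIF private key as used by Bitcoin wallets: 51 or 52 characters
# starting with 5, K or L.
WIF_KEY = re.compile(r"\b[5KL][1-9A-HJ-NP-Za-km-z]{50,51}\b")


def extract_numbered_mnemonic(text):
    """Return the words of a numbered, in-order recovery phrase shown on screen,
    or None if no list with a valid BIP39 word count is present."""
    words = []
    for index, word in NUMBERED_ITEM.findall(text):
        if int(index) == 1:
            words = [word]                  # a new list starts
        elif int(index) == len(words) + 1:
            words.append(word)              # numbering continues in order
        else:
            break                           # numbering broke: not a phrase list
    return words if len(words) in VALID_MNEMONIC_LENGTHS else None


def parse_wallet_screen(text):
    """Preprocess one captured screen into the fields an operator would want,
    mirroring the 'ready to use' output the report describes."""
    return {
        "mnemonic": extract_numbered_mnemonic(text),
        "hex_keys": HEX_KEY.findall(text),
        "wif_keys": WIF_KEY.findall(text),
    }


if __name__ == "__main__":
    result = parse_wallet_screen(CAPTURED_SCREEN)
    print("mnemonic:", " ".join(result["mnemonic"] or []))
    print("hex keys:", result["hex_keys"])
    print("WIF keys:", result["wif_keys"])
```

The point of the index check is that a screen also contains unrelated numbers ("12 words in order"), so matching on the wallet's exact numbered layout is what turns noisy accessibility text into a clean phrase; that is why the parser has to be written per wallet, as the report notes. On the defensive side, wallet developers can keep these views out of accessibility logging entirely (on Android 14 and later, for example, by marking them accessibility-data-sensitive so only genuine accessibility tools can read them), which removes the input this parser depends on.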
Beyond the additional parser, the updated malware features a capability that allows cybercriminals to modify the contact list on an infected device. The MTI team suspects this feature enables attackers to add a phone number under a convincing name, such as “Bank Support.” This contact could then be used to call the victim while appearing legitimate, potentially bypassing fraud prevention measures that flag unknown numbers.
According to the MTI team, Crocodilus is actively conducting cyber campaigns in Turkey and Spain, targeting users of major banks and cryptocurrency platforms. In Turkey, it disguises itself as an online casino and spreads through malicious advertisements, overlaying fake login pages on financial applications.
In Spain, it is distributed as a fake browser update, aiming at nearly all Spanish banks. Smaller campaigns have also been detected with global targets, affecting applications in Argentina, Brazil, the U.S., Indonesia, and India, the team added.