🛃 Cybersecurity researchers at Threat Fabric have discovered a new family of mobile malware that can trick Android users into revealing their cryptocurrency wallet seed phrases.

📃 According to a report from March 28, the Crocodilus malware uses fake screens on top of legitimate apps and displays a warning about the need to back up your crypto wallet key within a certain period of time.

🗣️ “After the victim enters the app password, a message appears on the screen: ‘Back up your wallet key in Settings within 12 hours. Otherwise, the app will be reset and you may lose access to your wallet,’” Threat Fabric explains.

🧙 This social engineering trick directs the user to the seed phrase section, which allows Crocodilus to collect this information via Android’s accessibility logger. Once the attackers obtain the seed phrase, they gain full control over the wallet and can “empty it completely.”

🐊 Crocodilus is a new malware that, according to experts, has all the features of modern hacking software, including screen overlay attacks, advanced data collection by capturing screens that contain sensitive information (such as passwords), and remote access to gain control over the infected device.

⚙️ The initial infection occurs when the malware is unintentionally downloaded as part of other software that bypasses Android 13 protection and other security mechanisms.

🛡️ Once installed, Crocodilus requests that the accessibility service be enabled, which allows the hackers to access the device.

“Once these rights are granted, the malware connects to the command and control (C2) server to receive instructions, including a list of target applications and screen overlays,” Threat Fabric notes.
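
A defender-side check for the accessibility step described above, as an added example that is not from Threat Fabric's report: it takes the output of `adb shell settings get secure enabled_accessibility_services` and `adb shell pm list packages -i` and lists enabled accessibility services whose package did not come from a trusted store. The package names and sample outputs are constructed, and treating only Google Play as trusted is an assumption.

```python
TRUSTED_INSTALLERS = {"com.android.vending"}  # assumption: only Google Play is trusted

# Constructed sample outputs (not from a real device or from the report).
SAMPLE_SERVICES = ("com.google.android.marvin.talkback/.TalkBackService:"
                   "com.example.updater/com.example.updater.HelperService")
SAMPLE_INSTALLERS = """\
package:com.google.android.marvin.talkback  installer=com.android.vending
package:com.example.updater  installer=null
package:com.example.wallet  installer=com.android.vending
"""

def parse_enabled_services(raw):
    """Split the colon-separated 'package/class' list into (package, class) pairs."""
    raw = raw.strip()
    if not raw or raw == "null":  # 'null' is printed when the setting is unset
        return []
    pairs = (comp.partition("/") for comp in raw.split(":"))
    return [(pkg, cls) for pkg, _, cls in pairs if pkg]

def parse_installers(raw):
    """Map package name -> installer package (None when no installer is recorded)."""
    installers = {}
    for line in raw.splitlines():
        fields = line.strip().split()
        if not fields or not fields[0].startswith("package:"):
            continue
        source = None
        for field in fields[1:]:
            if field.startswith("installer="):
                source = field.split("=", 1)[1]
        name = fields[0][len("package:"):]
        installers[name] = None if source == "null" else source
    return installers

def flag_services(services_raw, installers_raw, trusted=TRUSTED_INSTALLERS):
    """Return (package, service class, installer) for services not from a trusted store."""
    installers = parse_installers(installers_raw)
    findings = []
    for pkg, cls in parse_enabled_services(services_raw):
        source = installers.get(pkg)
        if source not in trusted:
            findings.append((pkg, cls, source or "unknown"))
    return findings

if __name__ == "__main__":
    for pkg, cls, source in flag_services(SAMPLE_SERVICES, SAMPLE_INSTALLERS):
        print(f"REVIEW {pkg} ({cls}) installer={source}")
```

Preinstalled system packages also report no installer, so a flagged entry is a prompt for review rather than a verdict.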

🔐 The malware runs continuously, monitoring application launches and displaying overlays to intercept credentials. When the targeted banking or cryptocurrency app is opened, a fake screen is launched on top of it, and the hackers take control of the device.

“With stolen personal data and credentials, attackers can take full control of the victim’s device using built-in remote access and secretly make fraudulent transactions,” the experts warn.
