Cybersecurity experts have identified a new strain of mobile malware capable of creating deceptive overlays for specific applications, luring Android users into revealing their cryptocurrency seed phrases while taking control of their devices.
In a report released on March 28, analysts noted that this malware, dubbed Crocodilus, employs screen overlays that warn users to back up their cryptocurrency wallet key by a certain deadline, failing which they could lose access.
“When a target inputs their password in the application, the overlay presents a message: ‘Back up your wallet key in the settings within 12 hours. Otherwise, the app will reset, and you may lose access to your wallet,’” the analysts stated.
“This social engineering tactic prompts the victim to navigate to their seed phrase wallet key, allowing Crocodilus to capture the text using its accessibility logger.”
Once the malicious actors obtain the seed phrase, they can entirely take over the wallet and deplete its assets.
Despite being a relatively new malware, Crocodilus displays all the characteristics of contemporary banking malware, featuring overlay attacks, sophisticated data collection via screen captures of sensitive information like passwords, and remote access capabilities to control the compromised device.
The initial infection reportedly occurs when the malware is unwittingly installed by way of other software that bypasses Android 13 security measures. Once installed, Crocodilus asks the user to enable accessibility services; granting that permission is what hands the attackers control of the device.
“Upon permission approval, the malware connects to a command-and-control (C2) server to receive directives, including a list of targeted applications and the overlays to deploy,” the analysts explained.
It runs continuously, monitoring app launches and presenting overlays to capture login credentials. When a targeted banking or cryptocurrency application is opened, the counterfeit overlay is drawn on top of it and the device audio is muted, allowing the attackers to take control of the device.
“With the stolen personal information and credentials, malicious actors can gain full control of a victim’s device using built-in remote access, executing fraudulent transactions without detection,” they added.
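Because the chain described above hinges on the user granting an accessibility service, one practical defender-side check is to compare the accessibility services enabled on a device against an allowlist and correlate any unknown ones with how their package was installed. The helper below is an added example written for this article, not code from the report or from the malware analysts; it assumes the caller has already captured the output of `adb shell settings get secure enabled_accessibility_services` (a colon-separated list of `package/service` component names) and of `adb shell pm list packages -i` (one `package:<pkg>  installer=<pkg or null>` line per app), and the allowlist and sample device output are constructed for illustration.

```python
"""
Triage helper: flag enabled Android accessibility services that are not on a
known-good allowlist, and note whether their package was sideloaded.

Added example (not from the report). Assumptions:
  * `raw_services` is the value of
        adb shell settings get secure enabled_accessibility_services
    which is ':'-separated ComponentName strings ("package/service"), or "null".
  * `pm_output` is the output of `adb shell pm list packages -i`, whose lines look
    like "package:com.foo  installer=com.android.vending" (installer=null when
    the app was not installed by a store).
"""
import re
from typing import Dict, List, Optional

# Constructed allowlist maintained by the defender; real fleets will differ.
KNOWN_GOOD_SERVICES = {
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService",
    "com.android.switchaccess/com.android.switchaccess.SwitchAccessService",
}

# Constructed installer identifiers treated as "store" installs (assumption).
STORE_INSTALLERS = {"com.android.vending"}

_PM_LINE = re.compile(r"^package:(\S+)\s+installer=(\S+)\s*$")


def parse_enabled_services(raw_services: str) -> List[str]:
    """Split the raw setting into component names; unset reads as '' or 'null'."""
    raw = (raw_services or "").strip()
    if raw in ("", "null"):
        return []
    return [e.strip() for e in raw.split(":") if e.strip()]


def parse_installers(pm_output: str) -> Dict[str, Optional[str]]:
    """Map package name -> installer package (None when 'null' / sideloaded)."""
    installers: Dict[str, Optional[str]] = {}
    for line in pm_output.splitlines():
        m = _PM_LINE.match(line.strip())
        if not m:
            continue  # skip blank lines or lines without an installer field
        pkg, installer = m.group(1), m.group(2)
        installers[pkg] = None if installer == "null" else installer
    return installers


def package_of(component: str) -> str:
    """'pkg/cls' -> 'pkg'; accessibility components are always package/class."""
    return component.split("/", 1)[0]


def triage_accessibility(raw_services: str, pm_output: str,
                         allowlist=KNOWN_GOOD_SERVICES) -> List[dict]:
    """Return one finding per enabled service not on the allowlist.

    Each finding records the component, its package, the installer (or None)
    and whether the package looks sideloaded, i.e. no store installer recorded.
    """
    installers = parse_installers(pm_output)
    findings = []
    for component in parse_enabled_services(raw_services):
        if component in allowlist:
            continue
        pkg = package_of(component)
        installer = installers.get(pkg)
        findings.append({
            "component": component,
            "package": pkg,
            "installer": installer,
            "sideloaded": installer not in STORE_INSTALLERS,
        })
    return findings


# Constructed sample device output: one legitimate service and one unknown
# service whose package has no store installer.
SAMPLE_SERVICES = (
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:"
    "com.example.dropper/com.example.dropper.AccService"
)
SAMPLE_PM = (
    "package:com.google.android.marvin.talkback  installer=com.android.vending\n"
    "package:com.example.dropper  installer=null\n"
)

if __name__ == "__main__":
    for f in triage_accessibility(SAMPLE_SERVICES, SAMPLE_PM):
        print(f"UNEXPECTED accessibility service: {f['component']} "
              f"(installer={f['installer']}, sideloaded={f['sideloaded']})")
```

The allowlist approach is deliberately conservative: any accessibility service the fleet owner has not explicitly approved is surfaced, and the sideloaded flag gives the analyst a quick prioritisation signal, since a service whose package has no store installer matches the installation path described for this family.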
The Mobile Threat Intelligence team has found that the malware mainly targets users in Turkey and Spain, although its targeting is expected to widen over time.
They also suggest the developers may be Turkish, based on comments found in the code, and speculate that an individual known as Sybra, or another actor experimenting with new software, could be behind this malware.
“The rise of the Crocodilus mobile banking Trojan signifies a notable increase in the complexity and threat posed by modern malware.”
“With its advanced device takeover functionalities, remote control features, and the implementation of black overlay attacks from its earliest versions, Crocodilus exhibits a level of sophistication rarely seen in newly discovered threats.”