Android malware ‘Crocodilus’ can take over phones to steal crypto
2025-03-31 19:04:28 Primitive Reading

 

Cybersecurity firm Threat Fabric says it has found a new family of mobile-device malware that can launch a fake overlay for certain apps to trick Android users into providing their crypto seed phrases as it takes over the device.

Threat Fabric analysts said in a March 28 report that the Crocodilus malware uses a screen overlay warning users to back up their crypto wallet key by a specific deadline or risk losing access.

“Once a victim provides a password from the application, the overlay will display a message: Back up your wallet key in the settings within 12 hours. Otherwise, the app will be reset, and you may lose access to your wallet,” Threat Fabric said. 

“This social engineering trick guides the victim to navigate to their seed phrase wallet key, allowing Crocodilus to harvest the text using its accessibility logger.” 

Once the threat actors have the seed phrase, they can seize complete control of the wallet and “drain it completely.” 

Threat Fabric says despite it being a new malware, Crocodilus has all the features of modern banking malware, with overlay attacks, advanced data harvesting through screen capture of sensitive information such as passwords and remote access to take control of the infected device. 

Initial infection occurs by inadvertently downloading the malware in other software that bypasses Android 13 and security protections, according to Threat Fabric. 

Once installed, Crocodilus requests accessibility service to be enabled, which enables the hackers to gain access to the device. 

“Once granted, the malware connects to the command-and-control (C2) server to receive instructions, including the list of target applications and the overlays to be used,” Threat Fabric said. 

It runs continuously, monitoring app launches and displaying overlays to intercept credentials. When a targeted banking or cryptocurrency app is opened, the fake overlay launches over the top and mutes the sound while the hackers take control of the device.  

Disclaimer: This specification is preliminary and is subject to change at any time without notice. Amazon Finance assumes no responsibility for any errors contained herein.

Amazon Finance
Voices from the Amazon rainforest
Recommended reading
Centralization and the dark side of asset tokenization — MEXC exec

10-22     admin     8058 Reading
SEC Commissioner Calls for 7 Crypto Reforms That Corner Congress With Urgency

10-22     admin     8673 Reading
Coinbase Rallies Behind Incoming SEC Chair Promising Full Focus on Crypto Clarity

10-22     admin     6575 Reading
Sei Foundation Explores Buying 23andMe to Put Genetic Data on Blockchain

10-22     admin     15402 Reading
Darkweb actors claim to have over 100K of Gemini, Binance user info

10-22     admin     12609 Reading
Crypto.com probe by the SEC has officially closed, says CEO

10-22     admin     7386 Reading
Bear markets are temporary — airdrops are forever

10-22     admin     15053 Reading
The second wave of stablecoins is coming: 5 new common sense we need to know

10-22     admin     7063 Reading
Rethinking Ownership, Stablecoins, and Tokenization from First Principles

10-22     admin     16182 Reading
FDIC Clears Path for Bank Crypto Activities Without Prior Approval

10-22     admin     18514 Reading
Michael Saylor’s $200 Trillion Bitcoin Strategy: U.S. BTC Domination and Immortality

10-22     admin     12120 Reading
Bitcoin Miner MARA Starts Massive $2B Stock Sale Plan to Buy More BTC

10-22     admin     15971 Reading
Potential Bitcoin price fall to $65K ‘irrelevant’ since central bank liquidity is coming — Analyst

10-22     admin     16023 Reading
Trump SEC Pick Paul Atkins’ Crypto Ties Draw Sen. Warren’s Ire Ahead of Confirmation Hearing

10-22     admin     9494 Reading
SEC has officially closed its investigation into Crypto.com, CEO says

10-22     admin     14070 Reading

Copyright © Amazon Finance