AInvest Newsletter
Daily stocks & crypto headlines, free to your inbox
Cybersecurity firm Threat Fabric has identified a new family of mobile-device malware named Crocodilus, which is designed to take over Android devices and steal cryptocurrency. The malware employs sophisticated techniques, including remote control, black screen overlays, and data harvesting through accessibility logging. Its primary targets are users in Spain and Turkey, and it masquerades as Chrome to bypass the restrictions Android 13+ places on sideloaded apps.
Once installed, Crocodilus requests permission to use Android's accessibility services and establishes contact with a remote server to receive instructions and target lists. It intercepts credentials by displaying fake overlays and captures every action performed on the screen. This includes triggering screen captures of the Google Authenticator application, allowing the malware to log all activity and gain full control of the victim's wallets.
One of the most concerning features of Crocodilus is its targeting of cryptocurrency wallets. The malware displays an alert message urging victims to back up their seed phrases, a social engineering trick designed to make users navigate to and reveal their seed phrases, which are then harvested through the abuse of accessibility services. This allows the threat actors to drain the assets from the wallets.
Crocodilus also includes features such as launching specified applications, self-removal from the device, posting push notifications, sending SMS messages, retrieving contact lists, and requesting device admin privileges. The malware can enable a black overlay to conceal its actions and mute sounds, ensuring that its activities remain unnoticed by the victims.
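Because the takeover described above hinges on a sideloaded app being granted accessibility access, a defender's first check on a suspect device is which accessibility services are actually enabled. The following is an added example, not code from Threat Fabric's report: it parses the value of the Android secure setting `enabled_accessibility_services` (as returned by `adb shell settings get secure enabled_accessibility_services`) and flags services from packages outside a constructed allowlist, plus any package that labels itself "Chrome" without carrying Chrome's real package name. The sample setting string and label map are constructed for illustration.

```python
from typing import Dict, List, Tuple

# Constructed allowlist: accessibility providers a managed fleet expects to see.
ALLOWED_ACCESSIBILITY_PACKAGES = {"com.google.android.marvin.talkback"}
CHROME_PACKAGE = "com.android.chrome"  # the genuine Chrome package name


def parse_enabled_services(setting: str) -> List[Tuple[str, str]]:
    """Split the flattened ComponentName list 'pkg/cls:pkg2/cls2' into (pkg, cls) pairs.

    The setting reads 'null' (or is empty) when no service is enabled; a class
    given in short form ('.Svc') is relative to its package and is expanded.
    """
    if setting is None or setting.strip() in ("", "null"):
        return []
    services = []
    for item in setting.split(":"):
        item = item.strip()
        if not item:
            continue
        pkg, _, cls = item.partition("/")
        if cls.startswith("."):
            cls = pkg + cls
        services.append((pkg, cls))
    return services


def audit_accessibility(setting: str, labels: Dict[str, str]) -> List[str]:
    """Return human-readable findings for unexpected or masquerading services.

    `labels` maps package name -> user-visible app label, as collected by the
    analyst (e.g. from `dumpsys package`). Unknown packages are labelled '?'.
    """
    findings = []
    for pkg, cls in parse_enabled_services(setting):
        label = labels.get(pkg, "?")
        if pkg not in ALLOWED_ACCESSIBILITY_PACKAGES:
            findings.append(f"unexpected accessibility service {cls} (label: {label})")
        if "chrome" in label.lower() and pkg != CHROME_PACKAGE:
            findings.append(f"package {pkg} is labelled '{label}' but is not {CHROME_PACKAGE}")
    return findings


# Constructed sample: TalkBack plus a sideloaded app posing as Chrome.
SAMPLE_SETTING = ("com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService"
                  ":com.example.dropper/.CoreService")
SAMPLE_LABELS = {"com.google.android.marvin.talkback": "TalkBack", "com.example.dropper": "Chrome"}

if __name__ == "__main__":
    for finding in audit_accessibility(SAMPLE_SETTING, SAMPLE_LABELS):
        print(finding)
```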
The emergence of Crocodilus marks a significant escalation in the sophistication and threat level posed by modern malware. With its advanced device-takeover capabilities and remote control features, Crocodilus demonstrates a level of maturity uncommon in newly discovered threats. The malware's ability to exploit accessibility features to steal sensitive banking and cryptocurrency credentials highlights the need for enhanced security measures to protect users from such advanced threats.
Threat Fabric's Mobile Threat Intelligence team has found the malware targets users in Turkey and Spain but said the scope of use will likely broaden over time. They also speculate the developers could speak Turkish, based on the notes in the code, and added that a threat actor known as Sybra or another hacker testing out new software could be behind the malware.