[Image: Android malware. A new Android malware has emerged, equipped with modern techniques to drain crypto wallets. Credit: Unsplash]

KEY POINTS

  • ThreatFabric warned that the Crocodilus malware family was a "fully-fledged threat"
  • Crocodilus allows attackers to have remote control of Android devices
  • The malware also launches black screen overlays to harvest user data, including seed phrases

Security threats constantly hound the cryptocurrency industry, especially now that adoption is growing and more people are exploring digital assets. Recently, a cybersecurity team identified Crocodilus, a new family of Android malware designed to steal crypto assets.

Cybersecurity firm ThreatFabric revealed in a recent report that the new "highly capable" malware was equipped with modern techniques to take control of Android devices remotely.

Cybersecurity experts warn against "fully-fledged threat"

According to the team at ThreatFabric, Crocodilus utilizes a modus operandi similar to what threat experts see from a "modern Device Takeover banking Trojan."

The initial installation is completed through a proprietary dropper that bypasses the Restricted Settings protection Android 13 and later apply to sideloaded apps, and once installed, Crocodilus asks the user to enable its Accessibility Service.

Once the user grants that request, the malware takes over the device and runs continuously. ThreatFabric noted that "cryptocurrency wallets" were among the targets observed.
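The whole attack hinges on one prerequisite: a non-system app with Accessibility Service enabled that can read screen content and inject input. The following is an added example (not code from ThreatFabric or from any wallet vendor) of the kind of device-side check a wallet or banking app can run before showing sensitive screens. It enumerates every enabled accessibility service and flags the ones that match the Trojan profile: not preinstalled, not installed by a trusted store, and able to read window content or perform gestures. The `TRUSTED_INSTALLERS` set and the `AccessibilityFinding` type are assumptions for this example.

```kotlin
import android.accessibilityservice.AccessibilityServiceInfo
import android.content.Context
import android.content.pm.ApplicationInfo
import android.content.pm.PackageManager
import android.os.Build
import android.view.accessibility.AccessibilityManager

// Installers accepted as trusted (assumption for this example: Google Play and the
// Samsung store). Anything else, including null (adb or direct APK install), is not.
private val TRUSTED_INSTALLERS = setOf("com.android.vending", "com.sec.android.app.samsungapps")

// One enabled accessibility service that matches the device-takeover profile.
data class AccessibilityFinding(
    val serviceId: String,
    val packageName: String,
    val reasons: List<String>,
)

// Which package installed `pkg`; null means no recorded source (sideloaded) or the
// package is not visible to this app (Android 11+ package visibility filtering).
private fun installerOf(pm: PackageManager, pkg: String): String? = try {
    if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.R) {
        pm.getInstallSourceInfo(pkg).installingPackageName
    } else {
        @Suppress("DEPRECATION")
        pm.getInstallerPackageName(pkg)
    }
} catch (e: Exception) {
    null
}

// Flags every enabled accessibility service that is (a) not a system app, (b) not from a
// trusted installer and (c) able to read on-screen text (an "accessibility logger") or
// inject gestures (remote control). Preinstalled services such as TalkBack are skipped.
fun assessAccessibilityRisk(context: Context): List<AccessibilityFinding> {
    val am = context.getSystemService(Context.ACCESSIBILITY_SERVICE) as AccessibilityManager
    val pm = context.packageManager
    val findings = mutableListOf<AccessibilityFinding>()

    for (info in am.getEnabledAccessibilityServiceList(AccessibilityServiceInfo.FEEDBACK_ALL_MASK)) {
        val pkg = info.resolveInfo.serviceInfo.packageName
        val appInfo = try {
            pm.getApplicationInfo(pkg, 0)
        } catch (e: PackageManager.NameNotFoundException) {
            null // not visible to us: treat as unknown, not as trusted
        }
        if (appInfo != null && (appInfo.flags and ApplicationInfo.FLAG_SYSTEM) != 0) continue

        val reasons = mutableListOf<String>()
        val caps = info.capabilities
        if ((caps and AccessibilityServiceInfo.CAPABILITY_CAN_RETRIEVE_WINDOW_CONTENT) != 0) {
            reasons += "can read on-screen text (accessibility logging)"
        }
        if ((caps and AccessibilityServiceInfo.CAPABILITY_CAN_PERFORM_GESTURES) != 0) {
            reasons += "can inject taps and swipes (remote control)"
        }
        val riskyCapability = reasons.isNotEmpty()

        val installer = installerOf(pm, pkg)
        val untrustedInstaller = installer !in TRUSTED_INSTALLERS
        if (untrustedInstaller) {
            reasons += "installed by ${installer ?: "unknown source (sideloaded)"}"
        }

        if (riskyCapability && untrustedInstaller) {
            findings += AccessibilityFinding(info.id, pkg, reasons)
        }
    }
    return findings
}
```

A non-empty result is a signal, not proof: a legitimate third-party screen reader sideloaded by a power user looks the same. Treat it as one input to a risk decision (warn, require re-authentication, or refuse to display a recovery phrase), and note that on Android 11 and later the app needs package-visibility declarations (`<queries>` or `QUERY_ALL_PACKAGES`, which Google Play restricts) for the installer lookup on other packages to succeed; the code deliberately treats a failed lookup as untrusted rather than silently trusting it.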

"Crocodilus enters the scene not as a simple clone, but as a fully-fledged threat from the outset, equipped with modern techniques such as remote control, black screen overlays, and advanced data harvesting via accessibility logging," the experts wrote.

Novel malware attacking crypto wallets via "social engineering trick"

ThreatFabric pointed to a "notable detail" on how Crocodilus attacked crypto wallets.

Once a victim enters their password or PIN in the wallet app, an overlay displays a message telling them to back up their wallet key or lose access.

This "social engineering trick" then guides the victim to navigate to their seed phrase, "allowing Crocodilus to harvest the text using its Accessibility Logger."

Once the data is harvested, the threat actors "can seize full control of the wallet and drain it completely."
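The harvesting step works because the seed phrase is rendered as ordinary text that any accessibility service can read, under an overlay the wallet app does nothing about. Below is an added example (not code from the ThreatFabric report or from any wallet) of how the recovery-phrase screen of an Android wallet can be hardened against exactly this sequence; the activity, layout id `R.layout.activity_seed_phrase`, view id `R.id.seed_phrase` and the `loadSeedPhrase()` helper are assumptions for this example.

```kotlin
import android.os.Build
import android.os.Bundle
import android.view.View
import android.view.WindowManager
import android.widget.TextView
import androidx.appcompat.app.AppCompatActivity

// Screen that reveals the wallet's recovery (seed) phrase. Layout and view ids are
// assumptions for this example.
class SeedPhraseActivity : AppCompatActivity() {

    override fun onCreate(savedInstanceState: Bundle?) {
        super.onCreate(savedInstanceState)

        // 1. No screenshots or screen recording of this window, and no mirroring to
        //    non-secure displays.
        window.addFlags(WindowManager.LayoutParams.FLAG_SECURE)

        // 2. Android 12+: hide other apps' SYSTEM_ALERT_WINDOW overlays while this window
        //    is on top, so a fake "back up your key" banner cannot be drawn over the phrase.
        //    Requires <uses-permission android:name="android.permission.HIDE_OVERLAY_WINDOWS"/>.
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.S) {
            window.setHideOverlayWindows(true)
        }

        setContentView(R.layout.activity_seed_phrase)
        val phraseView = findViewById<TextView>(R.id.seed_phrase)

        // 3. Drop touches delivered while another window obscures this view (tapjacking).
        phraseView.filterTouchesWhenObscured = true

        // 4. Keep the words out of the accessibility node tree. On Android 14+ a data-sensitive
        //    view is hidden from services that are not declared as accessibility tools. Older
        //    releases only have "not important", which a service can override by opting in to
        //    FLAG_INCLUDE_NOT_IMPORTANT_VIEWS, so it is a weak control there.
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.UPSIDE_DOWN_CAKE) {
            phraseView.accessibilityDataSensitive = View.ACCESSIBILITY_DATA_SENSITIVE_YES
        } else {
            phraseView.importantForAccessibility = View.IMPORTANT_FOR_ACCESSIBILITY_NO
        }

        phraseView.text = loadSeedPhrase()
    }

    override fun onPause() {
        // 5. Never leave the phrase on screen once the activity loses the foreground, for
        //    example because an overlay or another activity was pushed over it.
        findViewById<TextView>(R.id.seed_phrase).text = ""
        super.onPause()
    }

    // Assumed helper: the phrase comes from the wallet's keystore-backed storage, never
    // from an Intent extra or a log line.
    private fun loadSeedPhrase(): String = TODO("read from keystore-backed wallet storage")
}
```

None of these controls is complete on its own. A malicious service that declares itself an accessibility tool still sees a data-sensitive view on Android 14, and nothing here stops a victim who has been talked into reading the phrase aloud or typing it elsewhere. The point of the layering is that each step removes one of the cheap paths the report describes: the overlay, the screenshot, and the accessibility logger reading the text straight off the screen. Pair the screen with a check of which accessibility services are enabled and refuse to reveal the phrase while an untrusted one is active.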

What Crocodilus signals about mobile malware

The ThreatFabric team said the rise of the new mobile banking Trojan marked a massive "escalation in the sophistication and threat level posed by modern malware."

Crocodilus' notable device takeover capabilities and remote control features demonstrate a much higher level of maturity not usually detected in new threats.

So far, the team has observed attacks on "popular cryptocurrency wallets" but did not specify which wallets have been targeted.

For context only, the Forbes Best Crypto Wallets rankings list Coinbase Wallet Web3, MetaMask Crypto Wallet, Crypto.com DeFi Wallet, Exodus Crypto Wallet, and Gemini Crypto Wallet as its top five; the report does not say whether any of these were targeted.

The team advised financial institutions to adopt a layered security approach that includes thorough device- and behavior-based risk analysis on customer devices, so that infections by malware like Crocodilus can be detected and blocked before an account is drained.

The report came some two weeks after Microsoft revealed it has discovered a new Trojan malware, StilachiRAT, which operated with stealth and employed sophisticated techniques to breach crypto wallets.