{"id":126118,"date":"2025-03-31T03:16:32","date_gmt":"2025-03-31T03:16:32","guid":{"rendered":"http:\/\/cryptospotters.net\/?p=126118"},"modified":"2025-03-31T03:16:32","modified_gmt":"2025-03-31T03:16:32","slug":"android-malware-crocodilus-can-take-over-phones-to-steal-crypto","status":"publish","type":"post","link":"http:\/\/cryptospotters.net\/?p=126118","title":{"rendered":"Android malware \u2018Crocodilus\u2019 can take over phones to steal crypto"},"content":{"rendered":"<p>Source: Cointelegraph.com NewsCybersecurity firm Threat Fabric says it has found a new family of mobile-device malware that can launch a fake overlay for certain apps to trick Android users into providing their crypto seed phrases as it takes over the device.<br \/>\nThreat Fabric analysts said in a March 28 report that the Crocodilus malware uses a screen overlay warning users to back up their crypto wallet key by a specific deadline or risk losing access.<br \/>\n\u201cOnce a victim provides a password from the application, the overlay will display a message: Back up your wallet key in the settings within 12 hours. Otherwise, the app will be reset, and you may lose access to your wallet,\u201d Threat Fabric said.\u00a0<br \/>\n\u201cThis social engineering trick guides the victim to navigate to their seed phrase wallet key, allowing Crocodilus to harvest the text using its accessibility logger.\u201d\u00a0<br \/>\nSource: Threat FabricOnce the threat actors have the seed phrase, they can seize complete control of the wallet and \u201cdrain it completely.\u201d\u00a0<br \/>\nThreat Fabric says despite it being a new malware, Crocodilus has all the features of modern banking malware, with overlay attacks, advanced data harvesting through screen capture of sensitive information such as passwords and remote access to take control of the infected device.\u00a0<br \/>\nInitial infection occurs by inadvertently downloading the malware in other software that bypasses Android 13 and security protections, according to Threat Fabric.\u00a0<br \/>\nOnce installed, Crocodilus requests accessibility service to be enabled, which enables the hackers to gain access to the device.\u00a0<br \/>\n\u201cOnce granted, the malware connects to the command-and-control (C2) server to receive instructions, including the list of target applications and the overlays to be used,\u201d Threat Fabric said.\u00a0<br \/>\nOnce installed, Crocodilus requests accessibility service to be enabled, granting hackers access to the device. Source: Threat FabricIt runs continuously, monitoring app launches and displaying overlays to intercept credentials. When a targeted banking or cryptocurrency app is opened, the fake overlay launches over the top and mutes the sound while the hackers take control of the device.\u00a0\u00a0<br \/>\n\u201cWith stolen PII and credentials, threat actors can take full control of a victim\u2019s device using built-in remote access, completing fraudulent transactions without detection,\u201d Threat Fabric said.\u00a0<br \/>\nThreat Fabrix\u2019s Mobile Threat Intelligence team has found the malware targets users in Turkey and Spain but said the scope of use will likely broaden over time.\u00a0<br \/>\nRelated: Beware of \u2018cracked\u2019 TradingView \u2014 it\u2019s a crypto-stealing trojan<br \/>\nThey also speculate the developers could speak Turkish, based on the notes in the code, and added that a threat actor known as Sybra or another hacker testing out new software could be behind the malware.\u00a0<br \/>\n\u201cThe emergence of the Crocodilus mobile banking Trojan marks a significant escalation in the sophistication and threat level posed by modern malware.\u201d\u00a0<br \/>\n\u201cWith its advanced Device-Takeover capabilities, remote control features, and the deployment of black overlay attacks from its earliest iterations, Crocodilus demonstrates a level of maturity uncommon in newly discovered threats,\u201d Threat Fabric added.\u00a0<br \/>\nMagazine: Ridiculous \u2018Chinese Mint\u2019 crypto scam, Japan dives into stablecoins: Asia Express<a href=\"https:\/\/cointelegraph.com\/news\/andriod-malware-crocodilus-can-take-over-phones-to-steal-crypto?utm_source=rss_feed&amp;utm_medium=rss&amp;utm_campaign=rss_partner_inbound\" target=\"_blank\" class=\"feedzy-rss-link-icon\" rel=\"noopener\">Read More<\/a><\/p>","protected":false},"excerpt":{"rendered":"<p>Source: Cointelegraph.com NewsCybersecurity firm Threat Fabric says it has found a new family of mobile-device malware that can launch a fake overlay for certain apps to trick Android users into&hellip; <\/p>\n","protected":false},"author":0,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[5],"tags":[],"_links":{"self":[{"href":"http:\/\/cryptospotters.net\/index.php?rest_route=\/wp\/v2\/posts\/126118"}],"collection":[{"href":"http:\/\/cryptospotters.net\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/cryptospotters.net\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"http:\/\/cryptospotters.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=126118"}],"version-history":[{"count":0,"href":"http:\/\/cryptospotters.net\/index.php?rest_route=\/wp\/v2\/posts\/126118\/revisions"}],"wp:attachment":[{"href":"http:\/\/cryptospotters.net\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=126118"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/cryptospotters.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=126118"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/cryptospotters.net\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=126118"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}