Summary: A new Android malware named Crocodilus employs social engineering tactics to lure users into revealing their cryptocurrency wallet seed phrases. Disseminated through a sophisticated dropper that evades Android security, it allows attackers to hijack devices and compromise bank accounts. Initially reported in Turkey and Spain, it demonstrates extensive capabilities to remotely control the device and manipulate users, putting their financial assets at risk.
Affected: Android users, particularly cryptocurrency holders in Turkey and Spain
Key points:
- Prompts users to provide their wallet seed phrase via a fake warning to “backup”
- Bypasses Android 13 security features and Play Protect without triggering alerts
- Employs Accessibility Service to monitor and control app behavior
- Targets banking and cryptocurrency applications with overlay tactics to steal credentials
- Contains remote access trojan (RAT) capabilities allowing extensive control over the infected device
- Currently detected in Turkey and Spain, with potential for expanding its target range
- Users are advised not to install APKs from outside Google Play and to keep Play Protect enabled
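The two behaviours the key points single out, an Accessibility Service granted to an app and an APK that did not come from Google Play, can be cross-checked on a device during triage. The following is an added example written for this summary, not code from the report or from the malware; it parses the real output formats of `adb shell settings get secure enabled_accessibility_services` and `adb shell pm list packages -i`, and the package names in the sample data are constructed.

```python
# Added triage helper: flag apps that hold an enabled Accessibility Service but
# were not installed by Google Play (installer com.android.vending), the
# combination this report describes. Inputs are the raw strings returned by:
#   adb shell settings get secure enabled_accessibility_services
#   adb shell pm list packages -i
PLAY_STORE_INSTALLER = "com.android.vending"

def parse_enabled_services(settings_value: str) -> list[tuple[str, str]]:
    """Split 'pkg/cls:pkg2/cls2' into (package, service class) pairs."""
    pairs = []
    for entry in settings_value.strip().split(":"):
        if not entry:
            continue
        pkg, _, cls = entry.partition("/")
        pairs.append((pkg, cls))
    return pairs

def parse_installers(pm_output: str) -> dict[str, str]:
    """Map package -> installer from 'package:<pkg>  installer=<src>' lines."""
    installers = {}
    for line in pm_output.splitlines():
        line = line.strip()
        if not line.startswith("package:"):
            continue
        body = line[len("package:"):]
        pkg, _, rest = body.partition("installer=")
        installers[pkg.strip()] = rest.strip() or "null"
    return installers

def find_suspicious(settings_value: str, pm_output: str) -> list[dict]:
    """Return every accessibility-enabled app whose installer is not Google Play."""
    installers = parse_installers(pm_output)
    findings = []
    for pkg, cls in parse_enabled_services(settings_value):
        src = installers.get(pkg, "unknown")
        if src != PLAY_STORE_INSTALLER:
            findings.append({"package": pkg, "service": cls, "installer": src})
    return findings

# Constructed sample data: TalkBack from Play, plus a sideloaded app holding accessibility.
SAMPLE_SETTINGS = ("com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService"
                   ":com.example.sideloaded/com.example.sideloaded.AccService")
SAMPLE_PM = """package:com.google.android.marvin.talkback  installer=com.android.vending
package:com.example.sideloaded  installer=null
package:com.android.chrome  installer=com.android.vending
"""

if __name__ == "__main__":
    for f in find_suspicious(SAMPLE_SETTINGS, SAMPLE_PM):
        print(f"REVIEW: {f['package']} ({f['service']}) installed via {f['installer']}")
```

A hit is a lead for review, not proof of infection: enterprise MDM or OEM-preinstalled accessibility tools will also show a non-Play installer.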