Stratos Ally

Hackers use New Crocodilus malware to steal Android users’ crypto wallet keys 


StratosAlly


Security researchers are warning about a new and dangerous Android malware. The malware, dubbed “Crocodilus,” is actively targeting cryptocurrency users by stealing their critical wallet seed phrases. It utilizes sophisticated techniques to bypass Android’s security measures, thus posing a significant threat to users and their systems. 
 
Crocodilus operates by disguising itself as a legitimate application and tricking users into entering their sensitive seed phrases through a fake security backup warning. The malware displays a convincing overlay on the user's screen instructing them to back up their wallet key settings within 12 hours or risk losing access to their wallet. This social engineering creates a sense of urgency; once the victim enters the seed phrase, the malware records it with its Accessibility Logger and transmits it to the attackers, granting them full control over the victim's cryptocurrency assets.
 
As per researchers, Crocodilus is distributed using a custom dropper that allows it to install itself without requiring typical user permissions, providing it the capability to evade Google Play Protect’s built-in defenses. Another particularly dangerous aspect is that it can also bypass the security enhancements introduced in Android 13 and later versions. 
 
Beyond seed phrase theft, Crocodilus has additional malicious capabilities, including remote device control, keylogging, data harvesting, and remote code execution. Its remote access trojan (RAT) functionality enables malicious actors to tap the screen, navigate the user interface, perform swipe gestures, and more. Using a dedicated RAT command, it can also take a screenshot of the Google Authenticator application and capture the OTP codes used for 2FA account protection. Of particular concern, while performing these actions the attackers can make the device appear locked by activating a black screen overlay and muting it. Despite being newly discovered, these functionalities make Crocodilus a potent tool for both financial theft and potential cyber espionage.
 
So far, Crocodilus' observed victims are users in Turkey and Spain, and the malware is suspected to be of Turkish origin. Security experts urge extreme caution when downloading Android applications. Users are advised to install apps only from the official Google Play Store, keep Play Protect enabled on their devices, and never enter a seed phrase into an application unless they are performing a legitimate wallet recovery they initiated themselves. They also advise treating any urgent security warning that demands immediate action with suspicion, and considering a hardware wallet for enhanced security.
