
Seed Phrase? Stolen. 2FA? Bypassed. Crocodilus Is Redefining Crypto Theft

New Malicious Code Crocodilus Threatens Crypto Wallets / Photo courtesy of Reve AI

A new piece of malware, Crocodilus, targeting Android cryptocurrency wallets has been discovered. It is named for the crocodile-related phrases inserted throughout its code. This cunning malware infiltrates devices and siphons off users’ digital assets, specifically targeting devices running Android 13 and above. Crocodilus employs a trifecta of attack vectors: overlay techniques, remote access, and social engineering tactics.

According to blockchain media CoinTelegraph on Tuesday, Crocodilus initiates its attack by requesting accessibility service permissions. Once granted, it establishes a connection with the attacker’s command and control (C2) server. This connection enables the malware to generate screen overlays, enable keylogging, and take remote control of the infected device. The most insidious aspect of Crocodilus is its ability to display fake backup notifications when users attempt to log into their cryptocurrency wallet apps. This tactic tricks users into entering their seed phrases, which are then instantly transmitted to the attacker, facilitating the theft of assets.

Perhaps most alarmingly, Crocodilus has demonstrated the ability to circumvent two-factor authentication (2FA). It accomplishes this by capturing authentication codes from apps like Google Authenticator through screen recording and relaying them to the C2 server. The malware can even create the illusion that the device is locked by displaying a black screen and muting audio, further deceiving the user.

Cybersecurity experts are urging immediate action for anyone who suspects their device may be infected. If a wallet app displays suspicious backup notifications, users are advised to delete the app immediately and perform a factory reset on their device. Blockchain analytics firm Chainalysis reports that in 2024 alone, cryptocurrency hacks resulted in the theft of assets valued at 51 billion USD. Experts predict that the scale of such attacks will only increase in 2025.
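
A defender-side check for the accessibility grant described above, added here as an example and not taken from the article or its sources: it lists enabled accessibility services whose package is not on an allowlist. The allowlist contents and the sample input string are constructed assumptions.

```shell
#!/bin/sh
# Added example: list enabled accessibility services outside an allowlist.
# On a device under review the input string comes from:
#   adb shell settings get secure enabled_accessibility_services
# It is a colon-separated list of package/service components, or "null".

# Assumption: packages your baseline expects to hold the permission.
ALLOWED_PKGS="com.google.android.marvin.talkback"

# Prints one line per enabled component whose package is not allowlisted.
flag_unexpected_services() {
    raw=$1
    case "$raw" in
        ""|null) return 0 ;;   # nothing enabled
    esac
    old_ifs=$IFS
    IFS=:
    set -f                      # no glob expansion while splitting
    for comp in $raw; do
        [ -n "$comp" ] || continue
        pkg=${comp%%/*}         # package part before the slash
        case " $ALLOWED_PKGS " in
            *" $pkg "*) ;;      # expected holder, skip
            *) printf '%s\n' "$comp" ;;
        esac
    done
    set +f
    IFS=$old_ifs
}

# Constructed sample: TalkBack plus a made-up sideloaded package.
SAMPLE="com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:com.example.walletupdate/.HelperService"

flag_unexpected_services "$SAMPLE"
```

Any component it prints is a candidate for review, not proof of infection.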
