
New Android Malware Crocodilus Uses Social Tricks To Steal Crypto Keys
Cybersecurity experts are sounding the alarm over a newly discovered Android malware called Crocodilus, which uses social engineering to steal cryptocurrency wallet credentials. With its ability to evade detection and bypass platform protections, this malicious software poses a significant threat to the security of mobile users worldwide.
Crocodilus is distributed through a proprietary dropper that bypasses Android 13 and later security protections, effectively evading Google’s Play Protect system. Once installed, it requests access to the Accessibility Service, which allows it to monitor screen content, simulate gestures, and interact with apps. This feature is intended to assist users with disabilities but has become a significant attack vector for malware.
The malware’s social engineering tactics are particularly concerning as they aim to deceive users into revealing their crypto wallet seed phrase within 12 hours or risk losing access. This prompt is designed to trick victims into navigating to their wallet’s seed phrase, which the malware logs using an Accessibility Logger. With access to this information, attackers can seize full control of the wallet.
Crocodilus also has a range of other capabilities, including:
* Loading fake overlays on top of banking or crypto apps to intercept credentials
* Allowing attackers to enable call forwarding, read and send SMS messages, post push notifications, launch applications, lock the screen, gain device admin privileges, set itself as the default SMS manager, mute or enable sound, activate a black overlay, and perform screen taps, swipe gestures, and take screenshots
* Providing Remote Access Trojan features that allow attackers to capture one-time passwords used for multi-factor authentication
The malware’s bot component supports 23 commands, enabling it to perform a range of malicious activities. Furthermore, it can activate a black screen overlay and mute the device while executing these operations, making it appear as if the device is locked or inactive.
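The grants listed above (an enabled Accessibility Service, device admin privileges, and the default SMS manager role) are also what a defender can audit on a handset. The Python script below is an added example, not code from the article or from the researchers who analysed Crocodilus. It parses text captured from `adb shell` (the `enabled_accessibility_services` and `sms_default_application` secure settings, and `dumpsys device_policy` output, whose exact line layout is assumed here) and flags any package holding one of those grants that is not on an allowlist. All package names and the sample output are constructed for the example.

```python
"""Triage helper: flag unexpected holders of the three Android grants the
article associates with Crocodilus (accessibility service, device admin,
default SMS app). Added example; input is captured `adb shell` text."""
import re

# Hypothetical allowlists: what this organisation expects to hold each grant.
KNOWN_ACCESSIBILITY = {"com.google.android.marvin.talkback"}
KNOWN_DEVICE_ADMINS = {"com.example.mdm"}            # constructed MDM package
KNOWN_SMS_APPS = {"com.google.android.apps.messaging"}


def parse_accessibility_services(value: str) -> list[str]:
    """`settings get secure enabled_accessibility_services` returns
    'pkg/ServiceClass:pkg2/ServiceClass2', or 'null' when none are enabled."""
    value = value.strip()
    if not value or value == "null":
        return []
    return [entry.split("/")[0] for entry in value.split(":") if entry]


def parse_device_admins(dumpsys: str) -> list[str]:
    """Pull admin ComponentNames out of `dumpsys device_policy` text.
    Assumed line shape: '    com.example.mdm/.AdminReceiver:'."""
    admins = []
    for line in dumpsys.splitlines():
        m = re.match(r"^\s*([A-Za-z0-9_.]+)/([A-Za-z0-9_.$]+):?\s*$", line)
        if m:
            admins.append(m.group(1))
    return admins


def audit(accessibility_value: str, dumpsys_text: str, default_sms: str):
    """Return (grant, package) pairs for packages outside the allowlists."""
    findings = []
    for pkg in parse_accessibility_services(accessibility_value):
        if pkg not in KNOWN_ACCESSIBILITY:
            findings.append(("accessibility", pkg))
    for pkg in parse_device_admins(dumpsys_text):
        if pkg not in KNOWN_DEVICE_ADMINS:
            findings.append(("device_admin", pkg))
    sms = default_sms.strip()
    if sms and sms != "null" and sms not in KNOWN_SMS_APPS:
        findings.append(("default_sms", sms))
    return findings


# Constructed sample output, as if captured with:
#   adb shell settings get secure enabled_accessibility_services
#   adb shell dumpsys device_policy
#   adb shell settings get secure sms_default_application
SAMPLE_ACCESSIBILITY = (
    "com.google.android.marvin.talkback/"
    "com.google.android.marvin.talkback.TalkBackService:"
    "com.example.sus/com.example.sus.AccService"
)
SAMPLE_DUMPSYS = """Current Device Policy Manager state:
  Enabled Device Admins (User 0, provisioningState: 0):
    com.example.mdm/.AdminReceiver:
      uid=10123
    com.example.sus/.DevAdminReceiver:
      uid=10456
"""
SAMPLE_SMS = "com.example.sus\n"

if __name__ == "__main__":
    for grant, pkg in audit(SAMPLE_ACCESSIBILITY, SAMPLE_DUMPSYS, SAMPLE_SMS):
        print(f"REVIEW: {pkg} holds unexpected grant '{grant}'")
```

A single unknown package appearing under all three grants, as in the constructed sample, is the pattern worth escalating; one of them alone may simply be a legitimate accessibility tool or a corporate MDM agent that belongs on the allowlist.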
While the method of initial infection has not been fully confirmed, it is believed that malicious websites, fake promotions on social media or SMS, and third-party app stores may be involved.
Source: https://www.forbes.com/sites/alexvakulov/2025/03/30/new-android-malware-crocodilus-uses-social-tricks-to-steal-crypto-keys/