Android malware Crocodilus steals crypto by tricking users with fake app overlays, bypassing security

From Cointelegraph

March 30, 2025 10:21 PM:

Cybersecurity firm Threat Fabric uncovers new mobile-device malware called Crocodilus that tricks Android users into providing their crypto seed phrases by using fake app overlays. Once the seed phrase is obtained, hackers can take control of the wallet and drain it completely. The malware bypasses Android 13 security protections and gains its foothold by getting the user to enable its accessibility service. Source: Threat Fabric

Crocodilus has the features of modern banking malware, including overlay attacks, data harvesting, and remote access. It relies on inadvertent downloads, gains control through the accessibility service, and connects to a command-and-control server for instructions. The malware continuously monitors app launches, displays overlays over targeted apps, and intercepts the credentials entered into them. Hackers can take full control of the device and complete fraudulent transactions undetected. Source: Threat Fabric
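Because the accessibility service is the foothold described above, one defensive check is to audit which accessibility services are enabled on a device. The following is an added example (not code from Threat Fabric or Cointelegraph): it parses the colon-separated value of Android's `enabled_accessibility_services` secure setting, as returned by `adb shell settings get secure enabled_accessibility_services`, and flags any service whose package is not on an allowlist. The allowlist entries and the sample setting value are constructed for illustration.

```python
from typing import Iterable

# Constructed allowlist of packages an organisation considers legitimate
# accessibility-service providers (assumption; real lists are site-specific).
KNOWN_GOOD_PACKAGES = {
    "com.google.android.marvin.talkback",
    "com.android.switchaccess",
}


def parse_enabled_services(setting_value: str) -> list[tuple[str, str]]:
    """Split the enabled_accessibility_services value into (package, class).

    Android stores the setting as flattened ComponentNames separated by ':'.
    A class name starting with '.' is relative to its package.
    """
    if not setting_value or setting_value.strip() == "null":
        return []
    components = []
    for entry in setting_value.split(":"):
        entry = entry.strip()
        if not entry or "/" not in entry:
            continue  # ignore empty or malformed fragments
        package, cls = entry.split("/", 1)
        if cls.startswith("."):
            cls = package + cls
        components.append((package, cls))
    return components


def flag_unexpected_services(setting_value: str,
                             allowlist: Iterable[str] = KNOWN_GOOD_PACKAGES
                             ) -> list[str]:
    """Return flattened component names whose package is not allowlisted.

    Any unexpected accessibility service deserves review: it is the
    capability that lets overlay/banking malware read and drive the UI.
    """
    allowed = set(allowlist)
    return [f"{pkg}/{cls}" for pkg, cls in parse_enabled_services(setting_value)
            if pkg not in allowed]


# Constructed sample value mimicking `adb shell settings get secure
# enabled_accessibility_services` on a device with one suspicious service.
SAMPLE_SETTING = ("com.google.android.marvin.talkback/"
                  "com.google.android.marvin.talkback.TalkBackService:"
                  "com.example.dropper/.HelperService")
```

Run `flag_unexpected_services(SAMPLE_SETTING)` to see the unexpected component singled out; an empty list means every enabled service belongs to an allowlisted package.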

Threat Fabric’s Mobile Threat Intelligence team identifies Crocodilus as targeting users in Turkey and Spain, with potential for broader use. Its developers may speak Turkish, based on notes in the code, and a threat actor known as Sybra could be involved. Crocodilus represents a significant escalation in malware sophistication, with advanced capabilities and black overlay attacks. Source: Threat Fabric

Read more at Cointelegraph: Android malware ‘Crocodilus’ can take over phones to steal crypto