A new Android banking trojan called Crocodilus is going after banking and crypto wallet credentials through overlay attacks and aggressive social engineering, according to ThreatFabric.
It is distributed through a proprietary dropper that bypasses the Android 13+ restrictions meant to stop sideloaded apps from being granted Accessibility access, and it ships with overlay attacks, keylogging, remote access and hidden remote-control capabilities.
Unlike earlier malware such as SpyAgent, Crocodilus is built for full device takeover as well as credential theft.
It tricks users into enabling Accessibility Services, then uses overlays to mimic legitimate apps and steal data, initially targeting banks and crypto wallets in Spain and Turkey, with expected global expansion.
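As an added example (not code from the article or from ThreatFabric), the following triage helper flags installed packages that hold both an enabled Accessibility Service and the draw-over-other-apps permission, the pairing an overlay banker like Crocodilus depends on. It assumes the output formats of two standard adb commands, `settings get secure enabled_accessibility_services` and `appops query-op SYSTEM_ALERT_WINDOW allow`; the sample outputs, package names and the allowlist are constructed for the example.

```python
"""
Added example, not part of the original article or ThreatFabric's report.

Flags Android packages that hold BOTH an enabled Accessibility Service and the
SYSTEM_ALERT_WINDOW (draw over other apps) permission. Inputs are the raw
strings produced by (assumed, verify on your build):
  adb shell settings get secure enabled_accessibility_services
  adb shell appops query-op SYSTEM_ALERT_WINDOW allow
"""
from dataclasses import dataclass

# Packages expected to hold Accessibility access on a managed device.
# Assumption for the example: adjust to your own fleet.
DEFAULT_ALLOWLIST = frozenset({
    "com.google.android.marvin.talkback",
    "com.android.settings",
})

# Constructed sample output of `settings get secure enabled_accessibility_services`.
# Entries are ComponentName strings (package/class) separated by ':'; a class
# starting with '.' is relative to its package.
SAMPLE_ACCESSIBILITY = (
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:"
    "com.example.pdfreader/.AccessibilityHelperService"
)

# Constructed sample output of `appops query-op SYSTEM_ALERT_WINDOW allow`,
# one package name per line.
SAMPLE_OVERLAY = """com.android.systemui
com.example.pdfreader
com.whatsapp
"""


@dataclass(frozen=True)
class Finding:
    package: str
    service: str      # fully qualified Accessibility Service class
    has_overlay: bool  # package can also draw over other apps


def parse_accessibility_services(raw: str) -> dict[str, str]:
    """Map package -> fully qualified service class from the settings string.
    `settings get` prints 'null' when the value is unset; treat it as empty."""
    raw = raw.strip()
    if not raw or raw == "null":
        return {}
    services: dict[str, str] = {}
    for entry in raw.split(":"):
        entry = entry.strip()
        if not entry or "/" not in entry:
            continue  # tolerate trailing separators or malformed entries
        pkg, cls = entry.split("/", 1)
        if cls.startswith("."):
            cls = pkg + cls  # expand the ".Service" shorthand
        services[pkg] = cls
    return services


def parse_overlay_packages(raw: str) -> set[str]:
    """One package per line; blank lines ignored."""
    return {line.strip() for line in raw.splitlines() if line.strip()}


def triage(accessibility_raw: str, overlay_raw: str,
           allowlist: frozenset = DEFAULT_ALLOWLIST) -> list[Finding]:
    """Return non-allowlisted packages with an enabled Accessibility Service,
    those that can also draw over other apps first. Allowlisting is by package
    name, so a malicious service cannot hide by copying a legitimate class name."""
    services = parse_accessibility_services(accessibility_raw)
    overlay = parse_overlay_packages(overlay_raw)
    findings = [
        Finding(pkg, cls, pkg in overlay)
        for pkg, cls in services.items()
        if pkg not in allowlist
    ]
    findings.sort(key=lambda f: (not f.has_overlay, f.package))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_ACCESSIBILITY, SAMPLE_OVERLAY):
        sev = "HIGH" if f.has_overlay else "MEDIUM"
        extra = " and can draw over other apps" if f.has_overlay else ""
        print(f"[{sev}] {f.package} runs {f.service}{extra}")
```

On a real device, pipe the two adb outputs into `triage()`; a HIGH finding for an app that has no business reading the screen (a "PDF reader", a fake update) is the profile the report describes and is worth pulling the APK for analysis.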
It defeats app-based two-factor authentication by screen-capturing the one-time codes shown in Google Authenticator; a second factor displayed on the compromised device itself offers no protection once the malware holds Accessibility access.
Its most distinctive trick is a fake prompt urging the victim to "back up" the wallet key within 12 hours, which walks them into the app's seed-phrase screen. The phrase is logged through the same Accessibility access and sent to the command-and-control server, giving the attackers everything they need to drain the wallet.