Nowadays, a lot of people manage their cryptocurrencies from their cell phones. It's convenient, fast and everything is just a couple of taps away. But that convenience also brings its risks, and some of them are quite serious. One of the most recent is Crocodilus, a new Android malware that not only steals your crypto keys, but can take full control of your device without you even realizing it.
Unlike other viruses, this malware comes with a dangerous combo: it uses social engineering techniques to trick you into handing over your wallet's seed phrase, presenting itself as a supposed system warning. It tells you that you have to back up your password “within 12 hours” or you could lose access to your wallet. All fake, of course, but very convincing.
Behind Crocodilus there is a well-armed structure. According to researchers at ThreatFabric, the malware is distributed via a custom dropper that manages to bypass security measures in Android 13 and newer versions. It even installs the malware without triggering Play Protect and bypasses accessibility service restrictions, allowing it to remotely control the device, collect sensitive information and spy on the user without arousing suspicion.
How does Crocodilus empty your accounts?
Crocodilus' goal is crystal clear: to steal the keys to your crypto wallets. And it does it in a pretty cunning way. When you open a financial or cryptocurrency-related app, this malware may display a fake screen on top of it (like a kind of “ghost screen”) that looks totally real.
For example, you may get an urgent warning saying that you need to back up your seed phrase (that key that gives access to your entire wallet) and that, if you don't do it in less than 12 hours, you could lose everything. Obviously, that generates panic in more than one, and that's where many end up falling for it and typing the whole phrase without realizing that they are giving it directly to the malware.
Once the attackers have that phrase, they can empty your account in minutes. But that's not all. Crocodilus can also steal authentication codes, like the ones you generate with apps like Google Authenticator. And if you thought that was already too much, it can also do things like forward calls, send SMS from your phone without your knowledge and even lock your cell phone screen so you can't do anything. It literally locks you out of your own phone.
At first, Crocodilus started out targeting users in Turkey and Spain, and was even messing with local bank accounts. From some messages left by the malware itself during its execution, everything points to the fact that it might have been created in Turkey... although this is not 100% confirmed.
What is certain is that the way it reaches phones is not always clear. In most cases, victims end up downloading the malware without realizing it, through fake sites, misleading promotions on social networks, text messages with weird links or unofficial app stores.
Once installed, Crocodilus asks for access to the Accessibility Service (a tool that is meant to help people with disabilities, but which is used here for rather shady purposes). Thanks to that, the malware can see what happens on the screen, simulate gestures as if you were touching the phone, and even spy on which apps you open.
This malware comes loaded with features. The “bot” inside can execute up to 23 different commands on the device. Some of the most worrisome ones include:
- Activate call forwarding
- Open specific apps
- Display fake push notifications
- Send SMS to all your contacts (or to one specific one)
- Read incoming text messages
- Ask for phone administrator privileges
- Show a black screen to hide what's going on
- Mute the device's sound
- Lock the screen so that you can't use the cell phone
- Become the main SMS manager
In addition, it works as a remote access Trojan (RAT), which means that attackers can manage your phone remotely: touch the screen, swipe, browse apps, all as if they had it in their hands.
While all this is going on, Crocodilus can hide its activity by displaying a completely black screen and muting the phone, so the victim thinks it's locked or that nothing weird is going on.
For now, this malware has been mainly targeting users in Spain and Turkey, but it would not be unusual for it to expand its reach soon and start targeting more countries and applications.
How can you protect yourself?
As is usually the case in security matters, the best thing to do is to prevent before it's too late. Here are some easy but very useful tips to keep your cell phone (and your crypto) well protected:
- Install apps only from trusted sources: Avoid downloading apps from weird sites or links you see around. Use the Play Store and, if you can, check the reviews before installing anything.
- Beware of suspicious links: If you get a text message or an email with a strange link, don't click on it. Even if it looks real, it is better to be suspicious.
- Pay attention to the permissions that apps ask for: If an app asks you to activate accessibility and it has nothing to do with that, do not allow it. This permission can give it a lot of control over your phone.
- Enable two-step verification: Add an extra layer of security with SMS codes or by using apps like Google Authenticator. It never hurts.
- And if your phone starts acting weird: Does it freeze, does it get hot for no reason or do you see notifications that shouldn't be there? Better turn off the Wi-Fi or put it in airplane mode and check calmly if there is something you do not recognize. It may be warning you that something is wrong.
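Three of the capabilities described above (enabling an accessibility service, taking over as the default SMS app and asking for device administrator rights) leave traces in Android's system settings that you can audit over adb from a computer. The script below is an added example, not code from the article or from ThreatFabric; the allowlisted package and service names are hypothetical placeholders, and the `dumpsys device_policy` output format is assumed, so replace them with the apps you actually installed.

```shell
#!/bin/sh
# Constructed allowlist: accessibility services and default SMS app you
# deliberately chose (hypothetical names; edit for your own device).
KNOWN_A11Y="com.example.screenreader/com.example.screenreader.ReaderService"
KNOWN_SMS="com.example.messages"

# Print each entry of an enabled_accessibility_services value ("pkg/svc:pkg/svc")
# that is not in the colon-separated allowlist. "null" means nothing is enabled.
unknown_a11y_services() {
    value=$1; allow=$2
    printf '%s\n' "$value" | tr ':' '\n' | while IFS= read -r svc; do
        [ -z "$svc" ] && continue
        [ "$svc" = "null" ] && continue
        case ":$allow:" in
            *":$svc:"*) ;;                 # deliberately enabled, fine
            *) printf '%s\n' "$svc" ;;     # unexpected service: investigate
        esac
    done
}

# Succeeds only when the default SMS handler is the app we expect.
check_default_sms() {
    [ "$1" = "$2" ]
}

# Live audit when a device is attached; settings keys are real Android keys.
if command -v adb >/dev/null 2>&1; then
    a11y=$(adb shell settings get secure enabled_accessibility_services | tr -d '\r')
    sms=$(adb shell settings get secure sms_default_application | tr -d '\r')
    echo "Unexpected accessibility services:"
    unknown_a11y_services "$a11y" "$KNOWN_A11Y"
    if check_default_sms "$sms" "$KNOWN_SMS"; then
        echo "Default SMS app OK: $sms"
    else
        echo "WARNING: default SMS app changed to: $sms"
    fi
    # Device admins: assumed to appear as ComponentInfo{pkg/cls} in this dump.
    echo "Device administrators:"
    adb shell dumpsys device_policy | grep -o 'ComponentInfo{[^}]*}' | sort -u
fi
```

Any service or admin you do not recognize is worth removing from Settings before you open a wallet app again.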
Conclusion
Crocodilus is not just any malware: it is a real threat, silent and very well designed to steal the most valuable things from your digital wallets. It takes advantage of carelessness, poorly granted permissions and deceptive tactics to take control of your device and empty your accounts in a matter of minutes.
So far, the cases detected have been concentrated in Spain and Turkey, but that does not mean that other countries are free of risk. On the contrary, this type of malware can spread quickly, adapt and start attacking in other regions without warning. Therefore, it is better to be prepared now.
The best way to protect yourself is to be informed and take precautions from the beginning. It is not about living in fear, but about using technology with awareness. Install apps only from trusted sources, check the permissions you give and always keep the security measures you have at hand activated.