Fake Screens, Real Theft: Crocodilus Malware Targets Android Crypto Users

According to a March 28 report by Threat Fabric, a cybersecurity company, Crocodilus displays a message that urges users to back up their crypto wallet key within a short time. The message claims that failing to do so could result in losing access to the wallet.

Once the phrase is visible on the screen, the malware records the text through a tool that monitors screen activity. If the attacker gets the full recovery phrase, they can access the wallet and move all its contents.

Did you know?

Want to get smarter & wealthier with crypto?

Subscribe - We publish new crypto explainer videos every week!

What is an NFT? (Explained with Animations)

SUBSCRIBE

ON YOUTUBE

Although Crocodilus is a new threat, it includes several features found in advanced malware. These include fake overlays, the ability to take control of a device, and tools to collect passwords and other sensitive data.

Threat Fabric says the malware contacts a remote server after installation. It receives commands from this server, including which apps to target and which fake screens to show. The malware stays active in the background and checks what apps are opened. If a crypto or banking app is launched, Crocodilus displays a fake screen over it to gather login details.

It also mutes the sound while operating, so users may not notice anything unusual. With access to passwords and other personal details, attackers can use the phone remotely and make transactions without setting off alarms.

On March 18, cybersecurity firm Malwarebytes discovered that scammers were promoting a counterfeit version of TradingView Premium. What did the fake platform do? Read the full story.