Android malware ‘Crocodilus’ can take control of phones to steal crypto


Cybersecurity firm ThreatFabric says it has found a new family of mobile malware that can launch a fake overlay on top of certain applications to trick Android users into providing their crypto seed phrases, after which it takes over the device.

ThreatFabric analysts said in a March 28 report that the Crocodilus malware uses a screen overlay warning users to back up their crypto wallet key by a specific deadline or risk losing access.

“Once a victim provides an application password, the overlay will display a message: ‘Back up your wallet key in the settings within 12 hours. Otherwise, the app will be reset, and you may lose access to your wallet,’” said ThreatFabric.

“This social engineering trick guides the victim to navigate to their seed phrase wallet key, allowing Crocodilus to harvest the text using its accessibility logger.”

Source: ThreatFabric

Once the threat actors have the seed phrase, they can take full control of the wallet and “drain it completely.”

ThreatFabric says that, although it is new malware, Crocodilus has all the hallmarks of modern malware, with overlay attacks, advanced data harvesting through screen capture of sensitive information such as passwords, and remote access to take control of the infected device.

The initial infection occurs when the victim inadvertently downloads the malware bundled with other software that bypasses the security protections of Android 13 and later, according to ThreatFabric.

Once installed, Crocodilus requests that the accessibility service be enabled, which gives the hackers access to the device.

“Once granted, the malware connects to the command-and-control (C2) server to receive instructions, including the list of target applications and the overlays to be used,” said ThreatFabric.

Once installed, Crocodilus requests that the accessibility service be enabled, granting the hackers access to the device. Source: ThreatFabric

It runs continuously, monitoring app launches and displaying overlays to intercept credentials. When a targeted banking or cryptocurrency app is opened, the fake overlay launches over it and mutes the sound while the hackers take control of the device.

“With stolen PII and credentials, threat actors can take full control of a victim’s device using built-in remote access, completing fraudulent transactions without detection,” said ThreatFabric.

ThreatFabric’s Mobile Threat Intelligence team found that the malware targets users in Türkiye and Spain, but said the scope of use would probably widen over time.


They also speculated that the developers could be Turkish speakers, based on notes in the code, and added that a threat actor known as Sybra, or another hacker testing new software, could be behind the malware.

“The emergence of the Crocodilus mobile banking Trojan marks a significant escalation in the sophistication and threat level posed by modern malware.”

“With its advanced device-takeover capabilities, remote control features and the deployment of black overlay attacks from its earliest iterations, Crocodilus demonstrates an unusual level of maturity for a newly discovered threat,” added ThreatFabric.
