{"id":22549,"date":"2025-03-31T10:32:51","date_gmt":"2025-03-31T07:32:51","guid":{"rendered":"https:\/\/forklog.com\/en\/experts-uncover-android-trojan-targeting-crypto-wallets\/"},"modified":"2025-03-31T10:32:51","modified_gmt":"2025-03-31T07:32:51","slug":"experts-uncover-android-trojan-targeting-crypto-wallets","status":"publish","type":"post","link":"https:\/\/forklog.com\/en\/experts-uncover-android-trojan-targeting-crypto-wallets\/","title":{"rendered":"Experts Uncover Android Trojan Targeting Crypto Wallets"},"content":{"rendered":"<p>Experts at Threat Fabric have identified a new family of malware for Android mobile devices. The Trojan targets specific banking applications and popular cryptocurrency wallets.<\/p>\n<blockquote class=\"twitter-tweet\" data-lang=\"en\">\n<p lang=\"en\" dir=\"ltr\">A new mobile banking Trojan has emerged\u2014<a href=\"https:\/\/twitter.com\/hashtag\/Crocodilus?src=hash&#038;ref_src=twsrc%5Etfw\">#Crocodilus<\/a>. Discovered during regular threat hunting, it\u2019s already showing capabilities that rival top malware families, including device takeover and advanced credential theft.<a href=\"https:\/\/t.co\/RlyfFxUYHe\">https:\/\/t.co\/RlyfFxUYHe<\/a><a href=\"https:\/\/twitter.com\/hashtag\/BankingTrojan?src=hash&#038;ref_src=twsrc%5Etfw\">#BankingTrojan<\/a> <a href=\"https:\/\/twitter.com\/hashtag\/ThreatFabric?src=hash&#038;ref_src=twsrc%5Etfw\">#ThreatFabric<\/a> <a href=\"https:\/\/t.co\/47zPbPfFad\">pic.twitter.com\/47zPbPfFad<\/a><\/p>\n<p>\u2014 ThreatFabric (@ThreatFabric) <a href=\"https:\/\/twitter.com\/ThreatFabric\/status\/1905594702671274428?ref_src=twsrc%5Etfw\">March 28, 2025<\/a><\/p><\/blockquote>\n<p> <script async src=\"https:\/\/platform.twitter.com\/widgets.js\" charset=\"utf-8\"><\/script><\/p>\n<p>The malware, named Crocodilus, is capable of conducting attacks with <span data-descr=\"image overlay over the main screen\" class=\"old_tooltip\">overlays<\/span>, performing <span data-descr=\"tracking all 
keystrokes or screen actions\" class=\"old_tooltip\">keylogging<\/span>, providing remote access to the device, and executing &#8220;hidden&#8221; operations.<\/p>\n<p>Initially, the Trojan is installed via a dropper that bypasses the restrictions of Android 13 and newer. Once deployed, the malware requests activation of the Accessibility Service, and upon receiving permission, connects to a command server. <\/p>\n<p>Crocodilus operates continuously, monitoring the launch of targeted applications and displaying overlays to intercept credentials. As soon as a user enters a password or PIN for a crypto wallet, they receive a prompt to back up their private key. Using this information, attackers can gain full control over the application and withdraw all funds.<\/p>\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" src=\"https:\/\/forklog.com\/wp-content\/uploads\/crypto_message_cut.webp\" alt=\"crypto_message_cut\" class=\"wp-image-255259\"\/><figcaption class=\"wp-element-caption\">Source: Threat Fabric.<\/figcaption><\/figure>\n<p>Crocodilus logs everything the victim does by monitoring text changes on the screen, functioning as a keylogger. Additionally, the Trojan captures the Google Authenticator screen, transmitting <span data-descr=\"One Time Password\" class=\"old_tooltip\">OTP<\/span> codes to the attackers.<\/p>\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p>\u201cUsing stolen personal and account data, attackers can gain full control over the victim&#8217;s device, using built-in remote access to conduct fraudulent transactions without detection,\u201d noted Threat Fabric experts.<\/p>\n<\/blockquote>\n<p>Crocodilus can display a black screen and mute sound when applications are in use, making fraudulent activities on the device invisible to the user. 
<\/p>\n<p>Experts emphasized that even in its early versions, the Trojan demonstrates \u201ca level of maturity uncharacteristic of newly discovered threats.\u201d <\/p>\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p>\u201cCrocodilus, already observed in attacks on banks in Spain and Turkey, as well as popular cryptocurrency wallets, is clearly designed to hunt for high-value assets,\u201d they added.<\/p>\n<\/blockquote>\n<p>ForkLog covered the week&#8217;s most important cybersecurity news in its <a href=\"https:\/\/forklog.com\/en\/news\/elephant-coin-scams-a-signal-misfire-and-other-cybersecurity-news\">traditional digest<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Experts at Threat Fabric have identified a new family of malware for Android mobile devices. The Trojan targets specific banking applications and popular cryptocurrency wallets. A new mobile banking Trojan has emerged\u2014#Crocodilus. 
Discovered during regular threat hunting, it\u2019s already showing capabilities that rival top malware families, including device takeover and advanced credential theft.https:\/\/t.co\/RlyfFxUYHe#BankingTrojan #ThreatFabric pic.twitter.com\/47zPbPfFad [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":22548,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"select":"","news_style_id":"","cryptorium_level":"","_short_excerpt_text":"","creation_source":"","_metatest_mainpost_news_update":false,"footnotes":""},"categories":[3],"tags":[1634,44,1111],"class_list":["post-22549","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-news-and-analysis","tag-android","tag-cybercrime","tag-cybersecurity"],"aioseo_notices":[],"amp_enabled":true,"views":"34","promo_type":"","layout_type":"","short_excerpt":"","is_update":"","_links":{"self":[{"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/posts\/22549","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/comments?post=22549"}],"version-history":[{"count":0,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/posts\/22549\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/media\/22548"}],"wp:attachment":[{"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/media?parent=22549"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/categories?post=22549"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/tags?post=22549"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\
/{rel}","templated":true}]}}