Crocodilus is new, steals crypto wallets, abuses accessibility features


Crocodilus is a brand new piece of malware that has not done a lot of damage worldwide yet. It is starting to make its mark, though, and is only hitting certain regions right now.

As usual, this type of malware abuses the accessibility component of Android to get at your device. This is not the first time malware has abused such tools; you could search for "android accessibility" and get tons of hits, which will include this post.

A newly discovered Android malware dubbed Crocodilus tricks users into providing the seed phrase for the cryptocurrency wallet using a warning to back up the key to avoid losing access.

Although Crocodilus is a new banking malware, it features fully developed capabilities to take control of the device, harvest data, and remote control.

Researchers at fraud prevention company ThreatFabric say that the malware is distributed via a proprietary dropper that bypasses Android 13 (and later) security protections.

I think that, besides the accessibility issue, this paragraph should scare you right out of your chair. It says:

The dropper installs the malware without triggering Play Protect while also bypassing Accessibility Service restrictions.

Let’s continue.

What makes Crocodilus special is that it integrates social engineering to make victims provide access to their crypto-wallet seed phrase.

It achieves this through a screen overlay warning users to “back up their wallet key in the settings within 12 hours” or risk losing access to their wallet.
Bogus message served to cryptocurrency holders


Let’s see what JAWS Picture Smart has to say about this picture. We use it for teaching purposes only.

The image shows a warning message with a yellow caution symbol at the top. It instructs users to back up their wallet key in the settings within 12 hours. If not done, the app will be reset, potentially causing a loss of access to the wallet. There is a blue “Continue” button at the bottom.

When asked for more detail, both ChatGPT and Claude indicate that the text says you have 12 hours to back up your wallet.

“This social engineering trick guides the victim to navigate to their seed phrase (wallet key), allowing Crocodilus to harvest the text using its Accessibility Logger,” ThreatFabric explains.

“With this information, attackers can seize full control of the wallet and drain it completely,” the researchers say.

The article continues:

It is unclear how the initial infection occurs, but typically, victims are tricked into downloading droppers through malicious sites, fake promotions on social media or SMS, and third-party app stores.

When launched, Crocodilus gains access to Accessibility Service, normally reserved for aiding people with disabilities, to unlock access to screen content, perform navigation gestures, and monitor for app launches.

Requesting accessibility access

JAWS Picture Smart says:

The image shows a smartphone screen prompting the user to grant accessibility permission for an app to function properly. It features the Chrome logo and the message “Accessibility Permission Required.” Below, there is a colorful button labeled “Enable Accessibility.” A notification at the bottom says, “Please enable accessibility Android.”

While ChatGPT and Claude give different results, the basics when asking for more details are pretty much the same, with GPT giving more detail. Again, the malware abuses this permission to get at what it really wants: the wallet on your device.

It also has bot capabilities, which include but are not limited to:

  • Enable call forwarding
  • Launch a specific application
  • Post a push notification
  • Send SMS to all contacts or a specified number
  • Get SMS messages
  • Request Device Admin privileges
  • Enable a black overlay
  • Enable/disable sound
  • Lock screen
  • Make itself the default SMS manager

It can also take a screenshot of the authenticator app, which lets the attackers read the one-time codes and get past two-factor authentication.
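As an added example, not code from the original post or from ThreatFabric's report, here is a POSIX shell triage script that checks an Android device over adb for the two footholds described above: which apps hold an enabled Accessibility Service (and whether they were sideloaded rather than installed from the store), and which app holds the default SMS role. The allowlists, the package and component names in the constructed sample data (com.bad.dropper and so on), and the use of the `cmd role` shell command for the SMS holder on Android 10 and later are assumptions made for illustration; edit the allowlists for your own device.

```sh
#!/bin/sh
# Added example: triage an Android device for apps holding the privileges
# Crocodilus abuses (an enabled Accessibility Service, the default SMS role).
# Sample data below is constructed; audit_device() pulls real values via adb.

# Accessibility services you expect to see enabled (assumption: edit for your
# device; TalkBack's component name is shown as a typical entry).
KNOWN_GOOD_SERVICES="com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService"
# Packages allowed to hold the default SMS role (assumption).
KNOWN_SMS_APPS="com.google.android.apps.messaging:com.samsung.android.messaging"

# Constructed sample of `settings get secure enabled_accessibility_services`
# (colon-separated component names) and of `pm list packages -i`.
SAMPLE_SERVICES="com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:com.bad.dropper/com.bad.dropper.AccessSvc"
SAMPLE_PACKAGES="package:com.google.android.marvin.talkback installer=com.android.vending
package:com.bad.dropper installer=null
package:com.google.android.apps.messaging installer=com.android.vending"

# installer_of "<pm list packages -i output>" <package>
# Prints the recorded installer; "null" means the APK was sideloaded.
installer_of() {
    printf '%s\n' "$1" | awk -v pkg="$2" '
        $1 == ("package:" pkg) { sub(/^installer=/, "", $2); print $2; exit }'
}

# triage_services "<enabled_accessibility_services value>" "<pm list output>"
# Prints one line per enabled service that is not allowlisted: the service
# component and its installer. A non-allowlisted service from a sideloaded
# package (installer null) is the pattern the dropper described above leaves.
triage_services() {
    services="$1"; packages="$2"
    [ "$services" = "null" ] && services=""   # settings prints null when unset
    old_ifs="$IFS"; IFS=':'
    set -- $services              # split the colon-separated list
    IFS="$old_ifs"
    for svc in "$@"; do
        [ -z "$svc" ] && continue
        case ":$KNOWN_GOOD_SERVICES:" in *":$svc:"*) continue ;; esac
        pkg="${svc%%/*}"          # component "pkg/class" -> package
        inst="$(installer_of "$packages" "$pkg")"
        printf '%s %s\n' "$svc" "${inst:-unknown}"
    done
    return 0
}

# check_sms_handler <package>
# Prints OK or SUSPECT for the package currently holding the SMS role.
check_sms_handler() {
    case ":$KNOWN_SMS_APPS:" in
        *":$1:"*) printf 'OK sms handler %s\n' "$1" ;;
        *)        printf 'SUSPECT sms handler %s\n' "$1" ;;
    esac
}

# audit_device: run the checks against a connected device over adb.
audit_device() {
    command -v adb >/dev/null 2>&1 || { echo "adb not found" >&2; return 2; }
    services="$(adb shell settings get secure enabled_accessibility_services | tr -d '\r')"
    packages="$(adb shell pm list packages -i | tr -d '\r')"
    # Android 10+ tracks the SMS app as a role; the shell prints its holders.
    sms="$(adb shell cmd role get-role-holders android.app.role.SMS | tr -d '\r')"
    echo "Enabled accessibility services not on the allowlist (service installer):"
    triage_services "$services" "$packages"
    for holder in $(printf '%s\n' "$sms" | tr ';' ' '); do
        check_sms_handler "$holder"
    done
}

# Run the triage on the constructed sample when executed directly.
triage_services "$SAMPLE_SERVICES" "$SAMPLE_PACKAGES"
check_sms_handler com.bad.dropper
```

On the sample data the script reports the one service that is neither allowlisted nor store-installed; on a real device, call `audit_device` and treat any accessibility service from a sideloaded package, or an unfamiliar SMS role holder, as something to remove before it can read screen contents or intercept messages.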

Right now, the targets include Turkey and Spain. This does not mean it won’t reach other regions, including ours, when it finally moves this way.

We took some of the most important points from this article. To read the whole article covering this, please read New Crocodilus malware steals Android users’ crypto wallet keys, as this could eventually affect you.


Discover more from The Technology blog and podcast


2 thoughts on “Crocodilus is new, steals crypto wallets, abuses accessibility features”

  1. Shaun, this has to do with allowing programs to use things that accessibility tools use when that program doesn’t need to. I would suggest reading the article in full, as this exfiltrates all kinds of data by bypassing the accessibility tools to get access to what it wants. This is not the first; go back and search for android accessibility as we stated.

  2. Well, yet another accessibility bypass.
    So what exactly is the issue?
    Is it an issue with security bypass, a security issue with the access module, or is this something we haven’t seen yet?
    I remember when Firefox, I think it was 3.6 or was it version 40, Mozilla was, well, getting annoyed with how insecure systems were.
    So apparently they solved this by saying accessibility was the issue.
    If you don’t use it or don’t need it, have it off.
    That in itself may have been simple sense, but I took offence to this.
    I need accessibility, so if you remove accessibility to make the thing secure then you have already been defeated.
    Luckily the new model they built to replace the old model has better accessibility and web standards built into it, and like the new Gmail I have grown to actually love it and would not care to drop back to the old interface, but there was a time I did protest publicly.
    It is actually while, even though it’s accessible and even though I am missing a few titles on it, I still oppose Steam.
    Valve ain’t got a good track record with its users. In fact, more so, I met a streamer of Half-Life with a modified voice track for some of the characters, and I told him I enjoyed it and I was blind.
    He was surprised but happy I did.
    He explained to me that Valve doesn’t have a nice attitude to its streams, in particular when there are errors in the system.
    That was ages ago, at least 4 years, so things may indeed be different, but it’s now the principle.
    How can I trust a company which couldn’t give a damn about its streams, let alone users in general, that has a bad track record, even if some of that is rumour.
    Steam is accessible, but Valve didn’t make it like that by choice; it just happened, and therefore I don’t trust them.
    Plus, with my various issues, I shouldn’t be gaming; I get in enough pain by using the computer for what is required.
    In fact, now I am going into the autumn winter run, I am going to have to change my night time playing to almost nothing because I need to get off the system and do something else 1 or 2 hours before I actually sleep.
    So for me I guess the gamer side of me, while still about, ain’t what it was when I was a younger man.
