The Android malware "Crocodilus" can control phones to steal cryptocurrency.

3 days ago

Source: Cointelegraph

Cybersecurity company Threat Fabric has reported the discovery of a new family of mobile malware that can generate fake overlay interfaces for specific applications, deceiving Android users into providing their cryptocurrency recovery phrases and taking over their devices in the process.

Analysts at Threat Fabric noted in a report on March 28 that the Crocodilus malware utilizes screen overlay techniques to warn users to back up their cryptocurrency wallet keys within a specified timeframe, or risk losing access.

"When victims enter their passwords in the application, the overlay interface displays a message: Please go to settings to back up your wallet keys within 12 hours, or the application will be reset, and you may lose access to your wallet," Threat Fabric stated.

"This social engineering scam guides victims to the recovery phrase wallet key page, allowing Crocodilus to use its accessibility logger to steal the relevant text."

Source: Threat Fabric

Once attackers obtain the recovery phrase, they can take full control of the wallet and "completely drain" the funds.

Threat Fabric stated that although Crocodilus is a new type of malware, it possesses all the characteristics of modern banking malware, including overlay attacks, advanced data collection capabilities for stealing sensitive information such as passwords through screenshots, and remote access to control infected devices.

According to Threat Fabric's report, initial infections typically occur when users inadvertently install other software that bundles the malware, which is able to bypass Android 13's security mechanisms.

After installation, Crocodilus requests the activation of accessibility services, and once users grant permission, hackers can access and control the device.

"Once permission is obtained, the malware connects to a command and control (C2) server to receive instructions, including a list of target applications and the overlay interface to be used," Threat Fabric stated.

After installation, Crocodilus requests the activation of accessibility services, allowing hackers to access the device. Source: Threat Fabric

It continues to run in the background, monitoring application launches and displaying overlay interfaces to intercept credentials. When the victim opens a targeted banking or cryptocurrency application, the fake overlay is activated immediately, while the device's sound is muted, allowing the attackers to take control of the device.

"With the stolen personally identifiable information (PII) and credentials, attackers can use the built-in remote access feature to gain complete control of the victim's device, enabling them to carry out fraudulent transactions without detection," Threat Fabric stated.
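A defender-side triage check for the accessibility-service abuse described above, added here as an example that is not part of the article or of Threat Fabric's report. It parses constructed output in the format of `adb shell settings get secure enabled_accessibility_services` and `adb shell pm list packages -i` (the package names and installers are made up) and flags packages that hold an enabled accessibility service but were not installed by a trusted store, which is the combination a sideloaded dropper like the one described would produce.

```python
import re

# Constructed sample output (not captured from a real device) in the format of:
#   adb shell settings get secure enabled_accessibility_services
# Entries are colon-separated "package/serviceClass" pairs; "null" means none.
ENABLED_A11Y = (
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:"
    "com.example.dropper/com.example.dropper.AccService"
)
# Constructed sample output in the format of: adb shell pm list packages -i
PM_LIST = """package:com.google.android.marvin.talkback  installer=com.android.vending
package:com.example.dropper  installer=null
package:com.example.bank  installer=com.android.vending
"""
# Installers treated as trusted (assumption; adjust for the device fleet).
TRUSTED_INSTALLERS = {"com.android.vending"}


def parse_enabled_services(raw):
    """Return {package: [service_class, ...]} from the accessibility setting value."""
    result = {}
    if raw.strip() in ("", "null"):
        return result
    for entry in raw.strip().split(":"):
        if "/" not in entry:
            continue
        pkg, svc = entry.split("/", 1)
        result.setdefault(pkg, []).append(svc)
    return result


def parse_installers(raw):
    """Return {package: installer_or_None} from `pm list packages -i` output."""
    result = {}
    for m in re.finditer(r"package:(\S+)\s+installer=(\S+)", raw):
        pkg, inst = m.group(1), m.group(2)
        result[pkg] = None if inst == "null" else inst
    return result


def flag_suspicious(a11y_raw, pm_raw, trusted=TRUSTED_INSTALLERS):
    """Packages with an enabled accessibility service not installed by a trusted store."""
    services = parse_enabled_services(a11y_raw)
    installers = parse_installers(pm_raw)
    return [
        {"package": pkg, "services": svcs, "installer": installers.get(pkg)}
        for pkg, svcs in services.items()
        if installers.get(pkg) not in trusted
    ]


if __name__ == "__main__":
    for hit in flag_suspicious(ENABLED_A11Y, PM_LIST):
        print("accessibility service from untrusted installer:", hit)
```

Feed the script real `adb` output to triage a device; a hit is a reason to inspect the package, not proof of infection on its own.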

Threat Fabric's mobile threat intelligence team found that the malware primarily targets users in Turkey and Spain, but it is expected that the attack range will expand in the future.

Additionally, the team speculated that the malware's developers may be Turkish speakers, as the code contains comments written in Turkish. They also noted that a threat actor known as Sybra, or another actor testing new software, could be behind the malware.

"The emergence of the Crocodilus mobile banking Trojan marks a significant upgrade in the complexity and threat level of modern malware."

"With its advanced device takeover capabilities, remote control features, and black overlay attacks deployed since its earliest versions, Crocodilus demonstrates an uncommon new level of threat maturity," Threat Fabric added.

