ThreatFabric’s Mobile Threat Intelligence (MTI) team, those chaps who spend their days wrestling digital gremlins, have issued a warning. Seems a new variant of the Crocodilus mobile malware is on the prowl, and this one’s got a taste for seed phrases. Automated, no less. Like a tiny, digital crocodile with a very specific diet.
Malware Features Seed-Phrase-Collecting Parser (Because Why Not?)
The aforementioned Mobile Threat Intelligence (MTI) team, bless their cotton socks, are waving red flags about this Crocodilus critter. Apparently, it’s not content with just being annoying; it now comes with an automated seed phrase collector. Originally spotted back in March, this digital beastie is apparently expanding its horizons, swapping European cafes for the sun-drenched beaches of South America. One can only assume it’s after a tan.
In their latest blog post, which I’m sure is riveting reading for those who enjoy that sort of thing, the MTI team revealed that this new Crocodilus variant has a particular fondness for cryptocurrency wallet applications. What makes it especially bothersome? Well, it’s got a parser, see. A parser that helps it hoover up seed phrases and private keys like a digital Roomba on a mission.
While still relying on the accessibility logging feature (which sounds terribly dull, doesn’t it?) from previous versions, this updated malware has had a bit of a makeover. It now pre-processes logged on-screen data with the enthusiasm of a librarian alphabetizing a particularly messy shelf. This allows it to extract data in a specific format using regular expressions. Regular expressions! Honestly, who comes up with these names? Sounds like something you’d find in a particularly dusty spellbook.
“In our previous blog about Crocodilus,” the team explained, “we highlighted the interest of cybercriminals in cryptocurrency wallets as they were making victims open the wallet apps to further steal the data displayed on the screen.” (Yes, yes, we get it, you wrote a blog. Everyone’s a blogger these days.) “With additional parsing done on the device side, threat actors receive high-quality preprocessed data, ready to use in fraudulent operations like account takeover, targeting cryptocurrency assets of victims.” In other words, they’re making it easier for the bad guys to be bad. Efficiency, eh?
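The accessibility channel described above is the one a wallet app can actually do something about. Added example (not code from ThreatFabric’s post or from the malware; the class name and the “warn, don’t block” policy are my own assumptions): before revealing a seed phrase, list enabled non-system accessibility services that can read window content, and keep the phrase view out of the accessibility tree.

```java
import android.accessibilityservice.AccessibilityServiceInfo;
import android.content.Context;
import android.content.pm.ApplicationInfo;
import android.content.pm.ServiceInfo;
import android.view.View;
import android.view.accessibility.AccessibilityManager;
import java.util.ArrayList;
import java.util.List;

/** Hypothetical helper for a wallet app's "show recovery phrase" screen. */
public final class SeedPhraseScreenGuard {

    /**
     * Package names of enabled accessibility services that are not part of the
     * system image and are capable of retrieving window content, i.e. the
     * same channel the post says Crocodilus uses to log on-screen text.
     */
    public static List<String> nonSystemScreenReadingServices(Context ctx) {
        List<String> found = new ArrayList<>();
        AccessibilityManager am =
                (AccessibilityManager) ctx.getSystemService(Context.ACCESSIBILITY_SERVICE);
        if (am == null) return found;
        for (AccessibilityServiceInfo info :
                am.getEnabledAccessibilityServiceList(AccessibilityServiceInfo.FEEDBACK_ALL_MASK)) {
            if (info.getResolveInfo() == null) continue;
            ServiceInfo si = info.getResolveInfo().serviceInfo;
            if (si == null || si.applicationInfo == null) continue;
            boolean system = (si.applicationInfo.flags & ApplicationInfo.FLAG_SYSTEM) != 0;
            boolean readsScreen = (info.getCapabilities()
                    & AccessibilityServiceInfo.CAPABILITY_CAN_RETRIEVE_WINDOW_CONTENT) != 0;
            if (!system && readsScreen) found.add(si.packageName);
        }
        return found;
    }

    /** True when the app should warn the user before rendering the phrase. */
    public static boolean shouldWarnBeforeReveal(Context ctx) {
        return !nonSystemScreenReadingServices(ctx).isEmpty();
    }

    /**
     * Remove the phrase view and its children from the accessibility tree so
     * services that log screen content do not receive the words. Trade-off:
     * genuine screen readers lose access too, so pair this with a visible
     * warning rather than silently hiding the phrase.
     */
    public static void hideFromAccessibility(View seedPhraseView) {
        seedPhraseView.setImportantForAccessibility(
                View.IMPORTANT_FOR_ACCESSIBILITY_NO_HIDE_DESCENDANTS);
    }
}
```

The check flags legitimate third-party screen readers as well, so treat a non-empty list as a prompt to warn the user, not as proof of infection.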
Beyond the parser (which, let’s face it, is the star of the show), this updated malware can also fiddle with your contact list. The MTI team suspects this allows the attackers to add a phone number under a convincing name, like “Bank Support.” Because nothing says “trustworthy” like a phone call from someone you’ve never met claiming to be from your bank. This could then be used to call the victim while appearing legitimate, potentially bypassing fraud prevention measures that flag unknown numbers. Clever, in a dastardly sort of way.
According to the MTI team, Crocodilus is currently wreaking havoc in Turkey and Spain, targeting users of major banks and cryptocurrency platforms. In Turkey, it’s disguised as an online casino, spreading through malicious advertisements and overlaying fake login pages on financial applications. Because who doesn’t love a bit of gambling with their financial security?
In Spain, it’s masquerading as a fake browser update, aiming at pretty much every Spanish bank. Smaller campaigns have also been detected with global targets, affecting applications in Argentina, Brazil, the U.S., Indonesia, and India, the team added. So, basically, nowhere is safe. Time to invest in carrier pigeons, perhaps?
2025-06-11 10:00