The Mobile Threat Intelligence (MTI) team at Threat Fabric has issued a warning to cryptocurrency users about a new variant of mobile malware, Crocodilus, which now includes an automated seed phrase collector. Originally identified in March, this malware is reportedly expanding its target list from European countries to include users in South America.
In its latest blog post, the MTI team stated that the new variant of Crocodilus specifically targets cryptocurrency wallet applications. What makes this variant particularly concerning is its additional parser, which helps extract seed phrases and private keys from specific wallets.
The updated malware is still built on the accessibility-logging feature present in earlier variants, but it adds improved preprocessing of the logged on-screen data: regular expressions pull out the data in a specific format before it is displayed.
“In our previous blog about Crocodilus, we highlighted the interest of cybercriminals in cryptocurrency wallets as they were making victims open the wallet apps to further steal the data displayed on the screen,” the team explained. “With additional parsing done on the device side, threat actors receive high-quality preprocessed data, ready to use in fraudulent operations like account takeover, targeting cryptocurrency assets of victims.”
Beyond the additional parser, the updated malware features a capability that allows cybercriminals to modify the contact list on an infected device. The MTI team suspects this feature enables attackers to add a phone number under a convincing name, such as “Bank Support.” This contact could then be used to call the victim while appearing legitimate, potentially bypassing fraud prevention measures that flag unknown numbers.
According to the MTI team, Crocodilus is actively conducting cyber campaigns in Turkey and Spain, targeting users of major banks and cryptocurrency platforms. In Turkey, it disguises itself as an online casino and spreads through malicious advertisements, overlaying fake login pages on financial applications.
In Spain, it is distributed as a fake browser update, aiming at nearly all Spanish banks. Smaller campaigns have also been detected with global targets, affecting applications in Argentina, Brazil, the U.S., Indonesia, and India, the team added.