Crocodilus Android Malware Targets Spain and Turkey: Mutes Alerts and Drains $2.8M in Crypto Wallets
- Rescana

Executive Summary
A new Android malware family, dubbed Crocodilus, has been observed in the wild targeting users in Spain and Turkey, with confirmed infections exceeding 1,200 devices and over $2.8 million in cryptocurrency assets stolen within two weeks. Crocodilus leverages advanced abuse of Android accessibility services to perform device takeover, mute system alerts, and harvest sensitive credentials, including crypto wallet seed phrases. The malware is distributed via trojanized apps masquerading as Google Chrome and is notable for its sophisticated evasion and persistence techniques.
Technical Details
Infection Vector
Initial Access: Crocodilus is delivered via a fake Google Chrome app (package name: quizzical.washbowl.calamity), acting as a dropper capable of bypassing Android 13+ restrictions.
Permissions: Upon installation, the app requests accessibility service permissions, which are then abused for full device control.
Capabilities
Device Takeover: Full remote control, including launching apps, sending SMS, retrieving contacts, and requesting device admin privileges.
Overlay Attacks: Displays black screen overlays to hide malicious activity and mutes device sounds to suppress alerts.
Credential Harvesting: Monitors all accessibility events, logs screen content, and captures credentials for banking and crypto apps.
Crypto Wallet Theft: Triggers social engineering overlays urging users to "backup" their seed phrases, which are then exfiltrated.
Google Authenticator Capture: Can trigger screen captures of Google Authenticator, potentially compromising 2FA.
Persistence & Evasion: Self-removal, C2 updates, keylogging, and making itself the default SMS manager.
Exploitation in the Wild
Victimology: Over 1,200 Android devices infected, primarily in Spain and Turkey.
Financial Impact: At least $2.8 million in cryptocurrency drained from victim wallets in two weeks (SecureBlink).
Distribution: Observed in the wild as a fake Chrome APK, likely distributed via phishing, third-party app stores, or malicious links.
Indicators of Compromise (IOCs)
- Malicious APK Package Name: quizzical.washbowl.calamity
Behavioral IOCs:
- Requests accessibility service permissions immediately after installation.
- Displays overlays mimicking banking and crypto wallet apps.
- Mutes device audio and displays persistent black screens.
- Sends SMS to contacts and retrieves contact lists without user interaction.
MITRE ATT&CK Mapping
T1406: Credential Access via Overlay Attack
T1407: Input Capture via Accessibility Services
T1412: Abuse Device Administrator Permissions
T1411: Data from Local System (Harvesting seed phrases, contacts, SMS)
T1435: Disguise or Mimic Legitimate Apps (Fake Chrome dropper)
T1446: Device Lockout (Black screen overlays)
T1476: Deliver Malicious App via Third-Party App Store or Phishing
Threat Actor Attribution
Language: Debug messages and code analysis indicate Turkish-speaking authors.
Targeting: Focused on Spain and Turkey, but techniques are globally applicable.
APT/Group: No direct attribution to a known APT group as of this report; activity is consistent with financially motivated cybercrime groups.
Exploitation and Breach Reports
ThreatFabric: First technical analysis and discovery (ThreatFabric blog)
SecureBlink: Confirmed $2.8M in crypto theft and 1,200+ devices compromised (SecureBlink report)
The Hacker News: Detailed technical breakdown and exploitation method (The Hacker News)
Exploitation Tactics (TTPs)
Social Engineering: Fake overlays and urgent backup requests to trick users into revealing seed phrases.
Accessibility Abuse: Full device monitoring and control via accessibility services.
Stealth: Mutes alerts and uses black overlays to hide activity.
Remote Control: C2 communication for dynamic tasking and data exfiltration.
Mitigation Strategies
Block installation of apps from unknown sources and enforce Google Play Protect on all managed devices.
Monitor for requests for accessibility service permissions from non-legitimate apps.
Educate users on the risks of entering seed phrases or credentials into overlays or pop-ups, especially those urging urgent action.
Regularly audit installed apps for suspicious package names and permissions.
Implement mobile threat defense solutions capable of detecting overlay and accessibility abuse.
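As an added example (not code from the Rescana report), the following Python script applies the package-name IOC above and the audit-oriented mitigations to the text output of three adb commands: it flags the known dropper package, any accessibility service outside an allowlist, and a non-standard default SMS app. The allowlists and the sample device output are constructed placeholders.

```python
"""Audit adb output for the Crocodilus indicators described in this report."""
# (Added example; the allowlists and the sample device output are constructed.)

# Indicator taken from the report: package name of the fake Chrome dropper.
CROCODILUS_PACKAGE = "quizzical.washbowl.calamity"
# Accessibility services your fleet has approved (hypothetical allowlist).
APPROVED_ACCESSIBILITY = {"com.google.android.marvin.talkback"}
# Expected default SMS apps; Crocodilus makes itself the default SMS manager.
APPROVED_SMS_APPS = {"com.google.android.apps.messaging"}


def parse_package_list(pm_output: str) -> set:
    """Parse `adb shell pm list packages -3` output, one 'package:<name>' per line."""
    return {line.split(":", 1)[1].strip()
            for line in pm_output.splitlines() if line.startswith("package:")}


def parse_accessibility_services(setting: str) -> set:
    """Parse `adb shell settings get secure enabled_accessibility_services`:
    a colon-separated list of '<package>/<service class>'; returns the packages."""
    setting = setting.strip()
    if setting in ("", "null"):          # 'null' means no service is enabled
        return set()
    return {entry.split("/", 1)[0] for entry in setting.split(":") if entry}


def audit(pm_output: str, a11y_setting: str, default_sms: str) -> list:
    """Return one finding string per Crocodilus indicator observed on the device."""
    findings = []
    if CROCODILUS_PACKAGE in parse_package_list(pm_output):
        findings.append(f"known Crocodilus dropper installed: {CROCODILUS_PACKAGE}")
    for pkg in sorted(parse_accessibility_services(a11y_setting) - APPROVED_ACCESSIBILITY):
        findings.append(f"unapproved accessibility service enabled by: {pkg}")
    sms = default_sms.strip()   # `adb shell settings get secure sms_default_application`
    if sms and sms not in APPROVED_SMS_APPS:
        findings.append(f"non-standard default SMS app: {sms}")
    return findings


# Constructed sample of what the three adb commands would print on an infected device.
SAMPLE_PM = "package:com.example.notes\npackage:quizzical.washbowl.calamity\n"
SAMPLE_A11Y = ("com.google.android.marvin.talkback/.TalkBackService:"
               "quizzical.washbowl.calamity/.PlaceholderService")  # class name is a placeholder
SAMPLE_SMS = "quizzical.washbowl.calamity"

if __name__ == "__main__":
    for finding in audit(SAMPLE_PM, SAMPLE_A11Y, SAMPLE_SMS):
        print("ALERT:", finding)
```

Run it against a managed device by piping the real adb output into the three parameters; a clean device returns an empty findings list.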
Conclusion
Crocodilus represents a significant escalation in Android malware sophistication, combining advanced accessibility abuse, stealth, and social engineering to drain crypto wallets and compromise financial data. Organizations and individuals should remain vigilant, enforce strict app installation policies, and monitor for signs of device compromise.
For further threat intelligence or incident response support, contact Rescana.