Daily News Update: Sunday, March 31, 2025 (Australia/Melbourne)

Crocodilus malware targets Android crypto wallets with social engineering, bypassing typical security measures to steal seed phrases. Microsoft's "Quick Machine Recovery" tool could automatically fix boot crashes caused by bad drivers or configurations, such as CrowdStrike's faulty update from 2024.



Crocodilus Android Malware Targets Crypto Wallets


A new Android malware, Crocodilus, has been identified by ThreatFabric. It's designed to steal cryptocurrency wallet seed phrases by tricking users with a fake warning overlay. This overlay prompts users to back up their wallet key, allowing the malware to harvest the text using its Accessibility Logger.

The malware is distributed via a proprietary dropper that bypasses Android 13 security protections and installs without triggering Play Protect. It also circumvents Accessibility Service restrictions. Once installed, Crocodilus uses social engineering to convince victims to provide access to their crypto-wallet seed phrase.

"This social engineering trick guides the victim to navigate to their seed phrase (wallet key), allowing Crocodilus to harvest the text using its Accessibility Logger. With this information, attackers can seize full control of the wallet and drain it completely."

Crocodilus has been observed targeting users in Turkey and Spain, focusing on bank accounts in those countries. The malware's bot component supports 23 commands, including call forwarding, SMS manipulation, and remote access trojan (RAT) functionality. The RAT functionality allows operators to tap the screen, navigate the UI, and even capture one-time passwords from Google Authenticator.

To hide its activities, Crocodilus can activate a black screen overlay and mute the device. Android users are advised to avoid downloading APKs from outside Google Play and to keep Play Protect active.

Bleeping Computer | "New Crocodilus malware steals Android users’ crypto wallet keys"

Microsoft's Quick Machine Recovery Tool for Windows 11


Microsoft is testing a new Windows 11 tool called Quick Machine Recovery, designed to remotely fix boot crashes caused by buggy drivers and configurations. This tool is part of Microsoft's Windows Resiliency Initiative, which aims to enhance system stability and reduce downtime.

The tool works by automatically booting to the Windows Recovery Environment when a new driver or configuration change prevents Windows 11 from starting properly. It connects to the Internet, sends crash data to Microsoft's servers, and allows Microsoft to remotely apply fixes, such as removing problematic drivers or updates.

💡
While not explicitly stated in the release, this tool could potentially have helped resolve the faulty CrowdStrike update from July 2024, which caused millions of Windows devices worldwide to crash with a Blue Screen of Death (BSOD) and enter reboot loops. Quick Machine Recovery could, in theory, have automated the fix, removing the need for manual intervention by Windows admins.

The feature will eventually be enabled by default in Windows 11 Home, while enterprise users can customize its behavior in Windows 11 Pro and Enterprise via the RemoteRemediation CSP or reagentc.exe. Microsoft plans to release a test remediation package so that Insiders can try out the feature.

Bleeping Computer | "Microsoft tests new Windows 11 tool to remotely fix boot crashes"


Opalsec is a reader-supported publication. To receive new posts and support my work, please consider becoming a paid subscriber!
