ANDROID MALWARE TARGETS USERS OF 32 CRYPTO APPS, INCLUDING COINBASE, BITPAY

Last updated: October 24, 2025, 14:27 | Written by: Juno Wren


Imagine waking up one morning to find your cryptocurrency wallet drained, your bank account emptied, and your financial life turned upside down. This nightmare scenario is becoming increasingly real for Android users, as a sophisticated new strain of Trojan malware is actively targeting popular crypto apps like Coinbase, BitPay, and Bitcoin Wallet, as well as major banking institutions. The malware primarily targets users of financial and cryptocurrency apps, leveraging Android Accessibility Services to gain full visibility and control over user interactions, and it uses HTML overlays served from command-and-control (C2) servers to mimic legitimate banking and crypto app screens. This isn't just a minor nuisance; it's a full-blown assault on your digital assets, engineered to steal your funds and compromise your personal information. This insidious malware, sometimes referred to as "Gustuff" or "Crocodilus", employs advanced techniques like overlay attacks and Accessibility Service abuse to bypass security measures and gain complete control over your device and financial accounts. Gustuff, a previously unreported advanced banking trojan, can reportedly steal funds from accounts at over 100 banks across the world and rob users of 32 cryptocurrency Android apps. If you use these apps on your Android phone, you're potentially at risk. It's time to understand the threat, learn how to protect yourself, and take immediate action to secure your digital future. We'll explore the ins and outs of this malware, the tactics it uses, and, most importantly, how you can shield yourself from becoming a victim. Don't wait until it's too late; knowledge is your first line of defense in this digital battleground.

Understanding the Android Malware Threat Targeting Crypto Apps


The digital landscape is constantly evolving, and so are the threats lurking within it. This new Android malware represents a significant escalation in the ongoing battle between security researchers and cybercriminals. What sets it apart from previous threats? Researchers report that it specifically targets 32 cryptocurrency apps, including Coinbase, BitPay, and Bitcoin Wallet. In addition, the Android applications of major banks like Bank of America, Bank of Scotland, J.P. Morgan, Wells Fargo, Capital One, TD Bank, and PNC Bank are also not immune to Gustuff. Let's delve into the key characteristics that make this malware so dangerous.

Key Features of the Malware

  • Wide Range of Targets: The malware isn't just focused on cryptocurrency. It casts a wide net, targeting users of both crypto wallets and traditional banking apps.
  • Accessibility Service Abuse: It leverages Android Accessibility Services, designed to help users with disabilities, to gain full control over user interactions and sensitive data.
  • Overlay Attacks: It uses HTML overlays, served from command-and-control (C2) servers, to mimic legitimate banking and crypto app screens. This deceives users into entering their credentials into fake interfaces.
  • Remote Control Capabilities: Some variants feature remote control functionality, allowing attackers to take complete control of the infected device.
  • Data Auto-Filling: The malware can automatically fill in data fields, even in legitimate apps, with malicious information, streamlining the theft process.

This combination of features makes the malware particularly potent, as it can bypass many traditional security measures and trick even tech-savvy users into compromising their own accounts.

Which Crypto and Banking Apps Are at Risk?

Knowing which apps are being targeted is crucial for assessing your personal risk. A wide array of apps for both crypto and traditional finance are targeted, including Coinbase, BitPay, J.P. Morgan, Wells Fargo and more, and the malware can also auto-fill data fields, even in legitimate apps, with malicious information. While the list may evolve as the malware adapts, the following apps have been identified as primary targets:

Targeted Cryptocurrency Apps:

  • Coinbase
  • BitPay
  • Bitcoin Wallet
  • Cryptopay
  • (And many more - reportedly up to 32 crypto apps)

Targeted Banking Apps:

  • Bank of America
  • Bank of Scotland
  • J.P.Morgan
  • Wells Fargo
  • Capital One
  • TD Bank
  • PNC Bank
  • (And over 100 other banks globally)

It's important to note that this list is not exhaustive, and the malware may be adapted to target other apps in the future. Staying informed about the latest threats is essential for protecting your financial assets.

How Does the Android Malware Infiltrate Your Device?

Understanding the infection methods is critical for preventing malware from reaching your device in the first place. Here are some common ways this Android malware can infiltrate your phone:

  • Malicious Apps: The malware can be disguised as legitimate apps and distributed through unofficial app stores or third-party download sites.
  • Phishing Attacks: Attackers may use phishing emails or SMS messages (smishing) to trick users into downloading malicious files or clicking on links that lead to infected websites.
  • Compromised Websites: Visiting compromised websites can lead to drive-by downloads, where malware is installed on your device without your knowledge or consent.
  • Software Vulnerabilities: Exploiting vulnerabilities in your Android operating system or installed apps can allow attackers to install malware remotely.

Always be cautious about the apps you download, the links you click, and the websites you visit. Keeping your software up-to-date is also crucial for patching security vulnerabilities.

The Mechanics of the Attack: How the Malware Steals Your Data


Let's break down the attack process step-by-step to understand how this Android malware operates and steals your sensitive information:

  1. Infection: The user unknowingly installs the malicious app or clicks on a compromised link, leading to the malware being installed on their device.
  2. Accessibility Service Request: The malware requests access to Android Accessibility Services, often disguised as a necessary function for a system update or security feature. If granted, it gains extensive control over the device.
  3. Overlay Attack: When the user opens a targeted banking or crypto app, the malware displays a fake login screen (overlay) on top of the legitimate app interface. This overlay is served from a remote server controlled by the attackers.
  4. Credential Theft: The user unknowingly enters their username and password into the fake login screen, which is then captured by the malware and sent to the attackers.
  5. Data Auto-Filling: The malware can also automatically fill in other data fields, such as account numbers, security questions, and transaction details, with information stolen from the user or from a remote server.
  6. Account Takeover: With the stolen credentials, the attackers can access the user's banking or crypto accounts and transfer funds or make unauthorized transactions.

The sophisticated nature of these attacks highlights the importance of being vigilant and adopting robust security measures.

Protecting Yourself: How to Defend Against This Android Malware

While the threat is real, there are several steps you can take to protect yourself from this Android malware. Reportedly, Gustuff targets users of at least 32 cryptocurrency apps, including Coinbase and BitPay, and it also creates malicious web versions of top U.S. financial institutions like J.P. Morgan, Wells Fargo, Bank of America (BOA) and others. Prevention is always better than cure, so prioritize these security measures:

Essential Security Practices

  • Download Apps from Official Sources Only: Stick to the Google Play Store for downloading apps. Avoid third-party app stores and unofficial download sites, as they often host malicious software.
  • Review App Permissions Carefully: Before installing an app, carefully review the permissions it requests. Be wary of apps that request unnecessary or excessive permissions, especially access to Accessibility Services.
  • Enable Google Play Protect: Google Play Protect is a built-in security feature that scans apps for malware before and after installation. Make sure it's enabled on your device.
  • Keep Your Android Operating System and Apps Up-to-Date: Regularly update your Android operating system and installed apps to patch security vulnerabilities.
  • Use a Strong and Unique Password for Each Account: Avoid using the same password for multiple accounts. Use a password manager to generate and store strong, unique passwords.
  • Enable Two-Factor Authentication (2FA): Enable two-factor authentication for all your important accounts, including banking and crypto accounts. This adds an extra layer of security by requiring a second verification code in addition to your password.
  • Be Wary of Phishing Attacks: Be cautious of suspicious emails, SMS messages, and websites that ask for your personal or financial information. Never click on links or download files from untrusted sources.
  • Install a Reputable Mobile Security App: Consider installing a reputable mobile security app from a trusted vendor. These apps can help detect and remove malware, as well as provide additional security features like web protection and anti-phishing.

Recognizing Phishing Attempts

Phishing attacks are a common method for distributing malware. Here's what to look out for:

  • Suspicious Sender Addresses: Check the sender's email address carefully. Look for misspellings, unusual domain names, or generic addresses.
  • Poor Grammar and Spelling: Phishing emails often contain grammatical errors and typos.
  • Urgent or Threatening Language: Phishing emails may use urgent or threatening language to pressure you into taking immediate action.
  • Requests for Personal Information: Legitimate organizations will never ask for your sensitive information, such as passwords or credit card numbers, via email.
  • Suspicious Links or Attachments: Be wary of clicking on links or downloading attachments from untrusted sources.

What to Do If You Suspect Your Device Is Infected


If you suspect that your Android device has been infected with malware, take immediate action to minimize the damage:

  1. Disconnect from the Internet: Disconnect your device from Wi-Fi and mobile data to prevent the malware from communicating with its command-and-control server.
  2. Run a Malware Scan: Use a reputable mobile security app to scan your device for malware.
  3. Change Your Passwords: Change the passwords for all your important accounts, including banking, crypto, email, and social media.
  4. Enable Two-Factor Authentication: If you haven't already, enable two-factor authentication for all your important accounts.
  5. Contact Your Bank and Crypto Exchanges: Contact your bank and crypto exchanges to report the suspected malware infection and monitor your accounts for any unauthorized activity.
  6. Factory Reset Your Device (as a Last Resort): If you're unable to remove the malware through other means, you may need to perform a factory reset on your device. This will erase all data on your device, so be sure to back up any important files beforehand.

The Role of Android Accessibility Services in Malware Attacks

Android Accessibility Services are designed to help users with disabilities interact with their devices. However, this powerful feature can be abused by malware to gain extensive control over the device and user data. Here's how it works:

Once an app has been granted access to Accessibility Services, it can:

  • Read the content of the screen: This allows the malware to see everything that is displayed on the screen, including usernames, passwords, and financial information.
  • Simulate user actions: The malware can simulate taps, swipes, and other user actions, allowing it to interact with apps on your behalf.
  • Modify the content of the screen: The malware can modify the content of the screen, displaying fake login screens or other misleading information.

Because of the powerful capabilities granted by Accessibility Services, it's crucial to be extremely cautious about which apps you grant access to this feature. Only grant access to apps that you trust and that genuinely require Accessibility Services to function properly. Be very suspicious of apps that request access to Accessibility Services without a clear and justifiable reason.
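The grant described in this section is also what the attack steps, the "Review App Permissions Carefully" advice and the infection-response checklist above turn on, so the one check a defender most wants is a list of which packages currently hold it. The POSIX shell script below is an added example, not code from the article or from any vendor it cites. It relies on the real Android command `adb shell settings get secure enabled_accessibility_services`, which prints the enabled services as colon-separated `package/class` component names (or the literal `null` when none is enabled); the allowlist, the package names and the sample output are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit which apps hold Accessibility Service access on an
# Android device, since that grant is what overlay/auto-fill trojans rely on.
#
# On a real device the raw value comes from this (real) command:
#   adb shell settings get secure enabled_accessibility_services
# It prints colon-separated component names such as
#   com.vendor.app/com.vendor.app.SomeAccessibilityService
# or the literal string "null" when no service is enabled.

# Hypothetical allowlist: packages you deliberately granted the service to
# (TalkBack is the usual legitimate screen reader).
ALLOWLIST="com.google.android.marvin.talkback com.android.talkback"

# Constructed sample output (not captured from a real device). The second
# entry is a made-up "system update" style app of the kind the article warns
# about; such a package asking for Accessibility access is the red flag.
SAMPLE_OUTPUT="com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:com.example.sysupdate/com.example.sysupdate.UpdateService"

# is_allowlisted PKG -> exit status 0 if PKG is on ALLOWLIST
is_allowlisted() {
    for allowed in $ALLOWLIST; do
        [ "$1" = "$allowed" ] && return 0
    done
    return 1
}

# unexpected_services RAW -> prints, one per line, the package of every
# enabled accessibility service whose package is not on the allowlist.
unexpected_services() {
    raw=$(printf '%s' "$1" | tr -d '\r')      # adb output often carries CRLF
    if [ -z "$raw" ] || [ "$raw" = "null" ]; then
        return 0
    fi
    while IFS= read -r component; do
        [ -z "$component" ] && continue
        pkg=${component%%/*}                  # ComponentName = package/class
        is_allowlisted "$pkg" || printf '%s\n' "$pkg"
    done <<EOF
$(printf '%s' "$raw" | tr ':' '\n')
EOF
}

# count_unexpected RAW -> prints the number of non-allowlisted packages
count_unexpected() {
    unexpected_services "$1" | wc -l | tr -d ' '
}

# Demo against the constructed sample. To audit a real device, replace
# "$SAMPLE_OUTPUT" with "$(adb shell settings get secure enabled_accessibility_services)".
suspects=$(unexpected_services "$SAMPLE_OUTPUT")
if [ -n "$suspects" ]; then
    echo "Accessibility access is granted to packages not on the allowlist:"
    printf '%s\n' "$suspects" | sed 's/^/  /'
    echo "Inspect each with: adb shell dumpsys package <pkg>"
    echo "and revoke it under Settings > Accessibility before changing any passwords."
else
    echo "No unexpected accessibility services are enabled."
fi
```

Run the audit before, not after, changing passwords: a service that is still enabled can read the new credentials as they are typed, which is why the incident checklist's "change your passwords" step only helps once the grant has been revoked or the device has been reset.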

Gustuff and Crocodilus: Examining the Malware Variants

While the core tactics remain similar, Android malware continues to evolve. Understanding specific variants like "Gustuff" and "Crocodilus" can provide valuable insights into the threat landscape. It's important to remember that malware is constantly being updated and refined, so staying informed about the latest trends is critical.

Gustuff: A Sophisticated Banking Trojan

Gustuff, as some researchers call it, is a particularly sophisticated banking trojan that targets users of over 100 banks worldwide, as well as 32 cryptocurrency Android apps. It stands out due to its advanced features, including:

  • Automated Data Entry: Gustuff can automatically fill in data fields, even in legitimate apps, making it easier to steal information and initiate fraudulent transactions.
  • Black Screen Overlay: It can display a black screen overlay to hide its activities from the user while it's performing malicious actions.

Crocodilus: A Modern and Fully-Fledged Threat

Reportedly, Crocodilus, uncovered by ThreatFabric, is another new strain of malware that targets mobile banking apps and crypto wallets on Android phones, but it is viewed as a "fully-fledged threat." This means it enters the threat landscape equipped with all the tools necessary to effectively steal user data and access accounts.

Both Gustuff and Crocodilus demonstrate the increasing sophistication of Android malware. These threats are not simple clones of previous malware; they are designed with advanced techniques to bypass security measures and steal user data.

Staying Informed: How to Keep Up with the Latest Android Malware Threats

The threat landscape is constantly evolving, so it's essential to stay informed about the latest Android malware threats. Here are some resources that can help you stay up-to-date:

  • Security Blogs and News Sites: Follow reputable security blogs and news sites, such as BleepingComputer, Threatpost, and KrebsOnSecurity.
  • Security Vendor Websites: Visit the websites of leading security vendors, such as Google, Kaspersky, and Norton, for the latest threat intelligence.
  • Social Media: Follow security experts and organizations on social media platforms like Twitter and LinkedIn.
  • Security Alerts and Advisories: Subscribe to security alerts and advisories from your device manufacturer, security vendors, and government agencies.

Conclusion: Protecting Your Digital Assets in a Risky World

The emergence of Android malware targeting users of crypto apps like Coinbase and BitPay, as well as banking institutions, is a serious threat that demands our attention. The sophisticated techniques employed by these malicious programs, including overlay attacks and abuse of Accessibility Services, make them particularly difficult to detect and defend against. However, by understanding the threat, adopting essential security practices, and staying informed about the latest trends, you can significantly reduce your risk of becoming a victim. Remember to download apps only from official sources, review app permissions carefully, keep your software up-to-date, use strong passwords and enable two-factor authentication, and be wary of phishing attacks. Your vigilance and proactive security measures are your best defense against these evolving digital threats. In a world where our financial lives are increasingly intertwined with our mobile devices, protecting your digital assets is more critical than ever. Take control of your security and safeguard your financial future.

Juno Wren can be reached at [email protected].
