Once installed, Crocodilus exploits Android’s Accessibility Service, originally designed for users with disabilities, to monitor screen content, manipulate navigation, detect app launches, and overlay fake login screens on banking and cryptocurrency apps to steal user credentials.
A newly identified Android malware, dubbed Crocodilus Malware, is targeting cryptocurrency users by tricking them into revealing their seed phrases. Security researchers warn that this sophisticated banking malware can seize control of infected devices, steal sensitive data, and execute remote commands.
According to fraud prevention firm ThreatFabric, the Crocodilus Android attack employs a deceptive technique to compromise users’ cryptocurrency wallets. It displays a fraudulent warning urging users to back up their wallet key within 12 hours to prevent losing access. Once the victim navigates to their seed phrase, the malware’s Accessibility Logger captures the information, granting attackers full control over the wallet.
Unlike conventional banking malware, Crocodilus integrates powerful features that allow it to take complete control of a device. Researchers report that it is distributed via a proprietary dropper designed to bypass the security protections introduced in Android 13 and later. The dropper installs the malware while evading detection by Play Protect and circumventing the restrictions Android places on granting Accessibility Service access to sideloaded apps.
Stealth malware hijacks Android access
Once installed, Crocodilus exploits Android’s Accessibility Service—originally intended for users with disabilities—to monitor on-screen content, manipulate navigation gestures, and detect app launches. This allows it to superimpose fake login overlays on banking and cryptocurrency apps, harvesting users' credentials without their knowledge.
Initial observations indicate that Crocodilus has been targeting users in Turkey and Spain, with affected banking institutions in both countries. Debugging messages within the malware suggest it may originate from Turkey, though its reach is expected to expand.
The exact method of infection remains unclear, but researchers suspect that victims are lured into downloading malicious apps on Android through fake promotions, fraudulent websites, social media scams, SMS phishing (smishing), and third-party app stores.
Malware gains full device control
Beyond credential theft, the Crocodilus Android malware enables attackers to intercept SMS messages, forward calls, send messages to contacts, request Device Admin privileges, modify system settings, and lock the screen. The malware can also manipulate the user interface remotely, performing tap and swipe gestures to execute commands. Additionally, it can capture screenshots, including those of Google Authenticator, to steal two-factor authentication (2FA) codes, further compromising user security.
With its remote access trojan (RAT) capabilities, Crocodilus allows cybercriminals to interact with infected devices as if they had physical access. The level of control it provides makes it a significant threat to cryptocurrency users and banking customers alike.
Stay vigilant against malware threats
Security experts advise Android users to remain vigilant and avoid downloading apps from unverified sources. Enabling Google Play Protect, scrutinizing app permissions, and being wary of unexpected security prompts are crucial steps in mitigating the risk. Additionally, users should enable hardware-based security keys or app-based multi-factor authentication (MFA) instead of SMS-based 2FA to enhance protection.
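Because Crocodilus depends on the Accessibility Service to read the screen and inject gestures, one concrete way to follow the advice above is to audit which packages currently hold that service. The script below is an added example, not code from the article or from ThreatFabric; the allowlist and the sample setting value are constructed placeholders, and the device path assumes `adb` is on the PATH.

```shell
#!/bin/sh
# Added example: list Android packages that own an enabled accessibility
# service and flag any not on a known-good allowlist. Crocodilus-style
# malware needs this service, so an unexpected entry deserves scrutiny.

# Constructed placeholder allowlist: legitimate screen readers on this
# device. Adjust to what the user knowingly enabled.
ALLOWED_PKGS="com.google.android.marvin.talkback com.android.talkback"

# Input: the raw value of the 'enabled_accessibility_services' secure
# setting, a colon-separated list of "package/Class" components exactly as
# 'adb shell settings get secure enabled_accessibility_services' prints it.
# Output: one package name per line for every component whose package is
# not on the allowlist. An empty value or "null" (no services) prints nothing.
flag_unknown_accessibility_services() {
    raw=$1
    if [ -z "$raw" ] || [ "$raw" = "null" ]; then
        return 0
    fi
    printf '%s\n' "$raw" | tr ':' '\n' | while IFS= read -r component; do
        pkg=${component%%/*}          # strip the "/Class" part
        if [ -z "$pkg" ]; then
            continue
        fi
        allowed=0
        for a in $ALLOWED_PKGS; do
            if [ "$a" = "$pkg" ]; then
                allowed=1
            fi
        done
        if [ "$allowed" -eq 0 ]; then
            printf '%s\n' "$pkg"
        fi
    done
    return 0
}

# Pull the live value from a device attached over adb and flag it.
# (Not called automatically so the script also runs without a device.)
audit_attached_device() {
    raw=$(adb shell settings get secure enabled_accessibility_services | tr -d '\r')
    flag_unknown_accessibility_services "$raw"
}

# Constructed sample: a real screen reader plus a suspicious unknown app.
SAMPLE='com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:com.example.fakeupdate/com.example.fakeupdate.OverlayService'
flag_unknown_accessibility_services "$SAMPLE"   # prints com.example.fakeupdate
```

Run `audit_attached_device` with a phone connected and USB debugging enabled to check the real setting; any flagged package should be reviewed in Settings and removed if the user did not intentionally grant it accessibility access.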
As Crocodilus continues to evolve, cybersecurity researchers are closely monitoring its activities. Users are urged to stay informed and adopt best practices to safeguard their digital assets from emerging threats.