New Crocodilus malware steals Android users’ crypto wallet keys

March 30, 2025

Crocodile

A newly discovered Android malware dubbed Crocodilus tricks users into providing the seed phrase for the cryptocurrency wallet using a warning to back up the key to avoid losing access.

Although Crocodilus is a new banking malware, it features fully developed capabilities to take control of the device, harvest data, and remote control.

Researchers at fraud prevention company ThreatFabric say that the malware is distributed via a proprietary dropper that bypasses Android 13 (and later) security protections.

The dropper installs the malware without triggering Play Protect while also bypassing Accessibility Service restrictions.

What makes Crocodilus special is that it integrates social engineering to make victims provide access to their crypto-wallet seed phrase.

It achieves this through a screen overlay warning users to “back up their wallet key in the settings within 12 hours” or risk losing access to their wallet.

**Bogus message served to cryptocurrency holders***Source: ThreatFabric*

“This social engineering trick guides the victim to navigate to their seed phrase (wallet key), allowing Crocodilus to harvest the text using its Accessibility Logger,” ThreatFabric explains.

“With this information, attackers can seize full control of the wallet and drain it completely,” the researchers say.

In its first operations, Crocodilus was observed targeting users in Turkey and Spain, including bank accounts from those two countries. Judging from the debug messages, it appears that the malware is of Turkish origin.

It is unclear how the initial infection occurs, but typically, victims are tricked into downloading droppers through malicious sites, fake promotions on social media or SMS, and third-party app stores.

When launched, Crocodilus gains access to Accessibility Service, normally reserved for aiding people with disabilities, to unlock access to screen content, perform navigation gestures, and monitor for app launches.

**Requesting Accessibility Service permission***Source: ThreatFabric*

When the victim opens a targeted banking or cryptocurrency app, Crocodilus loads a fake overlay on top of the real app to intercept the victim’s account credentials.

The bot component of the malware supports a set of 23 commands that it can execute on the device, including:

Enable call forwarding
Launch a specific application
Post a push notification
Send SMS to all contacts or a specified number
Get SMS messages
Request Device Admin privileges
Enable a black overlay
Enable/disable sound
Lock screen
Make itself the default SMS manager

The malware also offers remote access trojan (RAT) functionality, which enables its operators to tap on the screen, navigate the user interface, perform swipe gestures, and more.

There’s also a dedicated RAT command to take a screenshot of the Google Authenticator application and capture one-time password codes used for two-factor authentication account protection.

While executing these actions, Crocodilus operators can activate a black screen overlay and mute the device to hide the activity from the victim and make it appear as if the device is locked.

Although Crocodilus appears to have a specific targeting limited to Spain and Turkey right now, the malware could expand operations soon, adding more apps to its target list.

Android users are advised to avoid downloading APKs from outside Google Play and to ensure that Play Protect is always active on their devices.