New Android Malware Crocodilus Uses Social Tricks To Steal Crypto Keys

Stealthy Android malware evades security, steals crypto wallet keys, and hijacks devices using fake prompts and accessibility abuse. Learn how to stay protected.


A newly discovered Android malware called Crocodilus is raising concerns about its ability to steal sensitive cryptocurrency wallet credentials through social engineering. Although recently observed targeting users in Spain and Turkey, the malware’s advanced capabilities suggest a broader rollout could follow. Crocodilus is distributed through a proprietary dropper that bypasses Android 13 and later security protections, evading detection from Google’s Play Protect system.

Once installed, it requests access to the Accessibility Service, a feature intended to assist users with disabilities, but which also allows malware to monitor screen content, simulate gestures, and interact with apps. What sets Crocodilus apart is its use of a convincing overlay screen that warns users to back up their wallet key within 12 hours or risk losing access. This prompt is designed to guide victims into navigating to their crypto wallet’s seed phrase, which the malware logs using an Accessibility Logger.

With access to the seed phrase, attackers can seize full control of the wallet. Beyond seed phrase theft, Crocodilus can also load fake overlays on top of banking or crypto apps to intercept credentials. The malware’s bot component supports 23 commands, allowing it to:

- Enable call forwarding
- Read and send SMS messages
- Post push notifications
- Launch applications
- Lock the screen
- Gain device admin privileges
- Set itself as the default SMS manager
- Mute or enable sound
- Activate a black overlay

It also includes Remote Access Trojan features, enabling attackers to perform screen taps, swipe gestures, and take screenshots—specifically including Google Authenticator, allowing them to capture one-time passwords used for multi-factor authentication.

While these operations are executed, Crocodilus can activate a black screen overlay and mute the device to hide its activity, making it appear locked or inactive. The method of initial infection is not fully confirmed but is suspected to involve malicious websites, fake promotions on social media or SMS, and third-party app stores. Crocodilus is a warning sign of what’s to come in mobile cybercrime.

It reveals several troubling trends:

- Advanced evasion tactics: Malware is evolving to bypass even the latest Android protections.
- Abuse of accessibility features: These features, while essential for some users, are becoming a significant attack vector.
- Rise of social engineering: Cybercriminals are getting better at manipulating users into compromising themselves.
- Targeting of MFA and authentication apps: Even tools designed to secure your accounts are now being undermined.

While Crocodilus is sophisticated, everyday users can still take proactive steps to avoid dangerous apps and minimize their risk. Here is how:

- No legitimate app will ask you to “back up” your seed phrase via a pop-up. Write it down offline and store it securely—never enter it unless you are restoring a wallet yourself.
- Do not install APKs from third-party sites, links in SMS messages, or unknown social media promotions. Stick to the Google Play Store, which is monitored for malicious behavior.
- Go to Settings > Security > Google Play Protect to ensure it is enabled. This tool can detect and disable known malware before it causes damage.
- If an app requests Accessibility Service or Device Admin privileges, be very skeptical. Check app reviews and the developer’s history before granting such access.
- Consider installing a trusted security app (e.g., Bitdefender or Malwarebytes) for real-time protection.
- Use hardware-based keys or authenticator apps that support biometric access and screen obfuscation. Watch for malware that tries to access apps like Google Authenticator—do not keep them open in the background unnecessarily.
- Patches and security updates close vulnerabilities exploited by malware like Crocodilus. Enable automatic updates where possible.
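As an added defender-side check for the Accessibility Service and Device Admin advice above (example code, not from the original article), this Python script parses the output of `adb shell settings get secure enabled_accessibility_services` and `adb shell dumpsys device_policy` and flags packages that hold either privilege without being on an allowlist. The allowlists, the sample outputs and every package name except TalkBack are constructed for the example.

```python
from __future__ import annotations
import re

# Assumed allowlists: services and admins expected on this particular device.
ALLOWED_ACCESSIBILITY = {"com.google.android.marvin.talkback"}
ALLOWED_DEVICE_ADMINS = {"com.example.mdm"}  # hypothetical MDM agent

# Constructed `settings get secure enabled_accessibility_services` output:
# colon-separated "package/service" entries (walletupdate is a made-up package).
SAMPLE_ACCESSIBILITY = (
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:"
    "com.example.walletupdate/com.example.walletupdate.HelperService"
)
# Constructed excerpt of `dumpsys device_policy` output.
SAMPLE_DEVICE_POLICY = """Current Device Policy Manager state:
  Enabled Device Admins (User 0, provisioningState: 0):
    com.example.walletupdate/.AdminReceiver:
      uid=10231
    com.example.mdm/.MdmAdminReceiver:
      uid=10042
  mPasswordOwner=-1
"""

def parse_accessibility_services(raw: str) -> list[tuple[str, str]]:
    """Return (package, service) pairs from the enabled_accessibility_services setting."""
    return [tuple(e.split("/", 1)) for e in raw.strip().split(":") if "/" in e]

def parse_device_admins(raw: str) -> list[str]:
    """Return package names listed under 'Enabled Device Admins' in dumpsys output."""
    admins, depth = [], None
    for line in raw.splitlines():
        indent = len(line) - len(line.lstrip())
        if "Enabled Device Admins" in line:
            depth = indent  # section header; admin entries are indented deeper
            continue
        if depth is not None and line.strip() and indent <= depth:
            break  # the next section at the same level ends the admin list
        m = re.match(r"\s+([\w.]+)/\.?[\w.]+:\s*$", line)
        if depth is not None and m:
            admins.append(m.group(1))
    return admins

def audit(a11y_raw: str, policy_raw: str) -> dict[str, list[str]]:
    """Flag packages outside the allowlists; 'both' is the combination Crocodilus abuses."""
    a11y = {pkg for pkg, _ in parse_accessibility_services(a11y_raw)} - ALLOWED_ACCESSIBILITY
    admin = set(parse_device_admins(policy_raw)) - ALLOWED_DEVICE_ADMINS
    return {"unexpected_accessibility": sorted(a11y),
            "unexpected_device_admins": sorted(admin),
            "both": sorted(a11y & admin)}
```

Run `audit()` on the real command outputs from a device under review; any package reported under `both` holds exactly the pair of privileges the article warns about and deserves a closer look.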