Crocodilus malware targets crypto users

Grafa 2025/03/31 06:30
By: Liezl Gambe

A newly identified Android malware called Crocodilus has emerged, capable of hijacking devices to steal cryptocurrency through fake app overlays and accessibility exploits.

Cybersecurity firm Threat Fabric detailed the threat in a March 28 report, noting its sophisticated features and global targeting potential.

Crocodilus operates by deploying deceptive overlays when users open banking or crypto apps, displaying urgent warnings to “back up your wallet key” within 12 hours.

These prompts trick victims into exposing seed phrases, which hackers use to drain wallets.

“Once a victim provides a password from the application, the overlay will display a message: Back up your wallet key in the settings within 12 hours. Otherwise, the app will be reset, and you may lose access to your wallet. This social engineering trick guides the victim to navigate to their seed phrase wallet key, allowing Crocodilus to harvest the text using its accessibility logger,” Threat Fabric explained.

The malware bypasses Android 13 security measures by embedding itself in compromised software.

Upon installation, it requests accessibility permissions, enabling remote device control.

Threat Fabric observed that Crocodilus connects to command-and-control servers to receive instructions, including lists of target apps and overlay templates.

Once activated, the malware mutes device sounds and launches fake interfaces over legitimate apps, intercepting credentials and sensitive data.

Stolen information allows hackers to execute fraudulent transactions undetected.
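Because the malware's seed-phrase "logger" and remote control both hinge on a granted accessibility service, one concrete triage step for a device in question is to pull the enabled accessibility services and compare them against the apps expected to hold that power. The following is an added example, not code from the article or from Threat Fabric: it parses the value that `adb shell settings get secure enabled_accessibility_services` returns (a colon-separated list of `package/ServiceClass` entries) and flags any package outside a constructed allowlist; the sideloaded package name in the sample value is invented for illustration.

```python
"""Audit which apps hold Android accessibility-service access."""
from __future__ import annotations
from dataclasses import dataclass

# Packages legitimately allowed to run an accessibility service.
# Constructed allowlist for this example; tune it to the environment.
ALLOWED_PACKAGES = {
    "com.google.android.marvin.talkback",  # TalkBack screen reader
}


@dataclass(frozen=True)
class Finding:
    package: str
    service: str
    reason: str


def parse_enabled_services(value: str) -> list[tuple[str, str]]:
    """Split the raw setting value into (package, service_class) pairs.

    Empty segments (e.g. from a trailing ':') are skipped; an entry with
    no '/' is kept with an empty class so the audit can still flag it.
    """
    pairs = []
    for entry in value.split(":"):
        entry = entry.strip()
        if not entry:
            continue
        pkg, _, cls = entry.partition("/")
        pairs.append((pkg, cls))
    return pairs


def audit_accessibility_services(value: str, allowed=ALLOWED_PACKAGES) -> list[Finding]:
    """Return every enabled service that is malformed or not allowlisted."""
    findings = []
    for pkg, cls in parse_enabled_services(value):
        if not cls:
            findings.append(Finding(pkg, cls, "malformed entry (no service class)"))
        elif pkg not in allowed:
            findings.append(Finding(pkg, cls, "package not in accessibility allowlist"))
    return findings


# Constructed sample of the setting on a device where an unknown
# sideloaded app has been granted accessibility access.
SAMPLE_VALUE = (
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:"
    "com.example.sideloaded.update/com.example.sideloaded.update.Svc"
)

if __name__ == "__main__":
    for f in audit_accessibility_services(SAMPLE_VALUE):
        print(f"SUSPICIOUS: {f.package} ({f.service}): {f.reason}")
```

A flagged package is a lead for further inspection, not proof of compromise; legitimate automation and assistive apps also use this API, so keep the allowlist current.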

Threat Fabric identified initial targeting in Turkey and Spain, though analysts warn the scope may expand.

Code annotations suggest Turkish-speaking developers, with possible ties to threat actors like Sybra.

“The emergence of the Crocodilus mobile banking Trojan marks a significant escalation in the sophistication and threat level posed by modern malware… With its advanced Device-Takeover capabilities, remote control features, and the deployment of black overlay attacks from its earliest iterations, Crocodilus demonstrates a level of maturity uncommon in newly discovered threats,” the firm emphasised, highlighting its advanced capabilities.

The discovery highlights growing risks in mobile crypto security, particularly for users relying on Android devices.

While no confirmed cases of widespread attacks have been reported, the malware’s design signals a dangerous trend in targeted financial fraud.
