‘Crocodilus’ Malware Steals Crypto by Tricking Android Wallet Users

  • “Crocodilus” Malware targets cryptocurrency wallets on Android devices, tricking users into revealing their seed phrases.
  • The malware operates stealthily with remote access capabilities, black screen overlays, and can bypass Android 13+ security protections.
  • Currently affecting users in Spain and Turkey, but distribution methods suggest potential for wider spread.

A sophisticated new malware named “Crocodilus” is actively targeting cryptocurrency wallets on Android devices, security researchers revealed this week. The trojan uses deceptive techniques to convince users to surrender their wallet seed phrases, potentially giving attackers complete access to victims’ digital assets.

- Advertisement -

ThreatFabric, a fraud prevention company, uncovered the threat, which disguises itself as legitimate cryptocurrency applications. The malware specifically targets crypto wallet users through tailored social engineering techniques.

“Crocodilus is masquerading as crypto-related apps and involves specific social engineering techniques to make victims reveal the secrets stored inside cryptocurrency wallet applications,” explained Aleksandar Eremin, head of mobile threat intelligence at ThreatFabric. He noted that this indicates the “specific interest of the actors behind it in targeting users of cryptocurrency wallets.”

The malware’s primary deception involves displaying a fraudulent warning message that creates urgency: “Back up your wallet key in the settings within 12 hours. Otherwise, the app will be reset, and you may lose access to your wallet.” This tactic manipulates users into entering their seed phrase, which attackers can then capture.

What makes Crocodilus particularly dangerous is its distribution method. It deploys through a proprietary dropper that can circumvent security protections on Android 13 or later versions. Once installed, the malware requests Accessibility Service permissions, allowing it to bypass restrictions and deploy screen overlays to harvest passwords.

Beyond seed phrase theft, Crocodilus functions as a remote access trojan (RAT), giving operators comprehensive control over the victim’s device. Attackers can navigate the interface, use gesture controls, and capture screenshots—all while employing a black screen overlay that keeps these activities hidden from the device owner. This capability even allows attackers to access two-factor authentication passcodes through applications like Google Authenticator.

Currently, researchers have identified victims primarily in Spain and Turkey. The malware’s debug language appears to be Turkish, suggesting possible geographic origins. However, the varied distribution channels—including malicious websites, social media, fake promotions, text messages and third-party app stores—indicate potential for wider spread.

- Advertisement -

Android users can protect themselves by exercising caution: only download applications from the official Google Play Store and avoid installing APK files from third-party sources.

Despite being new to the threat landscape, security experts are concerned about Crocodilus’s potential. “Despite being a newcomer to the mobile threat landscape,” Eremin told Decrypt, the malware’s “rich set of capabilities” could position it as a competitor to established malware-as-a-service offerings on underground markets.

✅ Follow BITNEWSBOT on Telegram, Facebook, LinkedIn, X.com, and Google News for instant updates.

Previous Articles:

- Advertisement -

Latest News

Opyl Turns to Bitcoin Treasury as Cash Crisis Deepens

Opyl Limited, an Australian biotech company, bought around 2 Bitcoin as part of a...

Theta Network Launches EdgeCloud Beta, Unveils Hybrid GPU Platform

THETA Network is launching the beta version of EdgeCloud’s hybrid edge-cloud computing platform on...

Australian Police Crack Down on Crypto ATM Scams, Contact 90 Users

Australian police contacted over 90 people linked to suspected criminal use of crypto ATMs.Victims...

Colorado Pastor Faces Judgment Over “Divine Wealth” Crypto Scam

A Colorado pastor and his wife are facing civil allegations of securities fraud for...

Theta EdgeCloud Hybrid Beta Launches, Ushering in Decentralized AI

THETA Network will launch its Theta EdgeCloud Hybrid Beta on June 25, 2025. Theta EdgeCloud...

Must Read

Top Best Metaverse Worlds To Buy Land

The metaverse has grown in our everyday conversation since Facebook announced its rebranding in October 2021 to META. The metaverse is a virtual world,...