‘Crocodilus’ Malware Steals Crypto by Tricking Android Wallet Users

  • “Crocodilus” malware targets cryptocurrency wallets on Android devices, tricking users into revealing their seed phrases.
  • The malware operates stealthily, using remote access capabilities and black screen overlays, and can bypass Android 13+ security protections.
  • Currently affecting users in Spain and Turkey, but distribution methods suggest potential for wider spread.

A sophisticated new malware named “Crocodilus” is actively targeting cryptocurrency wallets on Android devices, security researchers revealed this week. The trojan uses deceptive techniques to convince users to surrender their wallet seed phrases, potentially giving attackers complete access to victims’ digital assets.

ThreatFabric, a fraud prevention company, uncovered the threat, which disguises itself as legitimate cryptocurrency applications. The malware specifically targets crypto wallet users through tailored social engineering techniques.

“Crocodilus is masquerading as crypto-related apps and involves specific social engineering techniques to make victims reveal the secrets stored inside cryptocurrency wallet applications,” explained Aleksandar Eremin, head of mobile threat intelligence at ThreatFabric. He noted that this indicates the “specific interest of the actors behind it in targeting users of cryptocurrency wallets.”

The malware’s primary deception involves displaying a fraudulent warning message that creates urgency: “Back up your wallet key in the settings within 12 hours. Otherwise, the app will be reset, and you may lose access to your wallet.” This tactic manipulates users into entering their seed phrase, which attackers can then capture.

What makes Crocodilus particularly dangerous is its distribution method. It deploys through a proprietary dropper that can circumvent security protections on Android 13 or later versions. Once installed, the malware requests Accessibility Service permissions, allowing it to bypass restrictions and deploy screen overlays to harvest passwords.

Beyond seed phrase theft, Crocodilus functions as a remote access trojan (RAT), giving operators comprehensive control over the victim’s device. Attackers can navigate the interface, use gesture controls, and capture screenshots—all while employing a black screen overlay that keeps these activities hidden from the device owner. This capability even allows attackers to access two-factor authentication passcodes through applications like Google Authenticator.

Currently, researchers have identified victims primarily in Spain and Turkey. The malware’s debug language appears to be Turkish, suggesting possible geographic origins. However, the varied distribution channels—including malicious websites, social media, fake promotions, text messages and third-party app stores—indicate potential for wider spread.

Android users can protect themselves by exercising caution: only download applications from the official Google Play Store and avoid installing APK files from third-party sources.
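
A defender-side check for the Accessibility Service and sideloading points above, as an added example that is not from the article or from ThreatFabric: it parses captured output of `adb shell settings get secure enabled_accessibility_services` and `adb shell pm list packages -i` and lists enabled accessibility services whose package was not installed by Google Play. The sample output and package names are constructed, and the `allowlist` parameter is an assumption to cover preinstalled services.

```python
# Added example: flag enabled accessibility services from non-Play installs.
import re

PLAY_STORE = "com.android.vending"  # installer package name of Google Play

def parse_enabled_services(raw):
    """Split the colon-separated 'package/class' list into (package, class)."""
    raw = raw.strip()
    if not raw or raw == "null":  # 'null' means no service is enabled
        return []
    parts = [c.partition("/") for c in raw.split(":") if c]
    return [(pkg, cls) for pkg, _, cls in parts]

def parse_installers(raw):
    """Map package name -> installer from 'pm list packages -i' lines."""
    installers = {}
    for line in raw.splitlines():
        m = re.match(r"package:(\S+)\s+installer=(\S+)", line.strip())
        if m:
            installers[m.group(1)] = m.group(2)
    return installers

def flag_sideloaded_services(services_raw, packages_raw, allowlist=()):
    """Return enabled services whose package was not installed by Google Play."""
    # Preinstalled system apps also report installer=null, so known-good
    # system services belong in the allowlist (an assumption of this example).
    installers = parse_installers(packages_raw)
    findings = []
    for pkg, cls in parse_enabled_services(services_raw):
        installer = installers.get(pkg, "unknown")
        if installer != PLAY_STORE and pkg not in allowlist:
            findings.append({"package": pkg, "service": cls, "installer": installer})
    return findings

# Constructed sample output (hypothetical package names, not real indicators).
SAMPLE_SERVICES = (
    "com.google.android.marvin.talkback/.TalkBackService:"
    "com.example.walletupdate/com.example.walletupdate.svc.HelperService"
)
SAMPLE_PACKAGES = (
    "package:com.google.android.marvin.talkback  installer=com.android.vending\n"
    "package:com.example.walletupdate  installer=null\n"
    "package:com.example.notes  installer=com.android.vending\n"
)

if __name__ == "__main__":
    for f in flag_sideloaded_services(SAMPLE_SERVICES, SAMPLE_PACKAGES):
        print("review:", f["package"], f["service"], "installer=" + f["installer"])
```

A flagged entry is a prompt for review, not a verdict: a sideloaded app holding an accessibility grant is the combination the article describes, but legitimate apps can match it too.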

Security experts are concerned about Crocodilus’s potential. “Despite being a newcomer to the mobile threat landscape,” Eremin told Decrypt, the malware’s “rich set of capabilities” could position it as a competitor to established malware-as-a-service offerings on underground markets.
