Cybersecurity experts warn about the emergence of a new, powerful mobile banking malware called Crocodilus, which targets Android devices and steals sensitive crypto wallet credentials using social engineering tactics.

How Does Crocodilus Work?

Research by Threat Fabric has revealed that Crocodilus is distributed through a specialized dropper that bypasses Android 13+ restrictions.

“Despite being new, it already possesses all the key features of modern banking malware: overlay attacks, keylogging, remote access, and hidden device control capabilities,” analysts noted.

Similar malware targeting cryptocurrency wallets is not new. For example, in October 2024, the FBI warned about SpyAgent, a malicious program linked to North Korean hackers.

However, what makes Crocodilus different is its more aggressive device takeover and advanced credential theft techniques.

How Does the Malware Attack Crypto Wallets?

Once installed via a malicious application, Crocodilus asks the user to grant it Accessibility Service access, which allows it to:

  • Intercept user input;
  • Overlay fake interfaces to mask legitimate banking and crypto wallet apps;
  • Remotely control the device.

Once activated, the malware connects to a command-and-control (C2) server, receiving instructions and downloading interface overlays for attacks.

Currently, Crocodilus has been detected in Spain and Turkey, but Threat Fabric experts predict that it will soon spread globally.

How Does Crocodilus Bypass Two-Factor Authentication?

One of the most dangerous aspects of Crocodilus is its ability to bypass two-factor authentication (2FA).

To achieve this, it uses a Remote Access Trojan (RAT) command that activates screen capture at the moment a code is generated in Google Authenticator. This allows Crocodilus to steal the temporary authentication code and send it to hackers.

How the Malware Tricks Victims into Revealing Seed Phrases

Unlike many other Trojans, Crocodilus employs a unique social engineering tactic.

A message appears on the victim’s screen, urging them to back up their wallet keys within 12 hours. If they fail to do so, they are warned that the app will reset, potentially locking them out of their wallet.

Unaware of the scam, the user navigates to the wallet settings to copy their seed phrase. At this moment, Crocodilus intercepts and extracts the text using its Accessibility Logger and sends the information to attackers.

“With the stolen seed phrase, hackers can gain full control of the wallet and drain all funds,” Threat Fabric analysts explained.

How to Protect Yourself from Crocodilus?

To avoid falling victim to this malware, follow these security tips:
– Do not install apps from unknown sources – download software only from the official Google Play Store.
– Limit app permissions – do not grant unnecessary access to “Accessibility Service.”
– Use hardware wallets – storing cryptocurrency in a cold wallet reduces risks.
– Disable screen capture permissions – this makes stealing 2FA codes more difficult.
– Be cautious of suspicious notifications – do not follow urgent instructions related to your crypto wallet.
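The two permission-related tips above (unknown-source installs and Accessibility Service access) are the same signals the "How Does the Malware Attack Crypto Wallets?" section describes from the attacker's side, and both can be audited on a device. The script below is an added example written for this article, not code from Threat Fabric or from the original piece: it reads the `enabled_accessibility_services` secure setting and the `pm list packages -3 -i` output that a connected device reports over adb, and flags any accessibility service not on an allowlist and any third-party package whose installer is not the Play Store. The allowlist, the trusted-installer list and the sample device output (including the `com.example.dropper` package name) are constructed for illustration; the `audit_device` function assumes `adb` is on PATH with one device attached.

```shell
#!/bin/sh
# Added example (not from the article or Threat Fabric): audit an Android device
# for unexpected accessibility services and sideloaded apps, the two permissions
# Crocodilus relies on. Allowlists and sample output are constructed.

# Constructed allowlist: accessibility services expected on this device
# (space-separated "package/ServiceClass" entries).
ALLOWED_A11Y="com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService"

# Installer packages we trust: Google Play and the system package installer.
TRUSTED_INSTALLERS="com.android.vending com.google.android.packageinstaller"

# flag_a11y_services VALUE
#   VALUE is the output of `settings get secure enabled_accessibility_services`:
#   colon-separated "package/ServiceClass" entries, or "null" when none is enabled.
#   Prints one line per service not on the allowlist; returns 1 if any were found.
flag_a11y_services() {
    value="$1"
    found=0
    [ "$value" = "null" ] && return 0
    old_ifs="$IFS"
    IFS=:
    for svc in $value; do
        case " $ALLOWED_A11Y " in
            *" $svc "*) ;;
            *) printf 'UNEXPECTED accessibility service: %s\n' "$svc"; found=1 ;;
        esac
    done
    IFS="$old_ifs"
    return $found
}

# flag_sideloaded OUTPUT
#   OUTPUT is the text of `pm list packages -3 -i`, one third-party package per
#   line: "package:<name>  installer=<installer package or null>".
#   Prints one line per package whose installer is not trusted; returns 1 if any.
flag_sideloaded() {
    found=0
    while IFS= read -r line; do
        case "$line" in package:*) ;; *) continue ;; esac
        pkg=$(printf '%s\n' "$line" | sed -e 's/^package:\([^ ]*\).*/\1/')
        inst=$(printf '%s\n' "$line" | sed -n -e 's/.*installer=\([^ ]*\).*/\1/p')
        [ -z "$inst" ] && inst=null
        case " $TRUSTED_INSTALLERS " in
            *" $inst "*) ;;
            *) printf 'SIDELOADED package: %s (installer=%s)\n' "$pkg" "$inst"; found=1 ;;
        esac
    done <<EOF
$1
EOF
    return $found
}

# audit_device: run both checks against a connected device (assumes adb on PATH).
audit_device() {
    a11y=$(adb shell settings get secure enabled_accessibility_services | tr -d '\r')
    pkgs=$(adb shell pm list packages -3 -i | tr -d '\r')
    rc=0
    flag_a11y_services "$a11y" || rc=1
    flag_sideloaded "$pkgs" || rc=1
    return $rc
}

# Constructed sample output, as a device with TalkBack plus an unknown dropper
# service enabled and two sideloaded packages would report it.
SAMPLE_A11Y="com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:com.example.dropper/com.example.dropper.AccessService"
SAMPLE_PKGS="package:com.example.bank  installer=com.android.vending
package:com.example.dropper  installer=null
package:com.example.sideload  installer=com.example.browser"

# Offline demonstration on the constructed sample.
if flag_a11y_services "$SAMPLE_A11Y"; then echo "accessibility services: OK"; fi
if flag_sideloaded "$SAMPLE_PKGS"; then echo "installers: OK"; fi
```

Run it as-is to see the checks on the constructed sample, or call `audit_device` with a device attached. On the sample it reports the dropper's accessibility service and both packages not installed by Google Play; on a real device, any accessibility service you did not knowingly enable is worth reviewing, since this is the permission that lets the malware read input and draw overlays. App developers can also reduce the screen-capture risk the article describes by setting `FLAG_SECURE` on windows that display seed phrases or one-time codes.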

Crocodilus is a new threat to Android users, but taking the right security measures can help protect your crypto assets.