New Android Malware ‘Crocodilus’ Can Take Over Devices to Drain Crypto Wallets

  • A new Android malware named Crocodilus has emerged, targeting cryptocurrency users with social engineering and accessibility abuse to steal wallet seed phrases.
  • Crocodilus is a fully developed banking Trojan, equipped with black screen overlays and data harvesting through an Accessibility Logger.

Threat Fabric, a cybersecurity company specializing in fraud prevention, has identified a new strain of mobile malware called Crocodilus, designed to infiltrate Android devices and steal sensitive user data. Unlike basic malware, Crocodilus combines overlay attacks with accessibility logging to capture banking credentials, OTPs, and crypto wallet seed phrases.

Once the malware has control of a device, it can carry out fraudulent transactions while hiding its activity from the victim. Threat Fabric's analysis concludes that Crocodilus is not just another malware variant but a fully developed banking Trojan.

Exposing Crypto Seed Phrases

One of the most alarming capabilities of Crocodilus is its ability to steal cryptocurrency wallet seed phrases through social engineering. When a victim enters their wallet PIN, the malware displays a fake warning message, stating "Back up your wallet key in the settings within 12 hours. Otherwise, the app will be reset, and you may lose access to your wallet."

This prompt pressures the victim into navigating to their wallet's seed phrase settings, where the phrase is shown on screen. Because the malware's Accessibility Logger captures on-screen content, it harvests the seed phrase the moment it is displayed and transmits it to the operators, who can then restore the wallet on their own device. With the seed phrase in hand, attackers can drain the victim's assets completely, and because blockchain transactions are irreversible there is no possibility of recovery. This tactic makes Crocodilus a particularly severe threat to cryptocurrency holders, as it targets the single most vital security element of any wallet, the seed phrase, without ever needing to break its encryption.

How Crocodilus Operates

Crocodilus is installed by a proprietary dropper, which according to Threat Fabric bypasses the restrictions Android 13 and later place on sideloaded apps (the "restricted settings" that normally stop such apps from being granted accessibility access). Once on the device, Crocodilus immediately requests Accessibility Service permission, which gives it the ability to read screen content and perform actions on the user's behalf. The malware then connects to its command-and-control (C2) server, which provides a list of targeted banking and cryptocurrency apps along with the overlays used to deceive users. "It runs continuously, monitoring app launches and displaying overlays to intercept credentials," Threat Fabric said.

One of its primary attack strategies is the overlay attack: when a targeted app is opened, Crocodilus draws a fake login screen, visually identical to the legitimate banking or wallet interface, on top of it. Whatever the victim types into the fake screen goes to the attackers, including banking credentials, cryptocurrency wallet PINs, private keys, and One-Time Passwords (OTPs) used for multi-factor authentication. Initial campaigns observed by Threat Fabric targeted users in Spain and Turkey, but the researchers expect the malware to expand globally as it evolves.

Crocodilus also functions as a keylogger, but rather than only capturing keystrokes it operates as an Accessibility Logger, recording on-screen activity and the UI elements of banking and authentication apps, including OTPs shown in authenticator apps. This lets criminals defeat MFA without physical access to the victim's device. Threat Fabric further notes that Crocodilus can mute the device and show a black screen overlay while it operates, so that fraudulent transactions carried out in the background are far less likely to be noticed by the victim.
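The two primitives described above, an enabled Accessibility Service and the overlay permission needed to draw fake login screens, are both visible in device settings. The following is an added triage example, not Threat Fabric's tooling or anything taken from the Crocodilus sample. It parses output captured from a device with three adb commands (`settings get secure enabled_accessibility_services`, `pm list packages -3`, and `appops get <package> SYSTEM_ALERT_WINDOW`) and flags user-installed packages that hold accessibility access without being on an allowlist, noting whether the same package can also draw overlays. All sample output and package names below are constructed, and the allowlist is an assumption.

```python
"""Triage check for accessibility-service abuse plus overlay permission on Android.

Added example, not Threat Fabric's tooling. It parses output captured with:

    adb shell settings get secure enabled_accessibility_services
    adb shell pm list packages -3
    adb shell appops get <package> SYSTEM_ALERT_WINDOW

The sample strings below are constructed, not from a real infection.
"""

from dataclasses import dataclass

# Constructed sample of `settings get secure enabled_accessibility_services`.
# Format: colon-separated "package/ServiceClass" entries; the class may be
# written relative to the package as ".ServiceClass". When unset, it prints "null".
ENABLED_ACCESSIBILITY = (
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:"
    "com.example.pdfviewer/.AccessService"
)

# Constructed sample of `pm list packages -3` (third-party, i.e. user-installed, apps).
THIRD_PARTY_PACKAGES = """package:com.example.pdfviewer
package:com.bank.mobile
package:org.wallet.app
"""

# Constructed sample of `appops get <pkg> SYSTEM_ALERT_WINDOW`, keyed by package.
APPOPS_OVERLAY = {
    "com.example.pdfviewer": "SYSTEM_ALERT_WINDOW: allow; time=+2d3h10m0s ago",
    "com.bank.mobile": "No operations.",
    "org.wallet.app": "SYSTEM_ALERT_WINDOW: deny; time=+5d0h0m0s ago",
}

# Assumed organisational allowlist of accessibility services that are expected.
ALLOWLIST = {"com.google.android.marvin.talkback"}


@dataclass(frozen=True)
class AccessibilityService:
    package: str
    service: str


def parse_enabled_services(raw: str) -> list[AccessibilityService]:
    """Parse the enabled_accessibility_services value into (package, class) pairs."""
    raw = raw.strip()
    if not raw or raw == "null":
        return []
    services = []
    for entry in raw.split(":"):
        if "/" not in entry:
            continue  # defensive: skip a malformed entry rather than crash
        pkg, cls = entry.split("/", 1)
        if cls.startswith("."):
            cls = pkg + cls  # expand the shorthand relative class name
        services.append(AccessibilityService(pkg, cls))
    return services


def parse_third_party_packages(raw: str) -> set[str]:
    """Parse `pm list packages -3` output into a set of package names."""
    return {
        line[len("package:"):].strip()
        for line in raw.splitlines()
        if line.startswith("package:")
    }


def overlay_allowed(appops_output: str) -> bool:
    """True if the appops output shows SYSTEM_ALERT_WINDOW in the 'allow' mode."""
    for line in appops_output.splitlines():
        if line.startswith("SYSTEM_ALERT_WINDOW:"):
            mode = line.split(":", 1)[1].strip().split(";", 1)[0].strip()
            return mode == "allow"
    return False  # "No operations." or a deny/ignore mode


def suspicious_services(
    enabled: list[AccessibilityService],
    third_party: set[str],
    allowlist: set[str],
    appops: dict[str, str],
) -> list[dict]:
    """Flag accessibility services owned by user-installed, non-allowlisted packages.

    Each finding records whether the package can also draw overlays; accessibility
    plus overlay is the combination a banking trojan needs for fake login screens
    and UI logging together.
    """
    findings = []
    for svc in enabled:
        if svc.package in third_party and svc.package not in allowlist:
            findings.append({
                "package": svc.package,
                "service": svc.service,
                "overlay": overlay_allowed(appops.get(svc.package, "")),
            })
    return findings


def triage() -> list[dict]:
    """Run the check over the constructed samples."""
    return suspicious_services(
        parse_enabled_services(ENABLED_ACCESSIBILITY),
        parse_third_party_packages(THIRD_PARTY_PACKAGES),
        ALLOWLIST,
        APPOPS_OVERLAY,
    )


if __name__ == "__main__":
    for f in triage():
        print(f"{f['package']} ({f['service']}): accessibility enabled, overlay={f['overlay']}")
```

On a stock Android 13+ device a sideloaded app should not be able to obtain accessibility access at all without the user unlocking restricted settings, so a user-installed package appearing in this list is itself worth investigating, regardless of how the dropper got it there. Run the three adb commands against the device, substitute their real output for the constructed samples, and treat any finding with `overlay=True` as the highest priority.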

Notably, Crocodilus shares similarities with StilachiRAT, a Remote Access Trojan (RAT) recently identified by Microsoft's Incident Response team. As reported earlier this month by CNF, StilachiRAT also targets cryptocurrency wallet extensions, reading Windows registry keys to detect their presence before attempting to compromise users' digital assets, highlighting a growing trend in malware targeting crypto-related infrastructure.
