
New Android Malware ‘Crocodilus’ Targets Crypto Wallets

Van Thanh Le

Mar 31 2025

Robot dodges crypto overlays on Android screens [crypto wallet]

Advanced Trojan Exploits Accessibility to Steal Keys and Bypass 2FA

A newly uncovered Android malware dubbed Crocodilus is making waves in the cybersecurity world for its highly advanced capabilities in targeting cryptocurrency wallets and banking apps. Initially detected in Spain and Turkey, the threat has been observed employing sophisticated social engineering tactics and remote access functions to seize control of user devices, according to research from cybersecurity firm ThreatFabric.


Crocodilus is distributed via a proprietary dropper capable of bypassing Android 13 and higher restrictions, a notable advancement that allows it to avoid the tightened security measures of modern Android operating systems. Once installed, the malware immediately prompts the user to enable the “Accessibility Service,” granting it broad control over the device’s interface and inputs. This feature allows it to display overlays, log keystrokes, and initiate covert remote sessions—enabling full device takeover.

Analysts describe Crocodilus as a fully equipped modern banking Trojan. Its toolkit includes overlay attacks designed to mimic legitimate apps, a keylogging function to capture typed data, and screen control mechanisms that operate without the user’s knowledge. The malware connects to a command-and-control server, which instructs it on which overlays to deploy, typically imitating login interfaces of banking apps and crypto wallets to harvest sensitive credentials.

Unlike traditional malware that passively collects information, Crocodilus takes a more manipulative approach by instructing victims to perform actions that compromise their own security. Through fake overlay messages, the malware tells users they must back up their wallet keys within a limited time frame or risk losing access. This message pushes users to navigate to their wallet’s seed phrase, which the malware then captures using its Accessibility Logger feature. With the seed phrase in hand, attackers gain the ability to fully drain the affected wallet.

ThreatFabric’s analysis points to another critical capability: bypassing two-factor authentication. Crocodilus achieves this by issuing a remote access Trojan (RAT) command to capture the contents of the Google Authenticator app. By taking a screenshot of the 2FA code at the moment it appears, the malware forwards the information to the command-and-control server, rendering one-time passcodes ineffective as a security barrier.

While previous Android malware strains like SpyAgent—attributed to North Korean threat actors—have targeted crypto users in the past, Crocodilus stands out due to its aggressive strategy of full device manipulation and guided credential theft. Researchers expect its operations to expand well beyond its current scope as the malware evolves and its infrastructure scales.

This article has been refined and enhanced by ChatGPT.

© 2017 - 2025 COIN360.com. All Rights Reserved.