Crocodilus Malware Steals Crypto Wallet Info on Android



Cybersecurity researchers have recently identified a new, “highly capable” mobile banking malware named Crocodilus that targets Android devices and uses social engineering to get users to give away their sensitive crypto wallet credentials. The well-known cybersecurity firm Threat Fabric discovered this malware in their recent research.

Threat Fabric analysts noted that even though it is new, it already has almost all the features expected of modern banking malware, such as overlay attacks, keylogging, remote access, and hidden remote control. This is not the first time attackers have built such sophisticated Android malware to steal cryptocurrency private keys.

In October 2024, the FBI issued a warning about a similar malware known as SpyAgent, which they linked to North Korean hackers.

However, Threat Fabric posted on X that what is different in this new mobile banking Trojan, Crocodilus, is “device takeover and advanced credential theft.” Further supporting this, their research confirmed that this malware spreads through a proprietary dropper that can bypass Android 13+ restrictions.

Source: Threat Fabric
Crocodilus Uses Fake Screens To Target Banks And Crypto Accounts

“Crocodilus malware operates on a modus operandi akin to contemporary device takeover banking Trojans,” as analysts pointed out. They also said that after being installed by a proprietary dropper, the malware asks for the “Accessibility Service” to be turned on.

It connects to the command-and-control (C2) server for instructions such as overlays and other tools to steal credentials. During its early stages, the Mobile Threat Intelligence team identified the threat in Spain and Turkey, targeting several crypto wallets.

As the malware adapts to different targets, the team said, “We expect this pattern to grow around the world as the malware evolves.”

Furthermore, the malware gets around two-factor authentication (2FA) by using a RAT command that triggers a screen capture of the content on the Google Authenticator app’s screen. Crocodilus takes a picture of the code that shows up on the Google Authenticator app screen and sends it to the C2.

Malware Coaxes Users Into Giving Away Sensitive Data

Unlike other Trojans, Crocodilus overlays the targeted crypto wallet and asks victims to back up their wallet keys. “It says, ‘Go to settings and back up your wallet key within 12 hours.’ The text at the top of the screen warns you that if you don’t, the app will reset and you could lose your wallet.

This hack uses social engineering to guide victims to their seed phrase. In turn, this lets Crocodilus use its Accessibility Logger to get the text. With this kind of information, attackers can seize full control of the wallet and drain it completely,” Threat Fabric analysts said.

Crocodilus is a serious threat to Android users, especially those who hold or work with crypto, because it combines several advanced tactics. It is therefore important to always double-check any app before granting it the Accessibility Service permission, and never to share your seed phrase. If something feels strange, it is better to stay away from it or to use it only after fully understanding it. Lastly, keeping apps updated also helps protect against such threats.
