Catenaa, Friday, April 11, 2025 - A newly discovered Android malware, Crocodilus, is raising concerns due to its ability to steal cryptocurrency wallet credentials through social engineering. The malware has so far been observed mainly in Spain and Turkey, but its sophisticated capabilities suggest a broader rollout may follow.
Crocodilus is delivered through a dropper that bypasses the security protections of Android 13 and later, evading detection by Google's Play Protect system. Once installed, it requests access to the Accessibility Service, which is intended to assist users with disabilities but can also be abused by malware to read screen content and simulate taps and gestures.
One of the malware’s most troubling features is its use of a convincing overlay. It warns users to back up their wallet key within 12 hours, prompting them to reveal their crypto wallet’s seed phrase. The malware then logs this information using an Accessibility Logger, allowing attackers full control over the wallet.
Crocodilus can also overlay fake screens on banking and crypto apps to steal login credentials. Its bot component supports 23 commands, including enabling call forwarding, reading and sending SMS messages, and taking screenshots, particularly targeting Google Authenticator for multi-factor authentication (MFA) codes.
The exact method of infection remains unclear, but it is believed to spread through malicious websites, social media promotions, or third-party app stores.
To protect against Crocodilus, experts recommend that users never share their wallet seed phrases, avoid sideloading apps, and keep Google Play Protect enabled. They also suggest being cautious with app permissions, using reputable security apps, and regularly updating Android devices.
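The Accessibility Service abuse described above, together with the advice about sideloading and app permissions, suggests one quick check a responder can run on a device. This is an added example, not code from the article or from any vendor: a Python helper that parses the output of two adb commands (`adb shell settings get secure enabled_accessibility_services` and `adb shell pm list packages -3 -i`) and flags third-party apps that hold Accessibility access but were not installed from the Play Store. The sample command output and the package names in it are constructed.

```python
# Added example (not from the article): triage helper that flags Android apps
# holding Accessibility Service access without having come from the Play Store.
# Inputs are the text output of two adb commands, embedded here as CONSTRUCTED samples:
#   adb shell settings get secure enabled_accessibility_services
#   adb shell pm list packages -3 -i
from typing import Dict, List

PLAY_STORE_INSTALLER = "com.android.vending"

# Constructed sample: enabled services are colon-separated "package/class" entries.
ENABLED_SERVICES = (
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService"
    ":com.example.droppedapp/.AccessibilitySvc"
)

# Constructed sample of `pm list packages -3 -i` (third-party apps with their installer).
PACKAGE_LIST = """\
package:com.google.android.marvin.talkback  installer=com.android.vending
package:com.example.droppedapp  installer=null
package:com.bank.legit  installer=com.android.vending
"""


def parse_enabled_services(value: str) -> List[str]:
    """Return the package names that currently have an Accessibility Service enabled."""
    if not value or value.strip() == "null":
        return []
    return [entry.split("/", 1)[0] for entry in value.strip().split(":") if entry]


def parse_installers(text: str) -> Dict[str, str]:
    """Map package name -> installer package ('null' when sideloaded or unknown)."""
    installers: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("package:"):
            continue
        pkg, _, rest = line[len("package:"):].partition("installer=")
        installers[pkg.strip()] = rest.strip() or "null"
    return installers


def suspicious_accessibility_apps(services: str, packages: str) -> List[str]:
    """Third-party apps with Accessibility access that did not come from the Play Store.
    A hit is a lead for manual review of the app, not by itself proof of malware."""
    installers = parse_installers(packages)
    return [pkg for pkg in parse_enabled_services(services)
            if pkg in installers and installers[pkg] != PLAY_STORE_INSTALLER]


if __name__ == "__main__":
    for pkg in suspicious_accessibility_apps(ENABLED_SERVICES, PACKAGE_LIST):
        print(f"review: {pkg} has Accessibility access and was not installed from the Play Store")
```

System apps do not appear in the `-3` listing, so the check only looks at user-installed packages; pair it with a review of recently granted permissions on the flagged app.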
