New Malware Crocodilus Bypasses Android Security to Steal Crypto
New Android malware Crocodilus bypasses built-in security measures and steals sensitive data through fake interfaces, from bank accounts to crypto wallets.
Security researchers at ThreatFabric uncovered the Trojan malware during a broader investigation into mobile threats.
Crocodilus is highly sophisticated, using advanced techniques to evade detection, steal confidential information and digital assets, and remotely control infected devices.
The trojan stands out for its distinct set of features. It:
- generates fake screens that overlay legitimate apps,
- secretly takes control of the device,
- and gathers data using built-in logging tools.
A key component of its functionality is an Accessibility Logger: by abusing Android’s Accessibility Services, the malware captures what is rendered on screen, including password entries and displayed one-time codes.
To trick users, Crocodilus actively uses social engineering. For example, when opening a banking or crypto app, the malware displays a fake warning, claiming the user must back up their wallet key within 12 hours or risk losing access. This tactic pressures users into entering highly sensitive information, which the malware then records and sends to its operators.
Crocodilus is also able to make any remote access “hidden” – displaying a black screen overlay on top of all the activities, effectively hiding the actions performed by the malware. As a part of this “hidden” activity the malware also mutes the sound on the infected device to ensure fraudulent activities remain unnoticed by the victim,
said researchers at ThreatFabric.
In addition, the malware can also intercept data from apps that use two-factor authentication, including Google Authenticator. On command, Crocodilus captures screenshots showing one-time passcodes (OTPs), giving attackers immediate access to accounts and financial transactions.
Infection Methods and User Impact
ThreatFabric researchers report that Crocodilus infections most often begin with the installation of seemingly legitimate apps that later download the malware, allowing it to bypass Android’s standard security protections. Once installed, the Trojan malware requests access to Accessibility Services, giving it control over the device and the ability to receive real-time commands from a remote server.
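The abuse of Accessibility Services and screen overlays described above and in the feature list earlier suggests a simple device-side triage check. The script below is an added example and is not code from ThreatFabric or The Coinomist: it parses the plain-text output of three real adb commands (`settings get secure enabled_accessibility_services`, `pm list packages -3`, and `appops get <pkg> SYSTEM_ALERT_WINDOW`) and flags any third-party package that has an enabled accessibility service, rating it higher when the package also holds the draw-over-apps permission. The embedded sample output and the package names in it are constructed for illustration; the exact `appops` output format is assumed to contain a line beginning `SYSTEM_ALERT_WINDOW: <mode>`.

```python
"""Triage: flag third-party Android apps with an enabled Accessibility Service,
and escalate when they also hold SYSTEM_ALERT_WINDOW (draw over other apps).

Added example, not ThreatFabric's or The Coinomist's code. The sample output
below is constructed; package names are hypothetical.
"""
import re
import subprocess
from typing import Dict, List, Set

# Constructed output of: adb shell settings get secure enabled_accessibility_services
SAMPLE_ENABLED = (
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:"
    "com.example.pdfviewer/com.example.pdfviewer.svc.AccService"
)
# Constructed output of: adb shell pm list packages -3
SAMPLE_THIRD_PARTY = "package:com.example.pdfviewer\npackage:com.example.notes\n"
# Constructed output of: adb shell appops get <pkg> SYSTEM_ALERT_WINDOW (one entry per package)
SAMPLE_APPOPS = {
    "com.example.pdfviewer": "SYSTEM_ALERT_WINDOW: allow; time=+2h13m4s ago\n",
    "com.example.notes": "No operations.\n",
}


def parse_enabled_accessibility_services(raw: str) -> Dict[str, List[str]]:
    """Map package name -> enabled accessibility service class names.
    The setting is a ':'-separated list of 'package/ServiceClass' entries,
    or 'null' / empty when nothing is enabled."""
    result: Dict[str, List[str]] = {}
    raw = raw.strip()
    if not raw or raw == "null":
        return result
    for entry in raw.split(":"):
        pkg, _, cls = entry.partition("/")
        if pkg:
            result.setdefault(pkg, []).append(cls)
    return result


def parse_package_list(raw: str) -> Set[str]:
    """Extract package names from 'package:<name>' lines."""
    return {line[len("package:"):].strip()
            for line in raw.splitlines() if line.startswith("package:")}


def overlay_allowed(raw: str) -> bool:
    """True only when appops reports the overlay op as explicitly allowed.
    'No operations.' or 'default' are treated as not granted (assumption)."""
    m = re.search(r"^SYSTEM_ALERT_WINDOW:\s*(\w+)", raw, re.MULTILINE)
    return bool(m) and m.group(1).lower() == "allow"


def triage(enabled_raw: str, third_party_raw: str,
           appops_by_pkg: Dict[str, str]) -> List[dict]:
    """Return findings for third-party packages running an accessibility service.
    Preinstalled services (e.g. TalkBack) are not in 'pm list packages -3' and are skipped."""
    enabled = parse_enabled_accessibility_services(enabled_raw)
    third_party = parse_package_list(third_party_raw)
    findings = []
    for pkg, services in enabled.items():
        if pkg not in third_party:
            continue
        overlay = overlay_allowed(appops_by_pkg.get(pkg, ""))
        findings.append({
            "package": pkg,
            "services": services,
            "overlay": overlay,
            # accessibility + overlay is the combination the article attributes to Crocodilus
            "severity": "high" if overlay else "medium",
        })
    return findings


def adb(*args: str) -> str:
    """Run an adb shell command and return stdout (requires a connected device)."""
    return subprocess.run(["adb", "shell", *args], capture_output=True,
                          text=True, check=True).stdout


def triage_live_device() -> List[dict]:
    """Collect the three command outputs from a real device and triage them."""
    enabled_raw = adb("settings", "get", "secure", "enabled_accessibility_services")
    third_party_raw = adb("pm", "list", "packages", "-3")
    appops = {pkg: adb("appops", "get", pkg, "SYSTEM_ALERT_WINDOW")
              for pkg in parse_package_list(third_party_raw)}
    return triage(enabled_raw, third_party_raw, appops)


if __name__ == "__main__":
    # Offline run over the constructed sample; use triage_live_device() against a device.
    for finding in triage(SAMPLE_ENABLED, SAMPLE_THIRD_PARTY, SAMPLE_APPOPS):
        print(finding)
```

A hit is a lead, not a verdict: legitimate password managers and accessibility tools also appear here, so the finding is meant to drive a look at the package’s install source and signing certificate rather than an automatic uninstall.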
Initial campaigns observed by our Mobile Threat Intelligence team show targets primarily in Spain and Turkey, along with several cryptocurrency wallets. We expect this scope to broaden globally as the malware evolves,
the security experts noted.
Users whose devices fall under the control of Crocodilus face serious risks. Specifically, attackers can:
- carry out unauthorized transactions,
- completely drain bank and crypto accounts,
- and use the infected device to launch additional attacks.
Furthermore, current detection methods often fail to identify threats like this in the early stages.
Experts strongly recommend a comprehensive approach to mobile security. Users should pay close attention to app behavior and carefully review any requests for special permissions, above all Accessibility Services and the right to draw over other apps. At the same time, companies, including mobile OS developers, should implement multi-layered defense systems to keep pace with evolving threats.