New Android Malware ‘Crocodilus’ Hijacks Phones to Steal Crypto

Key Points

• Fake overlays trick users into giving seed phrases
• Malware takes full control using Android accessibility tools
• Targets crypto and banking apps with remote access
•  Active attacks already found in Turkey and Spain

A dangerous new Android malware named Crocodilus is making waves in the cybersecurity world—especially among crypto users.

Discovered by cybersecurity firm Threat Fabric, this newly identified mobile malware is designed to steal sensitive data and hijack user devices. And its main targets? Crypto wallets and banking apps.

The malware uses fake screen overlays to trick users into revealing their seed phrases—critical keys to accessing and controlling cryptocurrency wallets. Once it gets the seed phrase, Crocodilus silently takes over the device, drains wallets, and leaves victims with zero balance.

🚨 New Android threat spotted: Crocodilus malware is targeting users in Spain and Turkey, posing as Google Chrome to hijack phones.

• Bypasses Android 13+ protections
• Abuses Accessibility to steal credentials
• Records screen & key actions
• Remotely controls the device
•… pic.twitter.com/hfx3rXx7Sa

— The Hacker News (@TheHackersNews) March 29, 2025

How Crocodilus Slips Past Android Security

Crocodilus doesn’t just appear out of nowhere. It often gets onto devices through infected third-party apps or software that bypass Android 13’s built-in security features.

After being installed, the malware asks the user to enable Accessibility Services—a legitimate Android function often used for assistive tools, but also one of the most abused features in malware attacks.

Once this permission is granted, the malware connects to a command-and-control (C2) server, which gives it real-time instructions. From there, it identifies which banking and crypto apps are installed on the device and prepares to intercept any credentials entered.

🚨 New Threat For Android Devices: ‘Crocodilus’ Targets Crypto Wallets 🚨

‘Initial campaigns observed by our Mobile Threat Intelligence team show targets primarily in Spain and Turkey, along with several cryptocurrency wallets. We expect this scope to broaden globally as the… pic.twitter.com/qV7m2G3MTx

— CR1337 (@cryptonator1337) March 29, 2025

Here’s where it gets even more concerning:

• When a user opens a targeted app, Crocodilus launches a fake overlay screen that looks identical to the real app.

• It mutes the device sound, so users don’t hear unusual activity happening in the background.

• It then logs sensitive text, including seed phrases, using an accessibility logger.

• A fake warning message is shown: “Back up your wallet key in the settings within 12 hours. Otherwise, the app will be reset, and you may lose access to your wallet.”

This is social engineering at its finest. It manipulates the user into willingly handing over their wallet keys.

Once the attacker has the seed phrase, they can:

• Gain full control of the crypto wallet
• Remotely access the phone
•  Perform fraudulent transactions without detection

Why Crocodilus Is More Dangerous Than Most Android Malware

Though recently discovered, Crocodilus already shows features more advanced than most typical malware. According to Threat Fabric:

A new mobile banking Trojan has emerged—#Crocodilus. Discovered during regular threat hunting, it’s already showing capabilities that rival top malware families, including device takeover and advanced credential theft.https://t.co/RlyfFxUYHe#BankingTrojan #ThreatFabric pic.twitter.com/47zPbPfFad

— ThreatFabric (@ThreatFabric) March 28, 2025

Among its capabilities:

• Advanced data harvesting via screen captures and overlay attacks

• Persistent remote control that allows threat actors to navigate the device like the user

• Stealth operation, making it extremely difficult to detect

The malware was likely developed by hackers who speak Turkish, based on notes in the source code. While initial attacks were found in Turkey and Spain, experts believe the campaign could expand worldwide.

This type of remote takeover isn’t just dangerous for individual users—it signals a new evolution in mobile cybercrime.

We’ve already seen security breaches affect major players, like the Binance and Gemini data leak, where user data was exposed. With malware like Crocodilus now operating in the wild, it’s clear that mobile crypto users are becoming an increasingly high-value target.

What You Can Do to Stay Protected

If you use crypto wallets or banking apps on Android, it’s time to take extra precautions. Here are simple steps you can follow:

• Avoid downloading apps from unofficial sources

• Never enable accessibility permissions unless you absolutely trust the app

• Check your device permissions regularly for any unknown access

• Use security tools or anti-malware apps to monitor suspicious activity

• Stay updated on crypto-related hacks and threats

In fact, recent crypto security events like the Sir trading hack that wiped out $355K show how quickly bad actors can exploit new vulnerabilities.

Governments are starting to take notice, too. California’s bold Bitcoin rights bill could shape digital rights for millions, aiming to protect users from such malicious attacks.

As we look ahead to Ethereum’s potential rise with its 2025 comeback plan, and political shifts like Bukele and Trump embracing Bitcoin, the stakes are getting higher. With adoption rising, so does the risk.

Cybercriminals know the value of your wallet. Make sure you do too.