A new and highly sophisticated Android malware family named “Crocodilus” is targeting cryptocurrency users. It steals digital assets using a range of tricks. Threat Fabric discovered the malware in March 2025; its initial campaigns, launched in April 2025, focus on users in Spain and Turkey. Crocodilus employs tactics such as overlay attacks, screen recording, and SMS takeover to circumvent security measures and gain control of victims' wallets.

Crocodilus is purpose-built to steal digital assets through several different vectors. Once it infects a device, it immediately attempts to obtain accessibility service permissions, a tactic malicious apps commonly use to gain near-total control of the system. It then displays a fraudulent overlay that mimics legitimate wallet applications, deceiving users into entering their sensitive information. To make matters worse, the malware also prompts users to enter their wallet seed phrase.

Data Exfiltration and Camouflage

As soon as Crocodilus infects an Android device, it starts sending data back to its command-and-control (C2) server. This constant back-and-forth traffic results in large increases in data usage. The persistent channel lets the attackers monitor the compromised device as well as exfiltrate stolen data.

To conceal its activity, Crocodilus uses a number of tricks to evade detection. It displays a full black overlay and mutes the device’s sound so that the user does not notice anything unusual while the malware is actively stealing their information.

Crocodilus can execute up to 45 commands in total, highlighting its versatility. This large command set lets it carry out a wide range of harmful actions on the infected device.

Bypassing Security Measures

Crocodilus specifically targets two-factor authentication (2FA). This security feature adds a second layer of protection to online accounts and is a quick way to improve account security: it helps ensure that anyone seeking access to an account is who they claim to be.

The malware uses its screen-recording capability to capture verification codes from apps such as Google Authenticator. It stores those codes and sends them directly to the C2 server, letting the attackers circumvent 2FA and take over the victim’s accounts.

Crocodilus can also quickly access SMS messages and phone contacts. It does this by setting itself as the default SMS app, a technique called SMS takeover. This lets the malware intercept verification codes sent over SMS, opening yet another route to 2FA circumvention. It can further compose or modify text messages, which the C2 operators can use to interact with proprietary applications.
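A defender-side triage check for the two behaviours the article describes, accessibility-service abuse (infection section) and SMS takeover via the default SMS app (this section). This is an added example, not code from the article or from Threat Fabric; the allowlisted package names and the `com.example.fakewallet` sample values are assumptions, and the live check reads the two secure settings over adb.

```python
"""Added triage helper: flag the two device settings a Crocodilus-style
banker abuses (accessibility services and the default SMS app)."""
import subprocess
from typing import Dict, List

# Assumed allowlists of expected privilege holders; adjust for the real device.
EXPECTED_ACCESSIBILITY = {"com.google.android.marvin.talkback"}
EXPECTED_SMS_APPS = {"com.google.android.apps.messaging", "com.android.messaging"}

# Constructed sample values shaped like `adb shell settings get secure ...`;
# "com.example.fakewallet" is a hypothetical package, not a real indicator.
SAMPLE_SERVICES = ("com.google.android.marvin.talkback/.TalkBackService:"
                   "com.example.fakewallet/.AccessService")
SAMPLE_SMS_APP = "com.example.fakewallet"


def parse_accessibility_services(raw: str) -> List[str]:
    """Split 'pkg/service:pkg2/service2'; an unset setting prints 'null'."""
    raw = raw.strip()
    if raw in ("", "null"):
        return []
    return [entry for entry in raw.split(":") if entry]


def audit(services_raw: str, default_sms_pkg: str) -> Dict[str, List[str]]:
    """Return unexpected privilege holders keyed by the Crocodilus behaviour."""
    findings: Dict[str, List[str]] = {"accessibility_abuse": [], "sms_takeover": []}
    for entry in parse_accessibility_services(services_raw):
        if entry.split("/", 1)[0] not in EXPECTED_ACCESSIBILITY:
            findings["accessibility_abuse"].append(entry)
    sms_pkg = default_sms_pkg.strip()
    if sms_pkg not in ("", "null") and sms_pkg not in EXPECTED_SMS_APPS:
        findings["sms_takeover"].append(sms_pkg)
    return findings


def adb_secure_setting(key: str) -> str:
    """Read one secure setting from a connected device (needs adb on PATH)."""
    return subprocess.run(["adb", "shell", "settings", "get", "secure", key],
                          capture_output=True, text=True, check=True).stdout


if __name__ == "__main__":
    print("sample:", audit(SAMPLE_SERVICES, SAMPLE_SMS_APP))
    try:
        print("device:", audit(adb_secure_setting("enabled_accessibility_services"),
                               adb_secure_setting("sms_default_application")))
    except (FileNotFoundError, subprocess.CalledProcessError) as exc:
        print("device check skipped:", exc)
```

Any package listed under either finding deserves a closer look; a wallet or "update" app holding an accessibility service or the SMS role is exactly the footprint described above.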

Scare Tactic

To obtain these invasive permissions, Crocodilus first resorts to fear-mongering to intimidate users, showing a message such as:

Back up your wallet key in the settings within 12 hours. Otherwise, the app will be reset, and you may lose access to your wallet.

The malware uses an artificial deadline to create a sense of urgency, tricking users into tapping through and granting the permissions it needs to carry out its malicious actions.