New Android Malware Crocodilus Targets Crypto Wallets with Advanced Social Engineering Tactics
A new Android malware, named Crocodilus, is causing alarm among mobile users, particularly those with cryptocurrency wallets.
Recently uncovered by fraud prevention experts at ThreatFabric, this malicious software is designed to trick users into handing over their sensitive wallet credentials, specifically their seed phrases, through a combination of deceptive overlays and sophisticated social engineering techniques.
Although recently observed targeting users in Spain and Turkey, the malware’s advanced capabilities suggest a broader rollout could follow.
How Crocodilus Exploits Accessibility Features to Bypass Security
Crocodilus is delivered by a custom dropper that bypasses the security measures introduced in Android 13 and later and evades Google Play Protect.
Once installed, it requests the Accessibility Service permission, a feature designed to aid users with disabilities, which in this case is abused to read screen content and interact with other applications.
With these permissions, Crocodilus can perform a range of actions without the device owner noticing.
The malware’s most insidious feature is a fake warning overlay that prompts users to back up their wallet key within 12 hours, threatening the loss of access to the wallet.
This prompt is designed to lure victims into revealing their seed phrase, which the malware then logs using an accessibility logger.
With this critical information, attackers gain complete control over the wallet.
A Growing Threat with Remote Access Capabilities
Crocodilus is more than just a credential-stealing tool.
It also functions as a Remote Access Trojan (RAT), providing cybercriminals with control over the infected device.
The malware can simulate gestures, swipe across the screen, and take screenshots, including of two-factor authentication apps such as Google Authenticator.
This means it can not only steal the seed phrase but also bypass multi-factor authentication (MFA), making it a significant threat to both crypto wallets and bank accounts.
Once active, the malware can even mute the device or overlay a black screen to hide its activities from the user.
This makes it nearly impossible for victims to detect any abnormal behaviour while their data is being harvested.
Targeting Users in Spain and Turkey – But A Broader Rollout Is Likely
At present, Crocodilus has primarily been observed targeting users in Spain and Turkey, with evidence suggesting that the malware's creators are focusing on these regions.
The use of Turkish-language debug code indicates a possible origin, but as the malware evolves, its reach is expected to expand.
The exact method of initial infection remains unclear, but experts suggest that users are being tricked into downloading the malware through malicious websites, social media promotions, fake ads, and third-party app stores.
Aleksandar Eremin, head of mobile threat intelligence at ThreatFabric, explained,
“Crocodilus is masquerading as crypto-related apps and involves specific social engineering techniques to make victims reveal the secrets stored inside cryptocurrency wallet applications.”
He went on to emphasise the growing interest of cybercriminals in targeting cryptocurrency users and their wallets.
A Malware-as-a-Service Threat on the Rise
Despite being a newcomer to the world of mobile threats, Crocodilus has quickly shown that it is capable of rivalling established malware-as-a-service offerings in underground cybercrime markets.
Its features, including remote control, data logging, and the ability to bypass MFA apps, make it a highly effective tool in the hands of cybercriminals.
Eremin highlighted that although Crocodilus is a relatively new threat in the mobile malware space, its extensive capabilities could position it as a strong competitor to well-established malware-as-a-service operations on underground markets.
Protecting Yourself from Crocodilus
While Crocodilus is a serious threat, users can still take steps to reduce their risk.
First and foremost, users should never share their cryptocurrency wallet’s seed phrase.
No legitimate app will ever ask for it via a pop-up or notification.
Storing the seed phrase offline in a secure location is crucial.
Furthermore, users should avoid installing apps from third-party sources, including links in SMS messages or social media ads.
Sticking to the Google Play Store is the safest bet, as it is actively monitored for malicious apps.
Enabling Google Play Protect and regularly updating the Android OS and apps is essential for keeping malware at bay.
Users should also be cautious when granting apps unnecessary permissions, especially when it comes to Accessibility Service or Device Admin privileges.
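One way to audit the accessibility permission the article warns about, as an added example that is not code from the article or from ThreatFabric: the script below parses the Android secure setting `enabled_accessibility_services` (readable over ADB) and flags any enabled service whose package is not on an allowlist; the allowlist, the placeholder package name and the sample value are constructed for illustration.

```python
"""Flag enabled Android accessibility services not on an allowlist.

Added example, not code from the article or ThreatFabric. It parses the
Android secure setting `enabled_accessibility_services` (readable with
`adb shell settings get secure enabled_accessibility_services`): a
colon-separated list of `package/ServiceClass` component names.
The allowlist and sample value below are constructed.
"""
from __future__ import annotations

# Constructed allowlist (assumption: replace with services you approve).
KNOWN_GOOD_PACKAGES = {
    "com.android.talkback",
    "com.google.android.marvin.talkback",
}

def parse_enabled_services(setting_value: str) -> list[tuple[str, str]]:
    """Split the setting into (package, service_class) pairs.

    'null' or empty means no service is enabled. The short form 'pkg/.Cls'
    expands to 'pkg/pkg.Cls', as ComponentName.unflattenFromString does.
    """
    value = (setting_value or "").strip()
    if not value or value == "null":
        return []
    pairs = []
    for entry in value.split(":"):
        entry = entry.strip()
        if "/" not in entry:
            continue  # skip blanks and malformed entries
        pkg, cls = entry.split("/", 1)
        if cls.startswith("."):
            cls = pkg + cls
        pairs.append((pkg, cls))
    return pairs

def find_unexpected_services(setting_value: str,
                             known_good=KNOWN_GOOD_PACKAGES) -> list[str]:
    """Return enabled services whose package is not on the allowlist."""
    return [f"{pkg}/{cls}" for pkg, cls in parse_enabled_services(setting_value)
            if pkg not in known_good]

# Constructed sample: a legitimate screen reader plus an unknown service
# (placeholder package name, not a real indicator).
SAMPLE_SETTING = (
    "com.google.android.marvin.talkback/"
    "com.google.android.marvin.talkback.TalkBackService:"
    "com.example.walletupdate/.A11yService"
)
```

Feed `find_unexpected_services` the raw output of the ADB command; anything it returns is a service that can read the screen and inject input and deserves a look.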
For added protection, consider installing reputable mobile security apps and using hardware-based two-factor authentication keys.
By staying vigilant and following best practices, users can significantly lower their chances of falling victim to Crocodilus or similar malware.