Crocodilus: The newest of many threats

What the heck is this.

Shane Brown

3/31/2025 · 4 min read

Crocodilus: The New Sophisticated Android Malware Targeting Cryptocurrency

In the ever-evolving landscape of cybersecurity threats, a new predator has emerged in the mobile space. Cybersecurity researchers have recently discovered a sophisticated Android malware called "Crocodilus" that represents a significant escalation in mobile threat capabilities. This blog post examines what Crocodilus is, who's behind it, when it emerged, where it's targeting users, and how it operates.

What is Crocodilus?

Crocodilus is a new Android banking trojan that has been discovered by cybersecurity researchers, primarily targeting users in Spain and Turkey. Despite being relatively new, this malware is not a simple clone of existing threats but rather debuts as "a fully-fledged threat from the outset, equipped with modern techniques such as remote control, black screen overlays, and advanced data harvesting via accessibility logging," according to security firm ThreatFabric.

The name "Crocodilus" is derived from developer artifacts referencing "Crocodile" found within its codebase during routine threat hunting operations. What makes this malware particularly dangerous is its comprehensive suite of capabilities, which include device takeover (DTO), remote access trojan (RAT) functionality, and sophisticated social engineering tactics.

Who is Behind Crocodilus?

The origins of Crocodilus appear to point to Turkish developers. Analysis of the source code and debug messages reveals that the malware author is likely Turkish-speaking. Researchers have also found a particular tag, "sybupdate," which potentially links it to the "sybra" threat actor, previously associated with the Ermac fork "MetaDroid" and campaigns involving Hook and Octo malware.

However, attribution remains inconclusive at this stage. The "sybra" connection could indicate that this individual or group might be the developer, distributor, or simply an early adopter of the malware.

When Did Crocodilus Emerge?

Crocodilus appears to have been discovered in March 2025. The malware represents a new entry in the mobile threat landscape but demonstrates a level of sophistication typically associated with more established threats. ThreatFabric's analysis indicates that with its advanced capabilities present from its earliest iterations, Crocodilus "demonstrates a level of maturity uncommon in newly discovered threats."

The emergence of Crocodilus comes during a period of increased banking malware activity, with a 260 percent surge in banking malware attacks observed in 2024, making this new threat part of a troubling trend.

Where is Crocodilus Targeting?

Initially, Crocodilus is actively targeting financial institutions and cryptocurrency platforms, with a current focus on:

  1. Banking applications in Spain

  2. Banking applications in Turkey

  3. Major cryptocurrency wallets across regions

However, security researchers warn that, although it was first identified in Spain and Turkey, its reach is expected to expand globally and quickly. The malware's infrastructure is designed to scale, with dynamic targeting capabilities allowing operators to push updated overlay templates and app target lists via its command and control (C2) server.

How Does Crocodilus Operate?

Crocodilus employs a sophisticated multi-stage infection and operation process:

Initial Infection

The malware uses a proprietary dropper that bypasses Android 13 (and later) security protections, installing the malware without triggering Play Protect while also bypassing Accessibility Service restrictions. The dropper masquerades as legitimate applications, with one variant identified as masquerading as Google Chrome (package name: "quizzical.washbowl.calamity").

Typical infection vectors include:

  • Malicious websites

  • Fake promotions on social media

  • SMS phishing campaigns

  • Third-party app stores

Gaining Control

Once installed, Crocodilus requests Accessibility Service permissions, which its operators abuse to take control of the device. "Once granted, the malware connects to the command-and-control (C2) server to receive instructions, including the list of target applications and the overlays to be used."

By abusing the Accessibility Service, normally reserved for aiding people with disabilities, Crocodilus gains the ability to:

  • Access screen content

  • Perform navigation gestures

  • Monitor app launches

  • Log keystrokes and screen interactions

Stealing Credentials and Cryptocurrency

What makes Crocodilus particularly dangerous is its two-pronged approach to stealing sensitive information:

  1. Banking Credential Theft: When the victim opens a targeted banking or cryptocurrency app, Crocodilus loads a fake overlay on top of the real app to intercept the victim's account credentials.

  2. Cryptocurrency Wallet Theft: One of the most insidious aspects of Crocodilus is its ability to simulate original wallet app screens, prompting the user to disclose critical data such as the seed phrase. It displays a deceptive message: "Back up your wallet key in the settings within 12 hours. Otherwise, the app will be reset, and you may lose access to your wallet." This social engineering tactic tricks users into navigating to their seed phrase, which the malware then captures.

Advanced Surveillance Capabilities

Crocodilus features an "Accessibility Logger" that goes beyond traditional keylogging. By hooking into Android's Accessibility API, Crocodilus enumerates and logs all UI elements and events: text inputs, button labels, and dynamic content such as OTP codes from apps like Google Authenticator.

The malware can even trigger a screen capture of the contents of the Google Authenticator application, effectively bypassing two-factor authentication protections.

Remote Control Features

A key distinguishing feature of Crocodilus is its comprehensive Remote Access Trojan (RAT) functionality. The malware's "hidden" mode deploys a full-screen black overlay and mutes device audio to conceal unauthorized operations. This allows attackers to:

  • Take complete control of the device remotely

  • Initiate transactions without the user's knowledge

  • Extract sensitive information

  • Bypass security measures

How to Protect Yourself

To protect against Crocodilus and similar threats, consider the following precautions:

  1. Only download apps from official sources: Avoid sideloading applications and stick to the Google Play Store.

  2. Keep Play Protect active: Ensure that Google's built-in security features are enabled on your device.

  3. Be suspicious of permission requests: Be wary of applications requesting Accessibility Service access, especially if they don't have a legitimate need for it.

  4. Use security solutions: Install reputable mobile security software that can detect and prevent malware infections.

  5. Keep your device updated: Regularly install security patches and updates for your Android device.

  6. Use hardware wallets: For cryptocurrency users, consider using hardware wallets rather than mobile wallet applications for your most valuable holdings.
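The Accessibility Service abuse described under "Gaining Control", and precaution 3 above, can be checked for on a connected device with adb. The script below is an added example, not code from the original post or from any of its sources; it assumes adb is installed, and the sample strings are constructed to mirror what `settings get secure enabled_accessibility_services` and `pm list packages -3` return.

```shell
#!/bin/sh
# Added example, not from the original post. Flags third-party (non-system)
# apps that hold Accessibility Service access, the permission Crocodilus
# abuses. Live use assumes adb and an attached device.

# Android stores enabled services in the secure setting
# "enabled_accessibility_services" as a colon-separated list of
# "package/ServiceClass" entries. "pm list packages -3" lists third-party
# packages, one per line, as "package:<name>".

# flag_accessibility_abusers <enabled-services-string> <pm-list-output>
# Prints each third-party package that has an enabled accessibility service.
# Exit status 0 if at least one was found, 1 otherwise (grep-like).
flag_accessibility_abusers() {
    enabled=$1
    third_party=$2
    rc=1
    old_ifs=$IFS
    IFS=':'
    for entry in $enabled; do
        pkg=${entry%%/*}            # strip "/ServiceClass"
        [ -n "$pkg" ] || continue
        # Fixed-string, whole-line match so "com.a.b" cannot match "com.a.bx"
        if printf '%s\n' "$third_party" | grep -qxF "package:$pkg"; then
            echo "$pkg"
            rc=0
        fi
    done
    IFS=$old_ifs
    return $rc
}

# Pulls both lists from the attached device; tr strips CRs that adb may emit.
live_check() {
    flag_accessibility_abusers \
        "$(adb shell settings get secure enabled_accessibility_services | tr -d '\r')" \
        "$(adb shell pm list packages -3 | tr -d '\r')"
}

# Constructed sample: TalkBack (preinstalled, so absent from the -3 list) and
# the Chrome-impersonating Crocodilus package named in the post. The service
# class names here are placeholders, not real indicators.
SAMPLE_ENABLED='com.google.android.marvin.talkback/.TalkBackService:quizzical.washbowl.calamity/.PlaceholderService'
SAMPLE_PKGS='package:com.example.bank
package:quizzical.washbowl.calamity
package:com.example.wallet'

flag_accessibility_abusers "$SAMPLE_ENABLED" "$SAMPLE_PKGS"   # prints quizzical.washbowl.calamity
```

A preinstalled screen reader is not flagged because it never appears in the third-party list; anything that is flagged deserves a closer look at where it came from.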

Conclusion

The emergence of Crocodilus represents a significant evolution in mobile malware capabilities. Its sophisticated approach to device takeover, credential theft, and cryptocurrency targeting makes it a formidable threat in the cybersecurity landscape. As this malware continues to evolve and potentially expand its targeting beyond Spain and Turkey, maintaining vigilance and implementing strong security practices will be essential for Android users, particularly those active in cryptocurrency.

Sources

  1. The Hacker News - "New Android Trojan Crocodilus Abuses Accessibility to Steal Banking and Crypto Credentials"

  2. GB Hackers - "Crocodilus: A New Malware Targeting Android Devices for Full Takeover"

  3. Bleeping Computer - "New Crocodilus malware steals Android users' crypto wallet keys"

  4. CryptoTVPlus - "The 'Crocodilus' Android malware hijacks devices to steal crypto"

  5. Cybersecurity News - "Crocodilus - A New Android Malware Remotely Control Your Android Devices"

  6. IBTimes - "Crocodilus: New Android Malware Remotely Controls Devices To Hijack Crypto Wallets"

  7. Crypto Breaking News - "Uncover the Threat: How Android Malware 'Crocodilus' Hijacks Phones to Steal Cryptocurrency"

  8. Cointelegraph - "Android malware 'Crocodilus' can take over phones to steal crypto"

  9. Mobile ID World - "New Crocodilus Android Banking Malware Targets Spain and Turkey with Advanced RAT Capabilities"

  10. Cryptonomist - "Crocodilus: the new Android malware that steals crypto wallets and bypasses 2FA, it's a global alert"