Crocodilus: the new Android malware that steals crypto wallets and bypasses 2FA, it’s a global alert


A new malware called Crocodilus targets Android devices with the aim of stealing private keys, sensitive credentials, and two-factor authentication (2FA) codes from cryptocurrency wallets. Initially discovered in Spain and Turkey, Crocodilus uses highly sophisticated techniques of social engineering, remote control, and overlay phishing to take full control of the victim’s device. The threat is considered rapidly evolving and with the potential for global spread.

Let’s examine in detail the technical characteristics of Crocodilus, its operation, and the countermeasures to adopt.

What is the Crocodilus malware

Crocodilus belongs to the category of Android banking trojans and has been identified by the Threat Fabric team as a modular and advanced mobile threat. Despite being a relatively recent variant, it already exhibits typical characteristics of new-generation mobile malware:

  • Overlay attacks
  • Keyboard logging
  • Remote access and device control
  • Tricks to evade advanced Android defenses

The malware behaves like a classic Device Takeover Trojan, requiring the activation of the accessibility service at the time of installation, which provides it with full access to the screen, the virtual keyboard, and the ability to simulate touches or input.

Techniques of attack employed

The operational methods of Crocodilus are based on a lethal combination of social engineering and exploitation of the permissions required to operate.

Main features of the malware:

  • Full access to the device through abuse of the accessibility service
  • Phishing technique via overlay to capture sensitive data
  • Advanced keylogger with input recording capabilities even in secure apps
  • Screenshots invisible to the user, used to steal codes from 2FA apps
  • Communication with C2 server for transmission of stolen data
  • Active evasion of protections in Android 13+ systems

Dissemination and Purpose

The malware was first identified in Spain and Turkey, but researchers predict a rapid global expansion of its reach. The main goal of Crocodilus is the systematic theft of cryptocurrencies, particularly from the main crypto apps installed on Android.

Among the identified targets:

  • Crypto wallets (Trust Wallet, MetaMask, Exodus)
  • Banking and investment apps
  • Two-factor authentication apps (Google Authenticator, Authy, etc.)

Mechanism of seed phrase and 2FA theft

One of the most insidious aspects of Crocodilus is its ability to simulate original wallet app screens, prompting the user to disclose critical data such as the seed phrase. This occurs through fake messages displayed in overlay, for example:

“Back up the key of your wallet in the settings within 12 hours. Otherwise, the app will be reset.”

This strategy pushes the user to access their seed phrase, which is captured thanks to the screen recording function of the malware combined with the keylogger.

In parallel, Crocodilus is capable of capturing screenshots of the apps that generate temporary authentication codes, thus bypassing the protection provided by 2FA. Once in possession of the private key and the temporary code, the attackers gain full access to the compromised wallet.

Differences compared to other mobile threats

Similar threats have also been reported in the past. The FBI, for example, in October 2024 issued a warning for the malware SpyAgent, attributed to North Korean APT groups. However, Crocodilus presents a higher level of sophistication, especially for:

  • The ability to dynamically interact with the user interface
  • The synergistic use of overlay and accessibility
  • A modular infrastructure regularly updated

All these characteristics make it a malware that is difficult to detect by traditional mobile antivirus tools.

How to protect oneself

To counter the effectiveness of Crocodilus, it is essential to adopt careful preventive measures, both as users and as developers of financial applications.

Tips for Android users:

  • Avoid downloading apps from unofficial stores or links
  • Refuse suspicious requests for activation of the accessibility service
  • Keep Android and the installed apps updated
  • Install reliable antivirus applications
  • Activate two-step verification only through programs that support biometric protection
  • Avoid saving or publicly displaying your seed phrase

Signals that could indicate an infection:

  • Appearance of unknown screens or fake popups
  • Sudden change in behavior of already installed apps
  • Slowdowns and anomalous behavior of the phone
  • Apps that request overly invasive permissions without reason

Guidelines for developers:

  • Limit the use of non-essential overlays in sensitive apps
  • Detect active accessibility services in crypto apps and notify the user
  • Strengthen protection against screen recording and screenshots on critical windows
  • Monitor anomalous patterns through server-side integrated antifraud systems
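
As an added example (not code from the article, from Threat Fabric, or from any wallet project), the following Kotlin sketch shows how a crypto app could apply the developer guidelines above on the one screen that reveals a seed phrase: it excludes the window from screenshots and screen recording, asks Android 12+ to hide other apps' overlays, and warns the user when an accessibility service outside an allowlist is enabled. The activity name, the layout resource and the allowlist contents are assumptions.

```kotlin
import android.accessibilityservice.AccessibilityServiceInfo
import android.content.Context
import android.os.Build
import android.os.Bundle
import android.view.WindowManager
import android.view.accessibility.AccessibilityManager
import android.widget.Toast
import androidx.appcompat.app.AppCompatActivity

// Hypothetical allowlist of accessibility services the app treats as legitimate
// (here only the platform screen reader); tune it for your own user base.
private val KNOWN_GOOD_SERVICES = setOf("com.google.android.marvin.talkback")

/** Returns package names of enabled accessibility services not on the allowlist. */
fun unknownAccessibilityServices(context: Context): List<String> {
    val am = context.getSystemService(Context.ACCESSIBILITY_SERVICE) as AccessibilityManager
    return am.getEnabledAccessibilityServiceList(AccessibilityServiceInfo.FEEDBACK_ALL_MASK)
        .map { it.resolveInfo.serviceInfo.packageName }
        .filterNot { it in KNOWN_GOOD_SERVICES }
        .distinct()
}

// Hypothetical screen that reveals the wallet's seed phrase.
class SeedPhraseActivity : AppCompatActivity() {
    override fun onCreate(savedInstanceState: Bundle?) {
        super.onCreate(savedInstanceState)
        // FLAG_SECURE excludes this window from screenshots, screen recording and
        // the recents thumbnail, which blunts capture-based theft of the phrase.
        window.setFlags(WindowManager.LayoutParams.FLAG_SECURE,
                        WindowManager.LayoutParams.FLAG_SECURE)
        // Android 12+ (API 31): hide other apps' overlay windows while this one is
        // on top. Requires android.permission.HIDE_OVERLAY_WINDOWS in the manifest.
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.S) {
            window.setHideOverlayWindows(true)
        }
        setContentView(R.layout.activity_seed_phrase) // hypothetical layout
    }

    override fun onResume() {
        super.onResume()
        val unknown = unknownAccessibilityServices(this)
        if (unknown.isNotEmpty()) {
            // An unrecognised service can read the screen and inject input:
            // warn the user and keep the seed phrase hidden until it is reviewed.
            Toast.makeText(this, "Accessibility service active: ${unknown.joinToString()}",
                Toast.LENGTH_LONG).show()
            finish()
        }
    }
}
```

FLAG_SECURE and the overlay hiding only protect this window, so the same treatment belongs on every screen that shows keys or confirms transfers; the allowlist check is a signal to act on, not proof that the device is clean.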

Useful references:

  • Threat Fabric – Mobile Threat Report 2024
  • FBI warning on SpyAgent (October 2024)
  • Google documentation on Accessibility and Android 13+
  • CVE record – consult known vulnerabilities related to the apps in use

Conclusion

Crocodilus represents a new standard in mobile threat for Android, with high destructive potential in the world of crypto. Its mode of operation, which skillfully blends psychological deception techniques with dynamic interaction on the infected device, makes it particularly difficult to intercept.

A proactive approach in defenses – combined with greater awareness on the part of users – can make the difference between protecting one’s digital capital and an irreversible breach.
