# New malware targets Android users to steal electronic information and wallets

## **Overview**

Recently, a new malware called **Crocodilus** was discovered, targeting Android users to steal login credentials and cryptocurrency wallet keys. This software uses advanced techniques like remote device control, black screen overlay, and data collection through Android's Accessibility Service. Initial campaigns show targets mainly in Spain and Turkey, along with several cryptocurrency wallets.

One of Crocodilus's phishing tactics is displaying a fake notification asking users to back up their wallet keys within 12 hours to avoid losing access. When users follow the instructions and display the seed phrase, the malware records this information and sends it to the attacker's server, allowing them full control over the victim's cryptocurrency wallet.

![Bogus message served to cryptocurrency holders](https://www.bleepstatic.com/images/news/u/1220909/2025/March/crypto.jpg align="center")

## **Scope of Impact**

The Crocodilus malware targets devices running the Android operating system, including Android 13 and newer versions.

## **Campaign Details**

Although this malware is new, it includes all the necessary features of modern banking malware: overlay attacks, keylogging, remote access, and remote control capabilities.

The initial installation is done through a method that bypasses the exclusive Android 13+ restrictions. Once installed, Crocodilus requests access to the Accessibility Service. When granted, this malware can:

* **Monitor user activity**
    
* **Collect sensitive data**
    
* **Perform actions without user consent**
    

![Slide2-2](https://www.threatfabric.com/hubfs/Slide2-2.jpeg align="center")

Once granted, the malware connects to the command and control (C2) server to receive instructions, including a list of applications to be used. It runs continuously, monitoring app launches and displaying overlays to block login information.

![Slide3-2](https://www.threatfabric.com/hubfs/Slide3-2.jpeg align="center")

Once inside the system, **Crocodilus** will perform an **Overlay Attack**.

* Crocodilus creates fake overlays on legitimate apps, such as cryptocurrency wallet apps. When users enter their login information, the malware collects and sends this data to the attacker's server.
    
* After stealing the wallet PIN through the overlay, **Crocodilus** displays a fake alert asking users to back up their seed phrase within 12 hours to avoid losing access. When users follow the instructions and display the seed phrase, the malware records this information using screen monitoring tools and sends it to the attacker.
    

In addition, **Crocodilus** can remotely control the device, allowing the attacker to perform actions such as:

* **Conduct unauthorized transactions**
    
* **Access and steal other sensitive data**
    
* **Hide activity by displaying a black screen and muting the device**
    

According to analysts, the bot component of the malware supports a set of 23 commands that it can execute on the device, including:

* Enable call forwarding
    
* Launch a specific app
    
* Post push notifications
    
* Send SMS to all contacts or a specified number
    
* Receive SMS messages
    
* Request device administrator privileges
    
* Enable black overlay
    
* Turn sound on/off
    
* Lock the screen
    
* Set itself as the default SMS app
    

In **Crocodilus**, attackers have used malicious code related to **Accessibility Services** on Android for various harmful purposes:

* Interact with Android permissions
    
* Control the device remotely
    
* Abuse system access rights
    
* Target the Chrome browser
    
* Encrypt data or download external malware
    
* Block or disable alerts
    

![device_tag](https://www.threatfabric.com/hubfs/device_tag.png align="center")

![debug_mesages](https://www.threatfabric.com/hubfs/debug_mesages.png align="center")

## **Recommendations**

**Only download apps from trusted sources**

* **Do not install APKs from outside** or from unknown sources.
    
* **Check reviews** and download numbers before installing apps from the Google Play Store.
    

**Check app permissions**

* If an app requests **Accessibility Services**, **Device Administrator**, or **SMS Permissions** without a clear reason → **DO NOT GRANT PERMISSION!**
    
* You can check access permissions by going to:  
    **Settings &gt; Apps &gt; \[App Name\] &gt; Permissions**
    

**Enable Google Play Protect**

* Google Play Protect helps scan for harmful apps on your device.
    
* Enable it by going to **Google Play Store &gt; Profile &gt; Play Protect &gt; Enable app scanning**.
    

**Use security software**

* Install security software like **Malwarebytes, Bitdefender, Kaspersky, or Norton** to protect your device.
    

**Keep Android and apps updated**

* Update your **operating system** and **apps** to receive the latest security patches.
    

## **Conclusion**

Crocodilus is a dangerous malware capable of **stealing financial data and controlling devices remotely**. Android users need to **be cautious when installing apps**, **enable security features**, and **regularly check their devices** to avoid attacks. If signs of malware infection are detected, take immediate action to protect your accounts and personal data.

## **IOC**

**Hash:**

* c5e3edafdfda1ca0f0554802bbe32a8b09e8cc48161ed275b8fec6d74208171f
    

**C2:**

* register-buzzy\[.\]store
    

## **Reference**

1. [Exposing Crocodilus: New Device Takeover Malware Targeting Android Devices](https://www.threatfabric.com/blogs/exposing-crocodilus-new-device-takeover-malware-targeting-android-devices?utm_source=chatgpt.com)
    
2. [New Crocodilus malware steals Android users’ crypto wallet keys](https://www.bleepingcomputer.com/news/security/new-crocodilus-malware-steals-android-users-crypto-wallet-keys/)
