
What is Crocodilus malware?

Crocodilus is the latest in a string of Android crypto malware built to steal your cryptoassets.

Crocodilus is a sophisticated piece of malware that steals digital assets from Android devices. Named after crocodile references scattered throughout its code, Crocodilus targets Android 13 devices or later. The Android wallet malware utilizes overlays, remote access and social engineering to take over your device and drain your crypto wallet. 

Crocodilus malware disclosed by ThreatFabric

Fraud prevention firm ThreatFabric discovered Crocodilus malware in March 2025 and published detailed research on the new threat. As of April 2025, users in Spain and Turkey are the primary targets. ThreatFabric predicts Crocodilus will expand globally in the coming months.

How Crocodilus infects Android devices

Crocodilus’ primary method of infection is still unknown, but it likely follows a path similar to other malware.

What sets Crocodilus apart from typical crypto wallet malware is how deeply it integrates with your device. It does more than just trick you via social engineering. It takes complete control of your Android.

While the leading cause of infection is unknown, malware like this often appears in a few ways:

  • Fake apps: Crocodilus may disguise itself as a legitimate cryptocurrency-related app on the Google Play Store or on third-party app-hosting sites. ThreatFabric says the malware can bypass the Google Play Store’s safety scanners.
  • SMS promotions: SMS scams are increasingly common. If you receive an unexpected text with a suspicious link, don’t tap it. It may redirect you to a page that downloads malware.
  • Malicious advertising: Malicious ads run rampant on adult or software piracy websites. Each ad is strategically placed to make you tap it by accident, and a single tap can be enough to download malware.
  • Phishing attempts: Some malware campaigns send phishing emails that impersonate cryptocurrency exchanges. Double-check the sender’s email address to verify its legitimacy.

Once Crocodilus infects your device, the malware requests accessibility service permissions. Granting them lets Crocodilus connect to its command-and-control (C2) server, from which the attackers can display screen overlays, log keystrokes or activate remote access to control your device.

The malware needs accessibility permissions to display overlays
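Because the accessibility service permission is the capability the article says Crocodilus depends on, a practical defensive check is to audit which packages on a device currently hold it. The script below is an added example, not code from the article or from ThreatFabric: on a real device the value would come from `adb shell settings get secure enabled_accessibility_services`; here a constructed sample string stands in for that output, and the package names and allowlist are hypothetical.

```shell
#!/bin/sh
# Audit Android's enabled accessibility services against an allowlist.
# Added example; the sample value and package names are constructed.

# Constructed stand-in for: adb shell settings get secure enabled_accessibility_services
# Format: package/ServiceClass entries separated by ':' (class may be abbreviated ".Svc").
SAMPLE_SERVICES='com.example.screenreader/.ReaderService:com.cryptowallet.update/com.cryptowallet.update.AccessSvc'

# Hypothetical allowlist of packages expected to hold the permission (space separated).
ALLOWED_PKGS='com.example.screenreader'

# list_services VALUE -> one package name per line.
# "null" is what `settings get` prints when nothing is enabled; treat it as empty.
list_services() {
    [ "$1" = "null" ] && return 0
    printf '%s\n' "$1" | tr ':' '\n' | cut -d'/' -f1 | sed '/^$/d'
}

# is_allowed PKG ALLOWLIST -> exit status 0 if PKG is in the allowlist.
is_allowed() {
    for a in $2; do
        [ "$a" = "$1" ] && return 0
    done
    return 1
}

# unexpected_pkgs VALUE ALLOWLIST -> prints packages holding the permission
# that are NOT allowlisted; these are the ones to investigate or uninstall.
unexpected_pkgs() {
    for pkg in $(list_services "$1"); do
        is_allowed "$pkg" "$2" || printf '%s\n' "$pkg"
    done
}

# audit_services VALUE ALLOWLIST -> human-readable report; returns 1 if anything is unexpected.
audit_services() {
    found=0
    for pkg in $(list_services "$1"); do
        if is_allowed "$pkg" "$2"; then
            printf 'ok         %s\n' "$pkg"
        else
            printf 'UNEXPECTED %s\n' "$pkg"
            found=1
        fi
    done
    return $found
}

audit_services "$SAMPLE_SERVICES" "$ALLOWED_PKGS"
```

To run it against a live device, replace `SAMPLE_SERVICES` with the output of the `adb shell settings get secure` command named above.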

The malware’s main identifying trait, however, is its wallet backup trick. When you log into your cryptocurrency wallet app using a password or PIN, Crocodilus displays a fake overlay. It reads:

“Back up your wallet key in the settings within 12 hours. Otherwise, the app will be reset, and you may lose access to your wallet.” 

If you click “continue,” Crocodilus prompts you to type in your seed phrase. The malware tracks your inputs via its keylogger. Then, the attackers have everything they need to steal your assets.

Crocodilus’ fake overlay imitates legitimate wallet software. Its “continue” button is easy to press without thinking, but know that a recognizable wallet app would never urge you to back up your wallet in this way. If you see this overlay, uninstall the app and consider a clean install of your device.

Crocodilus threatens users with a time limit, attempting to scare them into clicking

Unfortunately, keylogging is just the start. Crocodilus circumvents two-factor authentication (2FA) via its screen recorder, capturing verification codes from apps like Google Authenticator and sending them to its C2 server.

Worst of all, Crocodilus displays a black overlay and mutes your device’s audio to cover up its activities. It pretends your phone is locked while silently stealing your assets in the background. 

The malware supports 45 commands in total, including:

  • SMS takeover: Crocodilus can retrieve your text messages, text your contacts list, and even make itself your default SMS app.
  • Remote access: The malware takes complete control of your device, allowing it to open apps, activate your camera or start your screen recorder.
  • Modify text: Beyond tricking you into entering your wallet information, Crocodilus can alter or inject text on your behalf, helping the operators access your private apps using data it finds on your device.

Did you know? Stealthy malware threats to crypto wallets are common. Zero-click attacks — malware that infects your device without any input from you — are another form of crypto malware in 2025.

What if you’ve fallen victim to a Crocodilus attack?

A Crocodilus infection requires immediate action.

If you’ve fallen victim to the Android Trojan Crocodilus, immediately follow these crypto wallet protection tips:

  • Isolate your device: Disconnect your device from Wi-Fi or data and turn it off. Remove the battery if possible.
  • Recover your assets: You should have your wallet’s seed phrase stored in a safe, physical location. Use it to recover your wallet to an uncompromised device.
  • Get rid of…

cointelegraph.com
