Get 125% / $2,500 on 1st deposit!
New players only. Exclusive Welcome Bonus of up to $2,500
A new Android malware called “Crocodilus” is now targeting both mobile banking apps and cryptocurrency wallets, according to fraud prevention company ThreatFabric.
Crocodilus operates as a trojan that uses a mix of remote access tools, deceptive overlays, and advanced logging to steal user credentials and sensitive financial information. The malware begins its attack by using dropper apps that are built to get around Android security measures. Once installed, it prompts users to enable Accessibility Services — a feature that opens the door to extensive system control.
After gaining access, Crocodilus launches fake screen overlays that mimic real apps. These overlays sit on top of legitimate banking or crypto wallet interfaces and are designed to trick users into entering passwords and PINs.
ThreatFabric reports that the malware has so far been seen targeting users in Spain and Turkey, along with crypto wallet applications. However, it warns the threat could soon reach users in other countries. “Initial campaigns observed by our Mobile Threat Intelligence team show targets primarily in Spain and Turkey, along with several cryptocurrency wallets. We expect this scope to broaden globally as the malware evolves.”
Crocodilus also features a tool that works like a keylogger but goes further. Rather than only recording keystrokes, it tracks everything shown on the screen through Android’s Accessibility events. This includes capturing any text changes, allowing it to collect passwords, wallet recovery phrases, and more.
In one example, when users enter credentials into a fake crypto wallet interface, the malware displays a warning:
Back up your wallet key in the settings within 12 hours. Otherwise, the app will be reset, and you may lose access to your wallet.
This tactic tricks users into revealing their seed phrases, which are then logged and sent to the attacker.
With more crypto wallets and banking apps running on mobile devices, threats like Crocodilus highlight the growing risks users face. Cybercriminals are turning to advanced techniques that exploit Android’s accessibility features to bypass traditional security layers.
Security experts advise Android users to only download apps from trusted sources, keep their devices updated, and be cautious about enabling Accessibility permissions unless absolutely necessary.