March 31, 2025

New Crocodilus malware snaps up crypto wallets


A newly discovered Android malware, dubbed Crocodilus, is targeting cryptocurrency users by stealing their wallet seed phrases (aka wallet keys). The malware is disguised as a legitimate application and deceives victims into entering their seed phrases under the pretense of a security backup. It generates fake warnings urging users to input their recovery keys within a short timeframe to prevent supposed access loss. Once users comply, Crocodilus records and transmits this sensitive data to its operators, allowing them to take full control of the victim's cryptocurrency assets.

The malware is distributed via a custom dropper designed to bypass Android’s security measures, particularly those introduced in Android 13 and later versions. This dropper allows Crocodilus to install itself without requiring explicit user permissions, such as Accessibility Services, and evades Google Play Protect's built-in defenses. While it’s still unknown exactly how users are being tricked into downloading the dropper, researchers believe that it’s likely via malicious sites, fake promotions sent through social media or text messages, and third-party app stores.

Beyond stealing seed phrases, Crocodilus has additional capabilities, including remote control over the infected device, keylogging, data harvesting, and executing arbitrary commands, making it not only a financial threat but also a potential tool for broader cyber espionage.

So far, Crocodilus appears to hunt for victims only in Turkey and Spain; however, researchers are concerned that its hunting grounds could quickly expand to include other countries.

Source: Bleeping Computer

Analysis

Any malware with the capability of completely draining a victim’s cryptocurrency wallet is obviously a significant threat. Crocodilus’s additional capabilities, such as keylogging and code execution, make it particularly dangerous. Fortunately, Crocodilus attacks have so far been limited to Spain and Turkey, but with millions of Android users worldwide, this could rapidly change.

Crocodilus isn’t the first Android malware designed to steal cryptocurrency; several others have targeted digital wallets in the past. For example, Cerberus and Alien are both Android banking trojans that included crypto wallet theft as a secondary function, using overlay attacks to trick users into entering their credentials on fake login screens. Hydra and EventBot followed a similar pattern, focusing primarily on financial applications, but expanding their reach to crypto wallets. More recently, Hook and Ermac emerged with advanced keylogging and remote access features, allowing attackers to bypass security measures and drain wallets.

The emergence of Crocodilus reinforces just how lucrative targeting cryptocurrency users has become for cybercriminals. Unlike traditional bank accounts, crypto transactions are irreversible—once funds are stolen, there is no central authority to recover them. This makes cryptocurrency an attractive target for hackers, especially with the increasing adoption of digital wallets, billions of dollars in crypto assets circulating, and more people managing their own funds without institutional safeguards.

As malware like Crocodilus becomes more sophisticated, stronger security practices, better user awareness, and continued advancements in wallet protection technology must be adopted to counter this threat.

Mitigation

Field Effect’s Security Intelligence team constantly monitors the cyber threat landscape for threats related to malware and other potentially malicious tools. This research contributes to the timely deployment of signatures into Field Effect MDR to detect and mitigate these threats. Field Effect MDR users are automatically notified when threat-related activity is detected in their environment and are encouraged to review these Actions-Recommendation-Observations (AROs) as quickly as possible via the Field Effect portal.

Field Effect recommends that users only download apps from official stores like Google Play, avoid sideloading software from untrusted sources, and be skeptical of any app urging them to enter sensitive data under time pressure. Regular security updates and mobile antivirus solutions can also help mitigate the risk of infection.

There are several ways to secure a cryptocurrency account against threats like Crocodilus. While traditional multi-factor authentication (MFA) is useful for exchange accounts, it doesn’t protect seed phrases—which, once stolen, allow full wallet control. Instead, crypto users should focus on these security measures:

  1. Use a Hardware Wallet – Hardware wallets (like Ledger or Trezor) store private keys offline, making them immune to malware on an infected device. Even if a hacker steals a seed phrase, hardware wallets often require physical confirmation for transactions.
  2. Enable a Passphrase (Hidden Wallet) – Some hardware and software wallets allow users to add a passphrase on top of their seed phrase. This acts as a "hidden" wallet that is only accessible with the extra passphrase, protecting against seed phrase theft.
  3. Never Store Seed Phrases Digitally – Keeping a seed phrase in a phone’s notes app, cloud storage, or screenshots increases the risk of malware theft. It’s best to write it down on paper or use a metal backup.
  4. Use a Multi-Signature Wallet – Multi-signature (multi-sig) wallets require multiple approvals to complete a transaction. Even if attackers get hold of one key, they won’t be able to move funds without the other required signatures.
  5. Verify Apps and Updates – Always download wallet apps from official sources and double-check update permissions. Avoid sideloading apps or clicking on links that prompt you to "restore" a wallet.
  6. Limit Device Access – If possible, use a dedicated phone or offline device for crypto transactions. This reduces exposure to malware infections from everyday app usage.
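Points 2 and 3 above rest on how BIP39 wallets turn a seed phrase into key material: the twelve or twenty-four words are fed through PBKDF2-HMAC-SHA512 with the salt "mnemonic" plus the optional passphrase, so every distinct passphrase yields an entirely different seed and therefore a different ("hidden") wallet. The script below is an added illustration, not code from the article or from any wallet vendor; it uses the well-known all-"abandon" test mnemonic as constructed input, and the `wallet_tag` helper is an illustrative short digest of the BIP32 master key and chain code (assumed here for comparison only, not a standard BIP32 fingerprint). It shows that the words a keylogger captures are only half of the secret once a passphrase is in use.

```python
import hashlib
import hmac
import unicodedata

PBKDF2_ROUNDS = 2048  # fixed by the BIP39 specification
SEED_LEN = 64         # 512-bit seed

# Constructed input: the canonical BIP39 test mnemonic, NOT a real wallet.
TEST_MNEMONIC = ("abandon abandon abandon abandon abandon abandon "
                 "abandon abandon abandon abandon abandon about")


def bip39_seed(mnemonic: str, passphrase: str = "") -> bytes:
    """Derive the BIP39 seed from a mnemonic and optional passphrase.

    seed = PBKDF2-HMAC-SHA512(password = NFKD(mnemonic),
                              salt     = "mnemonic" + NFKD(passphrase),
                              rounds   = 2048, dkLen = 64)
    Extra whitespace between words is collapsed before normalisation.
    """
    words = " ".join(mnemonic.split())
    password = unicodedata.normalize("NFKD", words).encode("utf-8")
    salt = ("mnemonic" + unicodedata.normalize("NFKD", passphrase)).encode("utf-8")
    return hashlib.pbkdf2_hmac("sha512", password, salt, PBKDF2_ROUNDS, SEED_LEN)


def wallet_tag(seed: bytes) -> str:
    """Illustrative tag for the wallet a seed opens (assumption: a short
    SHA-256 digest of the BIP32 master key || chain code).

    BIP32 derives the root as HMAC-SHA512(key=b"Bitcoin seed", msg=seed):
    left 32 bytes = master private key, right 32 bytes = chain code.
    """
    root = hmac.new(b"Bitcoin seed", seed, hashlib.sha512).digest()
    master_priv, chain_code = root[:32], root[32:]
    return hashlib.sha256(master_priv + chain_code).hexdigest()[:8]


def hidden_wallet_demo(mnemonic: str, passphrase: str) -> dict:
    """Compare the wallet reachable from the words alone (what a seed-phrase
    thief obtains) with the hidden wallet that also needs the passphrase."""
    decoy_seed = bip39_seed(mnemonic)               # words only
    hidden_seed = bip39_seed(mnemonic, passphrase)  # words + passphrase
    return {
        "decoy_tag": wallet_tag(decoy_seed),
        "hidden_tag": wallet_tag(hidden_seed),
        "seeds_differ": decoy_seed != hidden_seed,
        # Any guess at the passphrase, even a near miss, opens a third wallet.
        "near_miss_differs": wallet_tag(bip39_seed(mnemonic, passphrase + "!"))
                             != wallet_tag(hidden_seed),
    }


if __name__ == "__main__":
    result = hidden_wallet_demo(TEST_MNEMONIC, "example-passphrase")
    print("words-only wallet :", result["decoy_tag"])
    print("hidden wallet     :", result["hidden_tag"])
    print("different wallets :", result["seeds_differ"])
```

Because the passphrase is mixed into the PBKDF2 salt rather than stored anywhere, a wallet app that asks for "the seed phrase" cannot reconstruct the hidden wallet from the words alone; the same property means a forgotten passphrase is unrecoverable, so it needs the same offline backup discipline as the words themselves.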

Since Crocodilus tricks users into willingly entering their seed phrases, the most effective defense is never entering a seed phrase unless manually recovering a wallet on a trusted device. If an app or website asks for it unexpectedly, it’s almost certainly a scam.