- Crocodilus abuses Android Accessibility Services to read recovery phrases, log keystrokes and initiate transfers after biometric unlock
- The malware first appeared in Turkey in March 2025 and rapidly expanded to Europe, South America, India and Indonesia by mid-2025
- Distribution occurs through malicious ads, fake wallet apps and counterfeit browser update pages offering rewards or bonuses
Crocodilus, an Android malware family first identified in March 2025, has evolved to target cryptocurrency wallets by exploiting system permissions to gain complete operational control over infected devices. The malware’s latest variants can steal recovery phrases, execute remote actions, and drain assets directly from mobile wallet applications.
The malware operates by abusing Android’s Accessibility Services and overlay permissions to read on-screen text, observe app interfaces, log keystrokes, and intercept one-time passwords from authentication tools, according to 1inch. Combined with its remote-access module, attackers can operate compromised phones as if physically holding them.
Remote Control Enables Asset Theft After Unlock
Once a wallet is unlocked through any method, including biometrics, Crocodilus can open applications, navigate interfaces, and initiate transfers without user input. Some variants display fake wallet backup prompts designed to closely mimic legitimate interfaces, tricking users into re-entering their recovery phrases. When a user enters a phrase on an infected device, the attackers receive the credentials instantly and gain permanent control over the assets.
The malware has developed sophisticated social engineering capabilities. Certain versions create fake support contacts that imitate wallet providers or exchanges. If a victim notices unusual activity and attempts to contact support, they may unknowingly reach the attacker, who then manipulates them into revealing additional sensitive information or approving malicious actions.
Rapid Global Expansion Since March Discovery
Crocodilus first appeared in Turkey during test campaigns in March 2025. Within weeks, operations expanded to Spain and Poland, and by mid-2025, the malware was active across parts of South America, India, Indonesia, and isolated regions in the United States, according to ThreatFabric.
The malware primarily spreads through malicious advertisements, including those on Facebook. In Poland, ads mimicking bank and e-commerce platforms were shown more than 1,000 times in one to two hours, targeting users over 35 years old. Additional distribution methods include fake wallet applications and counterfeit download pages posing as browser updates or cryptocurrency tools.
Security researchers recommend avoiding unknown APK files and reviewing which applications have Accessibility Service permissions enabled. Legitimate wallet applications, exchanges, and authenticators do not require full accessibility. Users should never re-enter recovery phrases on mobile devices unless performing a legitimate recovery, as unexpected prompts typically indicate fraud. If an infection is suspected, users should take the device offline immediately and move any remaining assets to a clean environment or a hardware wallet.
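As an added example, not from the article or from the researchers it cites, this POSIX shell script implements the permission review recommended above: it lists the packages that currently hold Accessibility Service access on an attached Android device (read via adb) and flags any that are not on an allowlist the reviewer maintains. The package names in the sample value are constructed placeholders.

```shell
#!/bin/sh
# Added example: audit which Android apps hold Accessibility Service access.
# Android keeps the enabled services in the Secure settings table as a
# colon-separated list of "package/ServiceClass" entries, e.g.
#   com.example.screenreader/com.example.screenreader.ReaderService:com.example.unknown/.AccService
# (placeholder names, constructed for this example). "null" means none enabled.

# Print the distinct package names found in such a value, one per line.
accessibility_packages() {
    value="$1"
    if [ -z "$value" ] || [ "$value" = "null" ]; then
        return 0
    fi
    printf '%s\n' "$value" | tr ':' '\n' | cut -d/ -f1 | grep -v '^$' | sort -u
}

# Print every package with accessibility access that is not allowlisted.
# $1: raw settings value; $2: space-separated list of trusted packages
# (typically only the platform screen reader; wallets, exchanges and
# authenticators have no need for this permission).
flag_unlisted_accessibility() {
    value="$1"
    allow=" $2 "
    accessibility_packages "$value" | while IFS= read -r pkg; do
        case "$allow" in
            *" $pkg "*) ;;             # trusted, skip
            *) printf '%s\n' "$pkg" ;; # unexpected holder: review or remove
        esac
    done
}

# Read the live value from an attached device and audit it.
# $1: space-separated allowlist of trusted packages.
audit_attached_device() {
    value=$(adb shell settings get secure enabled_accessibility_services | tr -d '\r')
    flag_unlisted_accessibility "$value" "$1"
}
```

Any package printed by audit_attached_device is a candidate for removal under Settings > Accessibility, followed by the offline and asset-migration steps described above.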