Crocodilus: The Android Malware Stealing Crypto Using Fake Overlays
A new Android malware, dubbed "Crocodilus," is making waves in the cybersecurity world. Threat Fabric, a leading cybersecurity firm, has uncovered this sophisticated threat that uses deceptive overlays to trick users into revealing their cryptocurrency seed phrases. This grants the attackers complete control over the victim's device and their digital assets.
Crocodilus employs a cunning social engineering tactic. It displays a fake warning overlay within targeted apps, falsely claiming that users must back up their crypto wallet keys within a specific timeframe or risk losing access. This prompts users to navigate to their seed phrase, which the malware then harvests through its accessibility logger.
Once the seed phrase is obtained, the attackers have complete access to the victim’s cryptocurrency wallet, allowing them to drain the funds. Threat Fabric’s report highlights the malware’s advanced features, including overlay attacks, sophisticated data harvesting through screen capture, and remote access capabilities that provide full control of the infected device.
Source: Threat Fabric
The initial infection vector is the user inadvertently installing the malware inside seemingly legitimate software, which circumvents even Android 13's security measures. Upon installation, Crocodilus requests accessibility services, granting the attackers extensive access. This allows the malware to connect to a command-and-control (C2) server, receiving instructions and deploying overlays for various apps.
Once installed, Crocodilus requests that the accessibility service be enabled, granting the attackers access to the device. Source: Threat Fabric
Crocodilus continuously monitors app launches, deploying fake overlays when targeted banking or cryptocurrency apps are opened. These overlays can also mute the device's audio while the attackers take control. The stolen personal information and credentials give the attackers complete control of the device, enabling fraudulent transactions to be carried out undetected.
While initially targeting users in Turkey and Spain, Threat Fabric anticipates a broader global impact. The malware’s sophistication and advanced features represent a significant escalation in the threat landscape, highlighting the need for heightened vigilance and robust mobile security practices.