Android malware Crocodilus drains mobile crypto wallets

UK-based DEX aggregator 1inch has warned that an Android banking Trojan known as “Crocodilus” is now actively targeting crypto users, using accessibility abuse, screen overlays and remote control to steal wallet seed phrases and drain funds from popular apps.
The malware, first profiled by mobile threat researchers earlier in 2025, has evolved into a full device-takeover tool: once a victim installs a fake or trojanized app and grants Accessibility Services, Crocodilus can watch everything on the screen, log text changes, draw fake wallet backup windows and even cover the display with a black screen while it performs transactions in the background. This makes it relevant not only for banks but also for DeFi users who keep hot wallets on Android.
Crocodilus works like a modern Android banking Trojan. After installation via a dropper that bypasses newer Android restrictions, it immediately requests accessibility permissions. If the user accepts, the malware connects back to a command-and-control server and downloads a list of target apps — these include mobile banking, exchange apps, and crypto wallets. From that moment, it can detect when the user opens a wallet and place a perfectly timed overlay on top, asking the victim to “re-enter” or “back up” their seed phrase within a short time window. Because the text on the screen is captured by the accessibility logger, the phrase is sent straight to the operator.
This Trojan does more than steal phrases. It can keylog via accessibility events, harvest contact and SMS data, receive real-time instructions from the operator, and switch the phone into a “hidden” mode, where it mutes alerts and shows a black screen so the user does not see outgoing actions. That combination — device takeover plus overlay attacks — is what researchers called “mature functionality” for a malware family that only appeared in March 2025 and was first seen in campaigns in Spain and Turkey before spreading to South America and parts of Asia.
If the malware captures a seed phrase or private key from a mobile wallet, the attacker can import it on a clean device and transfer every asset from that wallet. If it captures exchange credentials or 2FA codes, it can log into those accounts and withdraw. If it maintains an active remote-control session on the phone, it can confirm in-app swaps or sign transactions while the user thinks the device is frozen. And because Crocodilus is able to mute notification sounds, the first indication for the victim may be the on-chain outflow itself. Recent security notes put the damage from a single wave of infections at over $2.8 million in stolen crypto in a matter of weeks.
Researchers also stressed that Crocodilus does not rely on one delivery method. Some samples arrived through fake updates and cloned financial apps; others were pushed through phishing sites that pretended to be crypto services and suggested installing an “Android client” to speed up transactions. In every case the monetization was the same: get accessibility, watch the screen, wait for a wallet to open, and exfiltrate the secret. Because the Trojan is modular and pulls its overlays from the C2, operators can add new wallet brands or DeFi apps without shipping a new APK. That makes takedowns harder and gives the group a way to go after whatever wallet is popular at the moment.
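Every step of the chain described above depends on the victim granting Accessibility Services, so one defender-side check is to list which services currently hold that permission on a device and flag any that are not expected. The script below is an added example, not code from the article or from 1inch; it assumes adb access to the device, uses a constructed sample value when adb is not available, and the allowlist is a placeholder to be replaced with the device's legitimate accessibility tools.

```shell
#!/bin/sh
# Added example: flag enabled Android accessibility services that are not on
# an allowlist. On a real device the enabled list comes from
#   adb shell settings get secure enabled_accessibility_services
# which returns "null" or entries of the form package/ServiceClass joined by ':'.

# Placeholder allowlist (constructed): only the stock TalkBack screen reader.
ALLOWLIST="com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService"

# Constructed sample: TalkBack plus an unknown service from a sideloaded app.
SAMPLE_SERVICES="com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:com.example.fakeupdate/.a11y.OverlayService"

# Print each enabled service that is not in the allowlist, one per line.
# $1: colon-separated enabled services, $2: colon-separated allowlist.
flag_unexpected_services() {
    printf '%s\n' "$1" | tr ':' '\n' | while IFS= read -r svc; do
        [ -z "$svc" ] && continue
        case ":$2:" in
            *":$svc:"*) ;;                 # allowlisted, skip
            *) printf '%s\n' "$svc" ;;      # unexpected, report
        esac
    done
}

# Return the live value from a connected device when adb exists, else the sample.
# A "null" setting (no service enabled) is normalised to an empty string.
enabled_services() {
    if command -v adb >/dev/null 2>&1; then
        v=$(adb shell settings get secure enabled_accessibility_services | tr -d '\r')
    else
        v="$SAMPLE_SERVICES"
    fi
    [ "$v" = "null" ] && v=""
    printf '%s\n' "$v"
}

# Stand-alone run: report unexpected services and exit non-zero if any exist.
if [ "${RUN_A11Y_CHECK:-1}" = "1" ]; then
    found=$(flag_unexpected_services "$(enabled_services)" "$ALLOWLIST")
    if [ -n "$found" ]; then
        echo "Unexpected accessibility services enabled:"
        printf '  %s\n' $found
    fi
fi
```

A service reported here is not proof of infection, only a prompt to check where the owning app came from and whether it also requests overlay permission, since an accessibility service that the user did not knowingly enable is the foothold the article describes.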
The material on GNcrypto is intended solely for informational use and must not be regarded as financial advice. We make every effort to keep the content accurate and current, but we cannot warrant its precision, completeness, or reliability. GNcrypto does not take responsibility for any mistakes, omissions, or financial losses resulting from reliance on this information. Any actions you take based on this content are done at your own risk. Always conduct independent research and seek guidance from a qualified specialist. For further details, please review our Terms, Privacy Policy, and Disclaimers.