On March 31, 2025, ThreatFabric – a company specializing in fraud prevention – discovered a new type of malware on Android called “Crocodilus,” which is silently stealing users' cryptocurrency wallets. With sophisticated techniques, from remote control to stealing seed phrases, Crocodilus has targeted users in Turkey and Spain. Will this threat spread and shake the crypto market?


Crocodilus: “The Predator” On Android

Crocodilus is a mobile banking trojan, first detected by ThreatFabric targeting users in Turkey and Spain. The malware's debug messages are written in Turkish, indicating a connection to cybercrime groups in the region. According to Aleksandar Eremin, head of mobile threat intelligence at ThreatFabric, Crocodilus “impersonates crypto-related applications and uses social engineering techniques to trick victims into revealing secrets in their cryptocurrency wallets.”


Crocodilus tricks users into providing their seed phrase – the key to accessing their crypto wallet – by displaying a fake message: “Back up your wallet key in settings within 12 hours. Otherwise, the app will be reset, and you may lose access to the wallet.” When users comply, the malware collects information via accessibility logging.


Sophisticated Techniques of the Malware

Crocodilus is distributed through a proprietary dropper capable of bypassing security measures on Android 13 and above without triggering Play Protect. Once installed, it requests Accessibility Service permissions, which allow it to deploy a black screen overlay and steal passwords without the user's knowledge.


The malware also functions as a remote access trojan (RAT), allowing the attacker to control the user interface, perform swipe gestures, take screenshots, and even capture two-factor authentication codes from Google Authenticator. All of this is done discreetly behind the black screen overlay, which prevents the phone owner from seeing the actions taking place.
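A defender-side check for the pattern described above, as an added example that is not from ThreatFabric or the original article: it parses the output of `adb shell settings get secure enabled_accessibility_services`, `adb shell pm list packages -i` and `adb shell pm list packages -s`, and flags enabled accessibility services that belong to non-system apps installed from outside Google Play. The sample outputs and all `com.example.*` package names are constructed, and treating only the Play Store as a trusted installer is an assumption.

```python
import re

TRUSTED_INSTALLERS = {"com.android.vending"}  # assumption: only Google Play is trusted

# Constructed sample outputs (not taken from a real device or from Crocodilus).
SAMPLE_SERVICES = ("com.google.android.marvin.talkback/.TalkBackService:"
                   "com.example.walletupdate/.HelperService:"
                   "com.example.passwordmgr/.AutofillService")
SAMPLE_INSTALLERS = """\
package:com.google.android.marvin.talkback  installer=null
package:com.example.walletupdate  installer=com.example.dropper
package:com.example.passwordmgr  installer=com.android.vending
package:com.example.dropper  installer=null
"""
SAMPLE_SYSTEM = "package:com.google.android.marvin.talkback\n"

def parse_enabled_services(raw):
    """Split 'pkg/cls:pkg/cls' into (package, class) pairs; 'null' means none."""
    raw = raw.strip()
    if not raw or raw == "null":
        return []
    pairs = (comp.partition("/") for comp in raw.split(":"))
    return [(pkg, cls) for pkg, _, cls in pairs if pkg]

def parse_installers(raw):
    """Map package -> installer package name, or None when no installer is recorded."""
    found = re.findall(r"^package:(\S+)\s+installer=(\S+)", raw, re.MULTILINE)
    return {pkg: (None if inst == "null" else inst) for pkg, inst in found}

def parse_system_packages(raw):
    """Set of preinstalled packages from `pm list packages -s`."""
    return set(re.findall(r"^package:(\S+)", raw, re.MULTILINE))

def flag_sideloaded_accessibility(services_raw, installers_raw, system_raw):
    """Return (package, service, installer) for enabled accessibility services
    whose app is neither preinstalled nor installed by a trusted store."""
    installers = parse_installers(installers_raw)
    system = parse_system_packages(system_raw)
    findings = []
    for pkg, cls in parse_enabled_services(services_raw):
        installer = installers.get(pkg)
        if pkg not in system and installer not in TRUSTED_INSTALLERS:
            findings.append((pkg, cls, installer))
    return findings

if __name__ == "__main__":
    for pkg, cls, installer in flag_sideloaded_accessibility(
            SAMPLE_SERVICES, SAMPLE_INSTALLERS, SAMPLE_SYSTEM):
        print(f"REVIEW {pkg}{'/' + cls if cls else ''} installer={installer}")
```

A flagged entry is a prompt for manual review rather than a verdict, since legitimate accessibility tools are sometimes installed from other stores.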


How It Spreads and Targeted Victims

Currently, Crocodilus has only been reported to attack users in Turkey and Spain. However, ThreatFabric warns that the spreading method – through malicious websites, social media, fake promotions, SMS messages, and third-party app stores – could cause the malware to spread beyond this region. Users are often tricked into downloading the dropper through unofficial sources, instead of the Google Play Store.


Impact on the Crypto Market


  • Bitcoin (~$88,000): The price is not significantly impacted, but wallet thefts could decrease individual investor confidence.


  • Android users: Security risks are heightened, especially in Turkey and Spain, where crypto adoption is rising (DeFi TVL ~$100 billion).


  • Dark market: Eremin notes that Crocodilus, despite being a “newcomer,” could become a competitor to malware-as-a-service in the dark market due to its rich toolkit.



Advice for Users

ThreatFabric recommends that Android users download applications only from the Google Play Store and avoid installing APKs from unknown sources. It is also important to scrutinize any message requesting a wallet backup to avoid being deceived. Additionally, users should use hardware wallets or cold storage to protect their seed phrases.


Conclusion: “Will the Crocodile Continue to Prey?”

Crocodilus is a serious warning for Android users about security risks in the crypto industry. With its sophisticated wallet-stealing capabilities and potential to spread, this malware could cause significant damage if left unchecked. Are Turkey and Spain just the beginning, or will this “crocodile” soon attack globally? Users need to be more vigilant than ever!


Risk warning: Crypto investment carries high risks due to price volatility and security threats like malware. Please consider carefully before participating.
