Crocodilus malware: how it targets Android devices and steals crypto assets
Crocodilus, one of the most advanced Android malware families discovered in 2025, has now begun targeting crypto wallets.
Crocodilus aims for full operational control over infected devices. Its latest variants are optimized to steal recovery phrases, perform remote actions and drain assets directly from mobile wallet apps.
By abusing Android’s Accessibility Services and overlay permissions, Crocodilus can read on-screen text, observe app interfaces, log keystrokes and intercept one-time passwords from authentication tools. Combined with its remote-access module, this allows attackers to operate the phone almost as if they were physically holding it.
For crypto users, this poses a particularly dangerous threat. Once a wallet is unlocked - even through biometrics - the malware can open apps, navigate interfaces and initiate transfers. Some variants also display fake wallet backup prompts that closely mimic legitimate interfaces, tricking users into “reconfirming” their recovery phrases. When a recovery phrase is entered on an infected device, attackers receive it instantly, gaining permanent control over the assets.
Crocodilus has evolved in its social-engineering tactics as well. Certain versions create fake support contacts that imitate wallet providers or exchanges. If a victim notices unusual activity and attempts to contact support, they may unknowingly reach the attacker, who then manipulates them into revealing additional sensitive information or approving malicious actions.
Because crypto transactions are irreversible and access depends entirely on private keys, Crocodilus treats digital assets as a high-value target. Even a single compromised interaction can result in the complete loss of funds.
How Crocodilus typically compromises crypto wallets
Although behaviour varies by variant, researchers repeatedly observe several common techniques that directly threaten mobile wallet users:
- Malicious overlays that mimic wallet pop-ups, backup screens or password prompts.
- Abuse of Android Accessibility Services to read on-screen recovery phrases, interact with UI elements and trigger taps.
- Remote control capabilities that allow attackers to operate the device in real time, often using screen overlays or temporary screen locks to hide activity.
- Fake system warnings urging users to re-enter their recovery phrase for “security reasons.”
- Spoofed support contacts added to the address book, enabling vishing and social-engineering flows.
This combination of technical and social techniques makes Crocodilus particularly effective at stealing credentials and draining mobile wallets.
How crypto users can stay protected
Preventing infection is the most effective defense. Crocodilus mainly spreads through malicious ads, fake wallet apps and counterfeit download pages posing as browser updates or crypto tools. Avoiding unknown APKs and ignoring “reward” or “bonus for installation” offers greatly reduces the risk.
For everyday wallet use, regularly review which apps have Accessibility Service permissions. Genuine wallets, exchanges and authenticators do not require full accessibility access. If an unfamiliar app has this permission, remove it immediately.
Recovery phrases should never be re-entered on a mobile device unless performing a legitimate recovery – unexpected recovery-phrase prompts are a strong sign of fraud.
If an infection is suspected, take the device offline, revoke accessibility permissions and delete suspicious apps in Safe Mode. Then move remaining assets from a clean environment or hardware wallet as quickly as possible.
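A defender-side check for the permission review described above, written here as an added example and not code from the 1inch post: a POSIX shell script that parses Android's enabled_accessibility_services setting against an allowlist of accessibility apps you deliberately enabled, and, when adb is available, runs the check against a connected device and lists sideloaded third-party packages. The allowlist file path is an assumption; adb and USB debugging are required only for the live part.

```shell
#!/bin/sh
# Added example, not code from the 1inch post: audit which apps hold
# Android Accessibility Service access (the permission Crocodilus abuses)
# and which third-party apps were sideloaded rather than store-installed.
# Live checks need adb and a device with USB debugging; the parsing
# functions are pure and can be exercised on constructed input.

# Turn the Secure setting 'enabled_accessibility_services' (colon-separated
# "package/service" entries, or "null" when none) into one package per line.
parse_a11y_packages() {
  if [ -z "$1" ] || [ "$1" = "null" ]; then
    return 0
  fi
  printf '%s\n' "$1" | tr ':' '\n' | cut -d/ -f1 | sort -u
}

# Report packages with accessibility access that are not in the allowlist
# file $2 (one package name per line). Returns 1 if anything unexpected.
unexpected_a11y() {
  raw="$1"; allow="$2"; found=0
  for pkg in $(parse_a11y_packages "$raw"); do
    if ! grep -qxF "$pkg" "$allow"; then
      echo "UNEXPECTED accessibility service holder: $pkg"
      found=1
    fi
  done
  return $found
}

# Run the check on a connected device. The default allowlist path is an
# assumed location; put the accessibility apps you trust (e.g. TalkBack) there.
live_check() {
  allow="${1:-$HOME/.android_a11y_allowlist}"
  if ! command -v adb >/dev/null 2>&1; then
    echo "adb not found; skipping live checks"; return 0
  fi
  raw=$(adb shell settings get secure enabled_accessibility_services | tr -d '\r')
  unexpected_a11y "$raw" "$allow"
  # Third-party packages whose installer is not Google Play: candidates for
  # the fake wallet or "browser update" APKs the post describes.
  echo "Sideloaded third-party packages (installer not Google Play):"
  adb shell pm list packages -3 -i | tr -d '\r' \
    | grep -v 'installer=com.android.vending' || true
}
```

Any package flagged as an unexpected accessibility holder, or a sideloaded package you do not recognise, is what the post tells you to remove immediately.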
Where it came from
Crocodilus first appeared in March 2025 during small test campaigns in Turkey. Within weeks, it expanded to Spain and Poland, and by mid-2025 the malware was active across parts of South America, India, Indonesia and isolated U.S. regions. During this rapid growth, it added features such as fake contacts, native code payloads, extended remote-access capabilities and more sophisticated social-engineering tools.
Researchers note that Crocodilus is developing faster than many earlier Android banking Trojans, reflecting a shift from credential theft toward full device manipulation and crypto-asset targeting.
Crocodilus highlights a broader trend: mobile malware is becoming more capable, more deceptive and increasingly focused on crypto users. Good security habits - installing apps only from trusted sources, reviewing permissions, avoiding unsolicited recovery-phrase prompts and using hardware wallets for larger balances - remain the most effective way to keep digital assets safe.
Stay tuned for more insights from 1inch as we explore the latest trends in DeFi!