New Android Malware 'Crocodilus' Can Secretly Hijack Your Phone and Steal All Your Crypto
Sophisticated malware poses major threat to Android crypto users

A new and dangerous Android malware called Crocodilus has been uncovered by cybersecurity firm ThreatFabric. This malware is designed to steal cryptocurrencies by hijacking Android devices and manipulating users into handing over their wallet seed phrases.
Disguised as legitimate-looking apps, Crocodilus uses deceptive screen overlays to prompt users to “back up” their wallet keys or risk losing access. Once users follow the prompt, the malware secretly logs the sensitive seed phrase using accessibility services. With this information, hackers can drain the entire wallet.
Even though it’s a new threat, Crocodilus has features typically seen in advanced banking malware. It performs overlay attacks, captures screen data like passwords, and can remotely access and control the infected phone. The malware also runs in the background, waiting for users to open banking or crypto apps before launching a fake interface over them. While the real app is muted and hidden, hackers operate behind the scenes to collect credentials and execute unauthorized transactions.
The infection often begins when users download third-party apps that bypass Android 13’s security checks. Once installed, Crocodilus requests access to the device’s accessibility services, which it needs in order to take full control.
ThreatFabric believes the malware originated in Turkey or Spain, based on the targeted regions and code language, and possibly comes from a hacker known as Sybra or another individual testing new tools.
This discovery raises serious concerns about growing threats in mobile cybersecurity. As Crocodilus evolves, its global reach and impact on crypto users could expand rapidly, making awareness and caution more important than ever.