Cointelegraph Bitcoin & Ethereum Blockchain News

By Harish | April 22, 2025


What is Crocodilus malware?

Crocodilus is the latest in a string of Android crypto malware built to steal your cryptoassets.

Crocodilus is a sophisticated piece of malware that steals digital assets from Android devices. Named after crocodile references scattered throughout its code, Crocodilus targets Android 13 devices or later. The Android wallet malware utilizes overlays, remote access and social engineering to take over your device and drain your crypto wallet. 

Crocodilus Malware disclosed by ThreatFabric

Fraud prevention firm ThreatFabric discovered Crocodilus malware in March 2025 and published detailed research on the new virus. As of April 2025, users in Spain and Turkey are the primary targets. ThreatFabric predicts Crocodilus will expand globally in the coming months.

How Crocodilus infects Android devices

Crocodilus’ primary method of infection is still unknown, but it likely follows a path similar to other malware.

What sets Crocodilus apart from typical crypto wallet malware is how deeply it integrates with your device. It does more than just trick you via social engineering. It takes complete control of your Android.

While the leading cause of infection is unknown, malware like this often appears in a few ways:

  • Fake apps: Crocodilus may disguise itself as a legitimate cryptocurrency-related app on the Google Play Store or on third-party app-hosting sites. ThreatFabric says the malware can bypass the Google Play Store’s safety scanners.
  • SMS promotions: SMS scams are increasingly common. If you receive a random text with a suspicious link, don’t click on it. It may redirect you to a page that downloads malware.
  • Malicious advertising: Infected ads run rampant on adult or software piracy websites. Each ad is strategically placed to make you accidentally tap, and it only takes one tap to download malware.
  • Phishing attempts: Some malware campaigns send malicious phishing emails that impersonate cryptocurrency exchanges. Double-check the sender’s e-mail address to verify its legitimacy.

Once Crocodilus infects your device, the malware will request accessibility service permissions. Accepting these permissions connects Crocodilus to its command-and-control (C2) server, where attackers can display screen overlays, track keystrokes or activate remote access to control your device.

The malware needs accessibility permissions to display overlays

However, the malware’s main identifying trait is its wallet backup trick. If you log into your cryptocurrency wallet app using a password or PIN, Crocodilus displays a fake overlay. It reads: 

“Back up your wallet key in the settings within 12 hours. Otherwise, the app will be reset, and you may lose access to your wallet.” 

If you click “continue,” Crocodilus prompts you to type in your seed phrase. The malware tracks your inputs via its keylogger. Then, the attackers have everything they need to steal your assets.

Crocodilus’ fake overlay imitates legitimate wallet software. Its “continue” button is easy to press without thinking, but know that a recognizable wallet app would never urge you to back up your wallet in this way. If you see this overlay, uninstall the app and consider a clean install of your device.

Crocodilus threatens users with a time limit, attempting to scare them into clicking

Unfortunately, keylogging is just the start. Crocodilus circumvents two-factor authentication (2FA) processes via its screen recorder, capturing verification codes from apps like Google Authenticator and sending them to C2.  

Worst of all, Crocodilus displays a black overlay and mutes your device’s audio to cover up its activities. It pretends your phone is locked while silently stealing your assets in the background. 

The malware can conduct 45 commands in total, including:

  • SMS takeover: Crocodilus can retrieve your text messages, text your contacts list, and even make itself your default SMS app.
  • Remote access: The malware takes complete control of your device, allowing it to open apps, activate your camera or start your screen recorder.
  • Modify text: While Crocodilus tricks you into inputting your wallet information, it can alter or generate text to help C2 access your private apps using data it finds on your device.

Did you know? Stealthy malware threats to crypto wallets are common. Zero-click attacks — malware that infects your device without any input from you — are another form of crypto malware in 2025.

What if you’ve fallen victim to a Crocodilus attack?

Falling victim to Crocodilus requires immediate action.

If you’ve fallen victim to the Android Trojan Crocodilus, immediately follow these crypto wallet protection tips:

  • Isolate your device: Disconnect your device from Wi-Fi or data and turn it off. Remove the battery if possible.
  • Recover your assets: You should have your wallet’s seed phrase stored in a safe, physical location. Use it to recover your wallet to an uncompromised device.
  • Get rid of your infected device: Unfortunately, using your infected device is a massive risk. Factory resetting it might not get rid of the malware. Moving to another device is your safest option.
  • Report the threat: If you downloaded a malicious app, such as one from the Google Play Store, report it to the relevant parties.

Did you know? If you lose your cryptoassets, there’s no getting them back. Some may consider this one of the downsides to decentralization — a lack of a central authority to monitor and insure theft.

How to check for a Crocodilus attack

Regular checks go a long way toward protecting your cryptocurrencies. Learn how to detect crypto malware.

While Crocodilus manipulates your device in secret, there are some telltale signs of infection to watch out for. 

Here’s how to protect crypto on Android if you’re suspicious of a Crocodilus attack:

  • Suspicious app activity: Check your device activity tracker. An unaccounted-for uptick in activity from cryptocurrency or banking apps may be cause for concern.
  • Check app permissions: Regularly review the app permissions you’ve allowed, especially those that request accessibility permissions.
  • Increased battery drain: A small but significant sign of infection is increased battery drain. If your battery drains faster than usual, your phone may be running malware in the background.
  • Data usage spikes: Crocodilus continually transmits data to its C2 server. Monitor your data usage and be aware of any sudden increases. This is one of the most apparent signs your wallet app is compromised.
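
The permission review described above can be scripted from a computer over adb. The following is an added example, not part of the original article or of ThreatFabric's research: the allowlist, the sample values and the function names are assumptions, while `enabled_accessibility_services` and `sms_default_application` are standard Android secure settings. It flags any enabled accessibility service, and any default SMS app, that you have not explicitly decided to trust.

```shell
#!/bin/sh
# Added example: flag accessibility services and a default SMS handler that
# are not on a reviewer-maintained allowlist.

# Packages the reviewer trusts (assumption; adjust for your own device).
ALLOWLIST="com.google.android.marvin.talkback com.android.messaging com.google.android.apps.messaging"

is_allowed() {
    for p in $ALLOWLIST; do
        [ "$p" = "$1" ] && return 0
    done
    return 1
}

# flag_accessibility "<value of secure/enabled_accessibility_services>"
# The setting is a colon-separated list of package/ServiceClass components.
# Prints one line per enabled service whose package is not allowlisted.
flag_accessibility() {
    case "$1" in ""|null) return 0 ;; esac   # unset setting reads as "null"
    printf '%s\n' "$1" | tr ':' '\n' | while IFS= read -r comp; do
        [ -n "$comp" ] || continue
        pkg=${comp%%/*}                      # keep the package part only
        is_allowed "$pkg" || printf '%s\n' "$comp"
    done
}

# flag_sms "<value of secure/sms_default_application>"
# Prints the package if the default SMS app is not allowlisted.
flag_sms() {
    case "$1" in ""|null) return 0 ;; esac
    is_allowed "$1" || printf '%s\n' "$1"
}

# Live use: needs adb and a device with USB debugging authorised.
audit_device() {
    a11y=$(adb shell settings get secure enabled_accessibility_services | tr -d '\r')
    sms=$(adb shell settings get secure sms_default_application | tr -d '\r')
    flag_accessibility "$a11y"
    flag_sms "$sms"
}

# Constructed sample values (not taken from any real device or malware sample).
SAMPLE_A11Y="com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:com.example.walletbackup/com.example.walletbackup.HelperService"
SAMPLE_SMS="com.example.walletbackup"

flag_accessibility "$SAMPLE_A11Y"
flag_sms "$SAMPLE_SMS"
```

Call `audit_device` with the phone attached to check a real device. Any line it prints is an app to investigate, not proof of infection.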

How to prevent a Crocodilus hack

Prevention is the best form of protection.

According to blockchain analysis firm Chainalysis, an estimated $51 billion in cryptocurrencies was stolen via crypto hacks in 2024. The group expects this number to increase in 2025 and beyond. Cybersecurity is more important than ever as we continue to move toward decentralized digital finance.

While it’s impossible to remain 100% safe from cyberthreats, consider adopting the following behaviors to protect yourself. Crypto wallet security in 2025 is more important than ever:

  • Browse safely: Avoid suspicious websites that exist to trap users into downloading Crocodilus and other malware stealing crypto keys.
  • Use a hardware wallet: As of April 2025, Crocodilus targets Android devices, specifically. Keeping your cryptocurrencies in a hardware wallet limits the malware’s reach.
  • Triple-check app downloads: Don’t side-load applications from unsafe websites. Make sure to triple-check apps on the Google Play Store and only download those you’re sure are official.
  • Check official sources: Follow reputable cybersecurity websites, subreddits and other spaces to stay current on Crocodilus protection methods.

Finally, be wary of unexpected backup prompts and monitor app behavior for suspicious activity.


