TechFlow reports that on March 31, according to Bleeping Computer, a new Android malware named Crocodilus tricks users into revealing their cryptocurrency wallet recovery phrases through social engineering, thereby stealing wallet keys and gaining full control over victims' assets.
Crocodilus bypasses security protections in Android 13 and later versions via a custom malicious installer, enabling self-installation without triggering Google Play Protect or accessibility service restrictions. Its primary attack method involves screen overlay techniques to forge warning messages, falsely notifying users they must "back up wallet keys" within 12 hours or lose access—tricking them into voluntarily disclosing their recovery phrases.
In addition, the malware features remote access trojan (RAT) capabilities, allowing execution of various device control commands such as retrieving SMS messages, enabling call forwarding, sending notifications, and locking the screen. The first victims were primarily located in Turkey and Spain, with attacks targeting banking accounts and cryptocurrency apps. Researchers suspect the malware may originate from Turkey.




