Experts Uncover Android Trojan Targeting Crypto Wallets

Experts at Threat Fabric have identified a new family of malware for Android mobile devices. The Trojan targets specific banking applications and popular cryptocurrency wallets.

The malware, named Crocodilus, is capable of overlay attacks, keylogging, remote access to the device, and “hidden” operations.

Initially, the virus is installed via a dropper that bypasses the restrictions of Android 13 and newer. Once deployed, the software requests the activation of the Accessibility Service, and upon receiving permission, connects to a command server.
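A defender-side check for the pattern described above (an app that did not come from the store holding an enabled Accessibility Service), added here as an example and not taken from Threat Fabric's report. It parses the output of three standard `adb shell` commands; the sample outputs, package names and the "Google Play only" trust list are constructed assumptions.

```python
import re

# Assumption: only Google Play counts as a trusted installer on this fleet.
TRUSTED_INSTALLERS = {"com.android.vending"}

# Constructed sample of: adb shell settings get secure enabled_accessibility_services
SAMPLE_ENABLED = ("com.google.android.marvin.talkback/.TalkBackService:"
                  "com.example.updater/com.example.updater.HelperService")
# Constructed sample of: adb shell pm list packages -i
SAMPLE_INSTALLERS = """\
package:com.google.android.marvin.talkback  installer=null
package:com.example.updater  installer=null
package:com.example.notes  installer=com.android.vending
"""
# Constructed sample of: adb shell pm list packages -s  (preinstalled system apps)
SAMPLE_SYSTEM = "package:com.google.android.marvin.talkback\n"

def parse_enabled_services(value):
    """Split the colon-separated 'package/class' list; 'null' or '' means none enabled."""
    value = value.strip()
    if value in ("", "null"):
        return []
    return [tuple(c.split("/", 1)) for c in value.split(":") if "/" in c]

def parse_installers(pm_output):
    """Map package name -> installer package (None when the device reports 'null')."""
    found = re.findall(r"^package:(\S+)\s+installer=(\S+)", pm_output, re.M)
    return {pkg: (None if inst == "null" else inst) for pkg, inst in found}

def flag_sideloaded_services(enabled, installers_out, system_out):
    """Return (package, service, installer) for enabled accessibility services
    whose package is neither preinstalled nor installed by a trusted store."""
    installers = parse_installers(installers_out)
    system = set(re.findall(r"^package:(\S+)", system_out, re.M))
    flagged = []
    for pkg, cls in parse_enabled_services(enabled):
        if pkg in system:
            continue  # preinstalled apps legitimately report installer=null
        installer = installers.get(pkg)
        if installer not in TRUSTED_INSTALLERS:
            flagged.append((pkg, cls, installer))
    return flagged

if __name__ == "__main__":
    for hit in flag_sideloaded_services(SAMPLE_ENABLED, SAMPLE_INSTALLERS, SAMPLE_SYSTEM):
        print("review:", hit)
```

A hit is a lead for manual review, not a verdict: legitimately sideloaded accessibility tools will also appear.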

Crocodilus operates continuously, monitoring the launch of targeted applications and displaying overlays to intercept credentials. As soon as a user enters a password or PIN for a crypto wallet, they receive a prompt to back up their private key. Using this information, attackers can gain full control over the application and withdraw all funds.

[Image] Source: Threat Fabric.

Crocodilus records all actions performed by the victim through text changes on the screen, functioning as a keylogger. Additionally, the Trojan captures the Google Authenticator screen, transmitting OTP codes to the attackers.

“Using stolen personal and account data, attackers can gain full control over the victim’s device, using built-in remote access to conduct fraudulent transactions without detection,” noted Threat Fabric experts.

Crocodilus can display a black screen and mute sound when applications are in use, making fraudulent activities on the device invisible to the user.

Experts emphasized that even in its early versions, the Trojan demonstrates “a level of maturity uncharacteristic of newly discovered threats.”

“Crocodilus, already observed in attacks on banks in Spain and Turkey, as well as popular cryptocurrency wallets, is clearly designed to hunt for high-value assets,” they added.

Earlier, ForkLog covered the most important news from the world of cybersecurity in its traditional weekly digest.
