4/14/2025  |  2min read

New Android Malware Crocodilus Steals Crypto Wallet Keys

Crypto Wallets Under Attack as Crocodilus Malware Emerges

A newly discovered Android malware named Crocodilus is making waves across Spain and Turkey — and crypto users worldwide should take note. The malware's alarming ability to steal wallet seed phrases and intercept MFA codes could pose a serious threat to anyone holding digital assets on mobile. The attack vector? A slick social engineering campaign combined with overlay attacks that mimic legitimate wallet backup prompts. Once you fall for it, your seed phrase — and your coins — are gone.

How Crocodilus Infects and Strikes

Crocodilus spreads through malicious websites, third-party app stores, and sketchy social media promos, avoiding detection by Google Play Protect and slipping past Android 13+ security.

🦠 Once installed, it:

  • Abuses the Accessibility Service to log on-screen actions.
  • Deploys fake wallet backup prompts to steal your seed phrase.
  • Uses overlays on crypto and banking apps to harvest login info.
  • Hijacks MFA tools like Google Authenticator.
  • Enables call forwarding, reads SMS, and takes screenshots.

Security experts warn that with its 23 built-in commands, Crocodilus acts more like a remote access trojan (RAT) than a simple info-stealer.

How to Stay Safe from Crocodilus

  • Don’t share your seed phrase — ever.
  • Avoid sideloading apps or clicking links from random social media accounts.
  • Enable Google Play Protect.
  • Be selective with permissions, especially for accessibility.
  • Keep Android devices fully updated.
  • Use reputable mobile security software.
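
The permission and sideloading advice above can be checked on a device. The following is an added example, not code from the original article or from any Crocodilus analysis: it lists accessibility services that are enabled and belong to third-party apps not installed by Google Play. The package names and sample output are constructed, and treating only `com.android.vending` as a trusted installer is an assumption.

```python
import subprocess
import sys

TRUSTED_INSTALLERS = {"com.android.vending"}  # Google Play; extend for your own store (assumption)

def parse_enabled_services(raw):
    """Split the colon-separated 'package/component' value of enabled_accessibility_services."""
    raw = raw.strip()
    if not raw or raw == "null":          # nothing enabled
        return []
    return [tuple(item.split("/", 1)) for item in raw.split(":") if "/" in item]

def parse_installers(raw):
    """Map package -> installer from 'package:NAME  installer=SOURCE' lines."""
    installers = {}
    for line in raw.splitlines():
        fields = line.strip().split()
        if not fields or not fields[0].startswith("package:"):
            continue
        source = next((f[len("installer="):] for f in fields[1:] if f.startswith("installer=")), "null")
        installers[fields[0][len("package:"):]] = source
    return installers

def flag_sideloaded(services_raw, third_party_raw):
    """Return (package, component, installer) for enabled services from untrusted sources."""
    installers = parse_installers(third_party_raw)
    return [(pkg, comp, installers[pkg])
            for pkg, comp in parse_enabled_services(services_raw)
            if pkg in installers and installers[pkg] not in TRUSTED_INSTALLERS]

def adb_shell(*args):
    return subprocess.run(["adb", "shell", *args], capture_output=True, text=True, check=True).stdout

# Constructed sample output (not from a real device or from the Crocodilus campaign).
SAMPLE_SERVICES = ("com.google.android.marvin.talkback/.TalkBackService:"
                   "com.example.pwmanager/.AutofillA11yService:"
                   "com.example.walletbackup/.HelperService")
SAMPLE_THIRD_PARTY = """package:com.example.pwmanager  installer=com.android.vending
package:com.example.walletbackup  installer=null
"""

if __name__ == "__main__":
    if "--device" in sys.argv:            # query a connected device over adb
        services = adb_shell("settings", "get", "secure", "enabled_accessibility_services")
        packages = adb_shell("pm", "list", "packages", "-3", "-i")
    else:
        services, packages = SAMPLE_SERVICES, SAMPLE_THIRD_PARTY
    for pkg, comp, src in flag_sideloaded(services, packages):
        print(f"REVIEW: {pkg}/{comp} has accessibility enabled, installer={src}")
```

Run it with `--device` to query a phone connected over adb with USB debugging enabled. A flagged entry is a candidate for review, not proof of infection: apps sideloaded on purpose show up the same way.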