Crocodilus Malware Variant Targets Bitcoin and Crypto Wallets with Advanced Seed Phrase Collector

A sophisticated new variant of the Crocodilus mobile malware is raising alarms among crypto users, as it now features an automated seed phrase collector designed to steal sensitive data from Bitcoin and crypto wallets. The Mobile Threat Intelligence (MTI) team at Threat Fabric, a leading cybersecurity firm, issued a warning about the malware’s enhanced capabilities, which allow it to extract seed phrases and private keys with unprecedented precision. Initially detected in March, Crocodilus has expanded its reach from Europe to South America, targeting a growing number of crypto wallet users across multiple continents.

The updated malware leverages advanced preprocessing techniques to log and analyze on-screen data, making it more effective at stealing critical information. By incorporating regular expressions, the malware can format extracted data before it is displayed, enabling cybercriminals to receive high-quality, preprocessed information ready for use in fraudulent activities. This development marks a significant escalation in the threat posed by Crocodilus, as it streamlines account takeovers and crypto asset theft.

Global Campaigns and Deceptive Tactics

The MTI team reports that Crocodilus is actively targeting users in Turkey and Spain, with smaller campaigns affecting applications in Argentina, Brazil, the United States, Indonesia, and India. In Turkey, the malware masquerades as an online casino, spreading through malicious advertisements that overlay fake login pages on financial applications. This tactic tricks users into entering credentials, which are then harvested by attackers. In Spain, Crocodilus disguises itself as a fake browser update, targeting nearly all major Spanish banks with deceptive prompts that compromise user security.

Beyond its seed phrase collector, the malware introduces a troubling new feature that allows attackers to manipulate the contact list on infected devices. By adding a phone number under a trusted name, such as “Bank Support,” cybercriminals can initiate convincing calls to victims. This tactic bypasses fraud prevention measures that flag unknown numbers, increasing the likelihood of successful social engineering attacks. The combination of technical sophistication and psychological manipulation makes this variant particularly dangerous for unsuspecting users.

The MTI team emphasized that Crocodilus builds on its earlier reliance on accessibility logging, a feature that captures on-screen data. The new parser enhances this capability by extracting data in a structured format, reducing the effort required for attackers to exploit stolen information. As cybercriminals continue to refine their methods, the focus on cryptocurrency wallets reflects the growing value of digital assets and the lucrative opportunities they present for fraud.

Crypto users are urged to exercise caution when downloading applications or clicking on advertisements, particularly those prompting browser updates or offering online gambling services. Verifying the authenticity of apps and maintaining robust security practices, such as using two-factor authentication (2FA), can help mitigate the risk of falling victim to Crocodilus and other forms of malware.