A new Android malware named Crocodilus has been identified by security firm ThreatFabric. It targets cryptocurrency wallets by stealing seed phrases. The malware disguises itself as legitimate crypto-related apps and uses social engineering to trick users into backing up their keys, which gives its operators access to their digital wallets. Crocodilus requests Android Accessibility permissions, which allow it to bypass security measures and deploy screen overlays that intercept credentials. It has been reported to affect users in Spain and Turkey, and the malware uses Turkish debug language. Crocodilus functions as a remote access trojan (RAT): operators can control the device remotely and can display a black screen overlay to hide their actions. It is distributed through a proprietary dropper that evades the security protections of Android 13 and later and installs without triggering Google Play Protect. Once installed, it can perform various malicious actions, including remote control of the device, interception of SMS messages, and capture of Google Authenticator codes used for two-factor authentication.
Just got this email #gemini The world of crypto scammers grows daily. Ever wonder what happens after an info security breach? Your stolen email ends up in the hands of relentless scammers. And in crypto, once they get your funds, you’re f’d—there’s no recourse. Stay #vigilant! https://t.co/gb88BrVKdF
Android 16's upcoming feature is bad news for thieves https://t.co/JoBuylrRHc
March Madness + Cybercrime = $20B in potential losses 🏀💸 @treyford has the key advice: Stick to trusted sites and stay cautious. More expert tips here: https://t.co/np8pqvidC3 #Cybersecurity #Phishing #MarchMadness #Bugcrowd