That’s it for Android: why it is no longer possible to store cryptocurrency on this OS
The open-source operating system has always had a lot of security issues, but it will no longer be able to protect crypto assets
28.04.2025
Cybersecurity experts have discovered a new threat to Android users: the Crocodilus trojan, which at the time of publication is the most advanced malware built for stealing cryptocurrency. Research into the new trojan is still ongoing and little is known about it, so GetBlock AML Research publishes all the information available about Crocodilus together with recommendations on how to protect against it.
Unknown origin
The Crocodilus trojan was discovered by cybersecurity specialists at ThreatFabric in March 2025. As of April, it has been distributed mainly in Turkey and Spain, but experts predict that Crocodilus will spread worldwide in the coming months.
The danger of Crocodilus lies in its tight integration with the Android operating system. Once on the device, the trojan effectively becomes part of the OS, making it almost impossible to remove without damaging the system. Crocodilus takes full control of the device and lets the attackers perform any action on it without the owner's knowledge.
Another problem is that experts have not yet been able to identify the likely authors of the trojan, the sources of infection, or the ways in which it spreads. For now, experts recommend the following:
- Do not download unfamiliar apps, even from Google Play, as Crocodilus can bypass the security scanners of all major marketplaces;
- Do not click on phishing links, as in most cases malware is hidden behind them;
- Do not visit websites offering pirated software, and especially do not download anything from them, as malicious code is embedded in such downloads.
How Crocodilus works
Once the device is infected, Crocodilus requests access to Android's Accessibility Service. The trojan needs this permission to read the screen and act on the user's behalf; it then connects to the attacker's server, through which the device is controlled and user data is stolen. The attackers use screen overlays (fake windows drawn on top of the real interface) to disguise their activity.
(Image: Crocodilus requesting access to the Accessibility Service)
When the user opens a cryptocurrency wallet app, Crocodilus hides the wallet interface and shows a window that urges the user to back up the wallet's private keys. If the user falls for the ruse and performs the backup, the private keys are immediately sent to the attackers' server.
(Image: Fake wallet window urging the user to create a backup)
Crocodilus also does something long considered impossible in theory: it remotely bypasses two-factor authentication (2FA). When the user opens a 2FA app such as Google Authenticator, the trojan starts a screen capture and streams it to the server, exposing the one-time codes.
Another notable feature of Crocodilus is remote control of the device, during which the attackers can black out the screen and mute the sound. This lets them perform any operation on the device while the user believes it is locked.
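One check that follows directly from the above: audit which apps hold the Accessibility Service permission. The script below is an added example, not code from GetBlock or ThreatFabric; it parses the value returned by `adb shell settings get secure enabled_accessibility_services` (a colon-separated list of component names) and flags services whose package is not on an allowlist. The sample value and the allowlist are constructed for illustration.

```python
"""Audit enabled accessibility services, the capability Crocodilus abuses
to read the screen and drive the device. Parses the value returned by
`adb shell settings get secure enabled_accessibility_services`."""

# Constructed sample: what a compromised device might return (real output is one line).
SAMPLE_SETTING = (
    "com.google.android.marvin.talkback/"
    "com.google.android.marvin.talkback.TalkBackService:"
    "com.example.updater/.AccessHelper"
)

# Assumed allowlist: packages the device owner knowingly granted accessibility access to.
KNOWN_GOOD = {"com.google.android.marvin.talkback"}


def parse_components(value):
    """Split the setting into (package, class) pairs, expanding the '.Cls'
    shorthand Android allows for a class inside the same package."""
    value = value.strip()
    if value in ("", "null"):          # "null" means no service is enabled
        return []
    comps = []
    for item in filter(None, value.split(":")):
        pkg, _, cls = item.partition("/")
        if cls.startswith("."):
            cls = pkg + cls
        comps.append((pkg, cls))
    return comps


def unexpected_services(value, allowlist=KNOWN_GOOD):
    """Return fully qualified services whose package is not on the allowlist.
    Anything listed here deserves a closer look: Crocodilus needs exactly
    this permission to overlay wallet apps and stream the screen."""
    return [f"{pkg}/{cls}" for pkg, cls in parse_components(value)
            if pkg not in allowlist]


if __name__ == "__main__":
    for svc in unexpected_services(SAMPLE_SETTING):
        print("unexpected accessibility service:", svc)
```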
How to track the infection
Crocodilus is one of the best-camouflaged trojans seen so far. However, it can be identified by some indirect signs:
- Rapid battery drain. Battery capacity degrades gradually with age, but it is a sudden drop in the device's operating time that may indicate malware on the device;
- Increased data transfer. The trojan regularly communicates with its server, receiving commands and transmitting user data, so the amount of Internet traffic increases significantly after infection. One of the main signs of infection is bursts of data transfer during periods when you are not using the device.
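The two indirect signs above can be turned into a simple triage heuristic. The script below is an added example, not code from the original article; it takes hourly samples of screen-on time, battery level and uploaded bytes (constructed here, on a real device they would come from battery-stats and per-app network-usage exports) and flags hours where the screen was off yet upload volume or battery drain was far above the idle baseline.

```python
"""Heuristic triage for the two signs described above: data-transfer bursts
while the device is idle, and sudden battery drain with the screen off."""
from statistics import median

# Constructed hourly samples: (hour, screen_on_minutes, battery_pct, bytes_uploaded)
SAMPLES = [
    (0, 0, 100, 40_000), (1, 0, 99, 35_000), (2, 0, 98, 42_000),
    (3, 0, 97, 38_000),
    (4, 0, 96, 2_600_000),   # upload burst while the screen is off
    (5, 0, 88, 2_900_000),   # burst plus a steep battery drop
    (6, 20, 86, 900_000), (7, 45, 84, 1_500_000),   # normal daytime use
]


def idle_traffic_bursts(samples, factor=10.0, min_idle_samples=3):
    """Hours where the screen was off but upload volume exceeded `factor`
    times the median idle upload volume. The median is robust to the bursts
    themselves, so a few infected hours do not inflate the baseline."""
    idle = [s for s in samples if s[1] == 0]
    if len(idle) < min_idle_samples:
        return []                      # not enough idle data for a baseline
    baseline = median(s[3] for s in idle)
    return [s[0] for s in idle if s[3] > factor * baseline]


def steep_battery_drain(samples, max_pct_per_hour=3):
    """Hours with the screen off in which the battery fell by more than
    max_pct_per_hour since the previous sample."""
    flagged = []
    for prev, cur in zip(samples, samples[1:]):
        if cur[1] == 0 and prev[2] - cur[2] > max_pct_per_hour:
            flagged.append(cur[0])
    return flagged


def triage(samples):
    """Combine both signals; either repeated idle bursts or a burst
    coinciding with steep drain is treated as suspicious."""
    bursts = idle_traffic_bursts(samples)
    drain = steep_battery_drain(samples)
    suspicious = len(bursts) >= 2 or bool(set(bursts) & set(drain))
    return {"idle_traffic_bursts": bursts, "steep_drain": drain,
            "suspicious": suspicious}


if __name__ == "__main__":
    print(triage(SAMPLES))
```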
First aid in case of infection
At the first signs of Crocodilus infection, the following steps should be taken:
- Disconnect the device from the Internet;
- Remove the SIM card from the device;
- Remove the battery from the device (if possible);
- Turn off the device;
- Replace passwords and security keys via another device.
Note that an infected device should be considered unusable: a factory reset or reflashing is not guaranteed to restore its security.