Android trojan 'Crocodilus' hijacks accessibility settings for control


The Android banking trojan Crocodilus, which hijacks accessibility features for remote access and control, has spread globally and gained new features since its discovery in March 2025, according to Threat Fabric.

Crocodilus initially targeted victims in Turkey, where it is believed to have originated, and has expanded its reach to South America, the United States, parts of Asia and the rest of Europe.

In addition to imitating banking, cryptocurrency and e-commerce apps, Crocodilus was recently observed by Threat Fabric being distributed through Facebook ads, in a campaign specifically targeting Polish users.

The malware is installed using a custom dropper that can bypass the Restricted Settings security feature on Android 13 and above, which normally blocks side-loaded apps (those not installed from an official app store) from enabling frequently misused settings such as accessibility services. Defeating this protection is what lets Crocodilus turn on its accessibility service and use it for device control.

Banking trojan captures financial details, gains remote control

Posing as a legitimate application, Crocodilus requests access to the device’s accessibility services — these services, designed to help users with disabilities navigate their device, can be abused by malware to manipulate the device and capture data displayed on the screen.

As Threat Fabric described when it first identified Crocodilus in late March, the malware continuously runs in the background, monitoring app launches and deploying overlays targeting banking and cryptocurrency apps. These overlays are designed to trick the user into submitting their credentials, which are captured and exfiltrated to the attacker.

Crocodilus captures information displayed on the device screen by hijacking accessibility features to identify all the elements on the screen and log accessibility events, including all text changes made by the user. This capability essentially enables Crocodilus to act as a keylogger, according to Threat Fabric.
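The two prerequisites described above (a side-loaded package and an enabled accessibility service) are both visible from a device's own settings, which makes a quick triage possible during an incident. The script below is an added example for this article, not code from Threat Fabric or the page: it parses the output of `adb shell settings get secure enabled_accessibility_services` and `adb shell pm list packages -i` and flags any enabled accessibility service whose package was not installed by the Play Store (`com.android.vending`). The package names in the embedded sample data are constructed for the demonstration and do not refer to any real app.

```shell
#!/bin/sh
# Added example (not from the article or ThreatFabric): list enabled Android
# accessibility services and flag those that belong to side-loaded packages.
# Trojans in the Crocodilus mould need both conditions at once, so the
# combination is a useful triage signal (not proof of infection).
#
# Live inputs come from:
#   adb shell settings get secure enabled_accessibility_services
#   adb shell pm list packages -i
# The parsing is plain POSIX sh + awk so it also runs offline on the
# constructed samples below.

# Constructed sample of `settings get secure enabled_accessibility_services`
# (colon-separated component names). Package names are hypothetical.
SAMPLE_ENABLED='com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:com.example.flashplayer/com.example.flashplayer.AccService'

# Constructed sample of `pm list packages -i` (package plus installing package;
# "installer=null" is what a side-loaded package normally shows).
SAMPLE_PACKAGES='package:com.google.android.marvin.talkback  installer=com.android.vending
package:com.example.flashplayer  installer=null
package:com.android.chrome  installer=com.android.vending'

# installer_of PKG PACKAGE_LIST -> prints the recorded installer of PKG
# ("null" for side-loaded, empty if the package is not in the list).
installer_of() {
    pkg=$1
    printf '%s\n' "$2" | awk -v p="package:$pkg" \
        '$1 == p { sub(/^installer=/, "", $2); print $2 }'
}

# flag_services ENABLED PACKAGE_LIST -> one line per enabled service:
#   "OK <component>"                         installed by the Play Store
#   "SUSPECT <component> installer=<x>"      anything else (null/unknown/other)
flag_services() {
    enabled=$1
    pkgs=$2
    printf '%s\n' "$enabled" | tr ':' '\n' | while IFS= read -r comp; do
        [ -n "$comp" ] || continue
        pkg=${comp%%/*}                       # component is <package>/<class>
        inst=$(installer_of "$pkg" "$pkgs")
        [ -n "$inst" ] || inst=unknown
        if [ "$inst" = "com.android.vending" ]; then
            printf 'OK %s\n' "$comp"
        else
            printf 'SUSPECT %s installer=%s\n' "$comp" "$inst"
        fi
    done
}

# count_suspects ENABLED PACKAGE_LIST -> number of SUSPECT lines
count_suspects() {
    flag_services "$1" "$2" | grep -c '^SUSPECT' || true
}

# Use a connected device when adb is available, otherwise the constructed sample.
if command -v adb >/dev/null 2>&1 && adb get-state >/dev/null 2>&1; then
    flag_services "$(adb shell settings get secure enabled_accessibility_services | tr -d '\r')" \
                  "$(adb shell pm list packages -i | tr -d '\r')"
else
    flag_services "$SAMPLE_ENABLED" "$SAMPLE_PACKAGES"
fi
```

The installer attribution is the same signal Restricted Settings keys on, so an accessibility service that is enabled for a package with `installer=null` (or an installer that is itself an unfamiliar app, as with a dropper) deserves a closer look; a legitimate screen reader installed from the Play Store shows as OK.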

Additional capabilities include the ability to trigger screen captures — which Crocodilus specifically uses to capture one-time passwords (OTPs) from Google Authenticator — and displaying black screens and muting the device to hide malicious actions.

Ultimately, the attacker can leverage their remote control, using commands sent from an external server to swipe, click and alter text, to use the stolen credentials and logins to complete fraudulent transactions directly from the victim's device.

Latest version alters victim’s contact list, homes in on crypto wallet details

The Crocodilus Android banking trojan has evolved swiftly over the last three months, adding new capabilities alongside its expanded worldwide targeting, Threat Fabric reported Tuesday.

The malware dropper and the malware itself now employ code-packing to better obfuscate their contents, and the malware payload also has additional XOR encryption to complicate analysis. The Threat Fabric researchers describe the latest Crocodilus code as “entangled” and “convoluted,” making it more difficult for security analysts to reverse engineer.

One of the notable new features is the ability for Crocodilus to create new contacts in the victim’s contact list — this is most likely meant to manipulate caller ID for future voice phishing (vishing) attacks, making it appear as though the malicious phone call is coming from a trusted contact.

Additionally, newer versions of the malware improve the collection of cryptocurrency details, adding a parser that pre-processes seed phrases and private keys from specific wallets for easier extraction.

As described in previous attacks, Crocodilus steals these wallet details using an overlay that tricks users into viewing their seed phrase or private key for a "back up," warning that they may lose access to their wallet within 12 hours if they do not do so.
