31 March 2025

New Android Malware Threatens Crypto And Banking Security

Crocodilus and TsarBot abuse accessibility services and screen overlays to steal sensitive user data.

In a concerning development for Android users, cybersecurity firms Threat Fabric and Cyble Research and Intelligence Labs (CRIL) have reported the emergence of two sophisticated malware families, Crocodilus and TsarBot, that are targeting mobile devices with alarming efficiency. Both malware variants employ advanced techniques to compromise users' sensitive information, particularly focusing on banking and cryptocurrency applications.

On March 28, 2025, Threat Fabric released a report detailing the discovery of Crocodilus, a newly identified family of mobile malware that specifically targets Android users. This malware employs a deceptive screen overlay to trick users into providing their cryptocurrency seed phrases, which are crucial for accessing digital wallets. According to Threat Fabric, the malware warns victims to back up their crypto wallet key within a set deadline of 12 hours or risk losing access altogether. The report states, “Once a victim provides a password from the application, the overlay will display a message: Back up your wallet key in the settings within 12 hours. Otherwise, the app will be reset, and you may lose access to your wallet.”

This social engineering tactic leads victims to navigate to their seed phrase wallet key, allowing Crocodilus to harvest this sensitive information using its accessibility logger. Once the threat actors obtain the seed phrase, they can gain complete control of the wallet and drain it entirely. Threat Fabric emphasized that despite being a new entrant in the malware landscape, Crocodilus exhibits features typical of modern banking malware, including overlay attacks and advanced data harvesting capabilities.

Initial infections occur when users inadvertently download the malware bundled within other software that bypasses Android 13 security measures. Once installed, Crocodilus requests users to enable accessibility services, granting hackers access to the device. Threat Fabric explained, “Once granted, the malware connects to the command-and-control (C2) server to receive instructions, including the list of target applications and the overlays to be used.” This connection allows the malware to monitor app launches continuously, displaying overlays to intercept user credentials.

When a targeted banking or cryptocurrency application is opened, the fake overlay appears, mutes the sound, and allows the hackers to take control of the device. “With stolen PII and credentials, threat actors can take full control of a victim’s device using built-in remote access, completing fraudulent transactions without detection,” Threat Fabric noted. The malware primarily targets users in Turkey and Spain, and notes found in the code indicate that the developers may speak Turkish. Threat Fabric cautions that the targeting could expand beyond its current geographical focus.

In addition to Crocodilus, CRIL has identified another formidable Android banking malware known as TsarBot, which is targeting over 750 applications globally. TsarBot utilizes similar overlay attacks and phishing techniques to intercept sensitive credentials and execute fraudulent transactions. It spreads through phishing sites that imitate legitimate financial platforms, distributing a dropper disguised as Google Play Services. Once installed, TsarBot employs overlay attacks by displaying fake login pages over legitimate applications, tricking users into entering sensitive information such as banking credentials and credit card details.

Moreover, TsarBot captures device lock credentials via a fake lock screen to gain full control over the device. The malware communicates with its command-and-control (C&C) server using WebSocket protocols, allowing attackers to remotely control the infected device’s screen and simulate user actions like swiping and tapping. This enables them to execute fraudulent transactions while concealing their activities behind a black overlay screen.

According to CRIL, TsarBot leverages accessibility services to enhance its malicious operations, allowing it to record screens, intercept SMS messages, and perform keylogging to collect sensitive information. The malware identifies installed applications on the infected device and checks them against a target list received from the C&C server. If a match is found, it retrieves injection pages that mimic legitimate apps, prompting users to enter confidential details.

Additionally, TsarBot employs lock-grabbing techniques to detect the device’s lock type, such as PINs or patterns, and loads a fake lock screen to capture these credentials. By combining overlay attacks with screen recording and lock grabbing, TsarBot executes on-device fraud with high precision, targeting banking apps across regions including North America, Europe, Asia-Pacific, the Middle East, and Australia. Its reach extends beyond financial applications to include social media platforms and e-commerce sites, highlighting the persistent threat posed by banking trojans in today’s digital landscape.
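Both families described above rely on two things an app can watch for: an accessibility service the user did not knowingly install, and a window drawn over the app's own credential fields. The following Kotlin snippet is an added defensive example for an Android banking or wallet app, not code from the page or from either vendor's report; the allowlisted package name is an assumed example of a legitimate screen reader.

```kotlin
import android.accessibilityservice.AccessibilityServiceInfo
import android.content.Context
import android.view.MotionEvent
import android.view.View
import android.view.accessibility.AccessibilityManager

// Assumed allowlist: accessibility services the app expects to see enabled.
// TalkBack (the platform screen reader) is used here as a constructed example;
// a real deployment would maintain its own vetted list.
private val EXPECTED_ACCESSIBILITY_PACKAGES = setOf(
    "com.google.android.marvin.talkback"
)

/**
 * Returns the package names of enabled accessibility services that are not on
 * the allowlist. Crocodilus and TsarBot both ask the victim to enable an
 * accessibility service, so an unexpected entry here is a strong risk signal
 * worth reporting before showing a login or seed-phrase screen.
 */
fun unexpectedAccessibilityServices(context: Context): List<String> {
    val am = context.getSystemService(Context.ACCESSIBILITY_SERVICE) as AccessibilityManager
    return am.getEnabledAccessibilityServiceList(AccessibilityServiceInfo.FEEDBACK_ALL_MASK)
        .map { it.resolveInfo.serviceInfo.packageName }
        .filterNot { it in EXPECTED_ACCESSIBILITY_PACKAGES }
        .distinct()
}

/**
 * Attaches a touch listener to a sensitive input (password, PIN, seed phrase)
 * that swallows any touch delivered while another window obscures this view,
 * and calls [onOverlayDetected] so the app can log or alert. This is the
 * condition an overlay attack creates when it draws a fake form on top of the
 * real one. Setting view.filterTouchesWhenObscured = true is the simpler
 * framework-level alternative that drops such touches without a callback.
 */
fun protectFromOverlay(view: View, onOverlayDetected: () -> Unit) {
    view.setOnTouchListener { _, event ->
        val obscured = (event.flags and MotionEvent.FLAG_WINDOW_IS_OBSCURED) != 0
        if (obscured) onOverlayDetected()
        // Returning true consumes the event, so an obscured touch never
        // reaches the underlying field; unobscured touches proceed normally.
        obscured
    }
}
```

Neither check identifies a specific malware family; they surface the preconditions both families need, which lets the app refuse to show credential screens or raise a fraud signal before data is entered.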

Both Crocodilus and TsarBot represent significant evolutions in Android malware tactics, exploiting accessibility features and overlay attacks to target sensitive financial data. Their emergence underscores the need for heightened vigilance against phishing campaigns and advanced mobile threats. Cybersecurity experts recommend that users remain cautious and informed about potential risks, ensuring they only download applications from trusted sources and regularly update their security settings to mitigate these threats.

As the landscape of mobile threats continues to evolve, staying aware of these sophisticated tactics is essential for protecting personal and financial information. With both Crocodilus and TsarBot on the rise, users must take proactive measures to safeguard their devices and data against these formidable adversaries.