Once installed and launched, the app requests permission to Android’s accessibility services, after which contact is established with a remote server to receive further instructions, the list of financial applications to be targeted, and the HTML overlays to be used to steal credentials. Crocodilus is also capable of targeting cryptocurrency wallets with an overlay that, instead of serving a fake login page to capture login information, shows an alert message urging victims to backup their seed phrases within 12, or else risk losing access to their wallets.

Archive link: https://archive.is/idZEc