A sophisticated Android banking Trojan named Crocodilus is expanding its global footprint and now targets users in eight countries across Europe and South America. First identified in March 2025, the malware has evolved rapidly, adding code obfuscation and new features to steal banking credentials and cryptocurrency wallet seed phrases.
According to recent cybersecurity research, Crocodilus actively targets financial institutions and crypto platforms, abusing Android's accessibility services to carry out overlay attacks and remote device takeover. Its expansion from initial campaigns in Spain and Turkey to countries such as Poland, Brazil, and Argentina shows a growing threat to mobile users worldwide.
Evolving Tactics and Global Expansion
Crocodilus has advanced significantly since its discovery, with recent campaigns showing improved evasion of detection. The malware poses as a legitimate application, such as Google Chrome or an online casino app, to trick users into installing a dropper that gets around the restrictions Android 13 and later place on sideloaded apps that try to enable accessibility services.
In Poland, attackers have used deceptive Facebook ads impersonating banks and e-commerce platforms, luring victims with fake bonus-point offers. Similar campaigns in Spain and Turkey pose as browser updates or gambling apps, while new targets include Argentina, Brazil, India, Indonesia, and the United States, signaling a shift toward a broader, global operation.
Advanced Features Fuel Financial Theft
The Trojan's latest variants add a troubling feature: the ability to insert fake contacts into the victim's phone under names such as "Bank Support." Triggered by the command "TRU9MMRHBCRO," the tactic is believed to defeat Android's scam-call warnings, because a call from the attacker's number is then displayed as a saved, legitimate-looking contact rather than as an unknown caller.
Crocodilus also includes an automated seed phrase collector that parses captured screen content to extract cryptocurrency wallet keys, letting attackers drain digital assets. Observed campaigns target high-value wallets such as Coinbase Wallet and MetaMask with fake overlays that prompt users to enter sensitive information under the guise of an urgent security backup.
Did You Know?
Crocodilus is named after crocodile references in its code, reflecting the predatory nature of its attacks on unsuspecting Android users.
Social Engineering and Stealth Techniques
Crocodilus stands out for its social engineering: it displays fake warnings urging users to back up their wallet keys within 12 hours or lose access. These prompts trick victims into revealing seed phrases, which the malware captures through its accessibility logger.
The malware also draws a black screen overlay and mutes device audio to hide its remote-control activity, so the phone appears to be locked while the operator works. With 23 remote commands, including SMS takeover and screen recording, Crocodilus can capture two-factor authentication codes from apps such as Google Authenticator, which means a device-bound authenticator app offers no protection once the accessibility service has been granted.
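Two of the behaviours described above, an unexpected accessibility service and a planted "Bank Support" contact, are cheap to triage on a device pulled for analysis. The helpers below are an added example written for this page, not code from the research cited in it. They assume you have already captured the output of `adb shell settings get secure enabled_accessibility_services` and of `adb shell content query --uri content://com.android.contacts/data/phones --projection display_name:data1`; the allowlist, the name pattern and the sample device output are all constructed for the example.

```python
"""Triage helpers for two Crocodilus indicators: an accessibility service that
is not on the organisation's allowlist, and a contact whose name imitates a
bank or support line. Sample inputs are constructed to mirror adb output."""
import re

# Constructed sample of `settings get secure enabled_accessibility_services`.
# Android stores it as colon-separated ComponentName strings (package/class).
SAMPLE_ENABLED_SERVICES = (
    "com.google.android.marvin.talkback/"
    "com.google.android.marvin.talkback.TalkBackService:"
    "com.example.sideloaded/.AccService"  # hypothetical dropper-installed service
)

# Assumption: the services a managed fleet is expected to run; extend per estate.
KNOWN_GOOD_SERVICES = frozenset({
    "com.google.android.marvin.talkback/"
    "com.google.android.marvin.talkback.TalkBackService",
})


def parse_enabled_services(setting_value: str) -> list[str]:
    """Split the settings value into component names; 'null' means none enabled."""
    if not setting_value or setting_value.strip() == "null":
        return []
    return [s.strip() for s in setting_value.split(":") if s.strip()]


def unexpected_accessibility_services(setting_value: str,
                                      allowlist=KNOWN_GOOD_SERVICES) -> list[str]:
    """Return every enabled accessibility service that is not allowlisted."""
    return [s for s in parse_enabled_services(setting_value) if s not in allowlist]


# Constructed sample rows in the `Row: N col=value, col=value` format that
# `adb shell content query` prints.
SAMPLE_CONTACTS = """\
Row: 0 display_name=Alice Example, data1=+48 600 000 001
Row: 1 display_name=Bank Support, data1=+48 700 000 002
Row: 2 display_name=Bob, data1=+48 600 000 003
"""

CONTACT_ROW = re.compile(r"^Row: \d+ display_name=(?P<name>.*?), data1=(?P<number>.*)$")
# Assumption: words an attacker-planted contact is likely to carry; tune per region.
SUSPICIOUS_NAME = re.compile(r"\b(bank|support|helpdesk|security)\b", re.IGNORECASE)


def parse_contacts(query_output: str) -> list[tuple[str, str]]:
    """Extract (display_name, phone_number) pairs from content-query output."""
    rows = []
    for line in query_output.splitlines():
        m = CONTACT_ROW.match(line.strip())
        if m:
            rows.append((m.group("name"), m.group("number").strip()))
    return rows


def suspicious_contacts(query_output: str,
                        trusted_numbers=frozenset()) -> list[tuple[str, str]]:
    """Flag bank/support-style names whose number is not a known bank line."""
    return [(name, number) for name, number in parse_contacts(query_output)
            if SUSPICIOUS_NAME.search(name) and number not in trusted_numbers]


if __name__ == "__main__":
    for svc in unexpected_accessibility_services(SAMPLE_ENABLED_SERVICES):
        print("unexpected accessibility service:", svc)
    for name, number in suspicious_contacts(SAMPLE_CONTACTS):
        print("suspicious contact:", name, number)
```

Run it against output captured from the device rather than the samples. Treat a hit as a lead, not a verdict: a real bank's published number belongs in `trusted_numbers`, and a Trojan that already holds the accessibility service can interfere with what the device reports, so confirm on a forensic image where one is available.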