A recently discovered Android banking trojan called Crocodilus is being leveraged in a growing number of malicious global campaigns. This dangerous malware, as detailed in a new report from ThreatFabric, currently targets users in both Europe and South America. Crocodilus has also adopted significantly improved obfuscation techniques, which are specifically designed to hinder detailed analysis and active detection efforts. It was first publicly documented by security researchers in March 2025, initially targeting Android device users located in Spain and Turkey. The malware can launch overlay attacks against financial apps to harvest credentials and also abuses accessibility services to steal crypto seed phrases.
The latest findings from the cybersecurity firm ThreatFabric clearly demonstrate a significant expansion of the Crocodilus malware’s overall geographic operational scope. Its ongoing development is quite evident with many enhancements and new features, strongly indicating it is actively maintained by its sophisticated operators. Select campaigns aimed at users in Poland have been found to leverage bogus advertisements on Facebook as a primary distribution vector. These deceptive ads effectively lure victims to download a fake application by mimicking banks or popular e-commerce platforms to claim supposed bonus points. Users who attempt to download the app are then unfortunately directed to a malicious website that delivers the Crocodilus dropper payload.
New variants of Crocodilus now incorporate various advanced evasion techniques, including methods like code packing on the dropper component for stealth. A particularly notable new feature is the malware’s ability to add a specified fake contact to the victim’s contact list upon command. This clever tactic allows attackers to impersonate trusted entities such as “Bank Support,” making their subsequent calls appear entirely legitimate. This feature is suspected by researchers to be a direct countermeasure to new Android security protections regarding screen-sharing sessions with unknown contacts. The malware also now includes an automated seed phrase collector which uses a parser to extract private keys of cryptocurrency wallets.
The latest campaigns involving the Crocodilus Android banking trojan clearly signal a very concerning evolution in its overall technical sophistication. Its widespread campaigns are unfortunately no longer confined to specific limited regions; the malware has now extended its dangerous reach. This worrying expansion distinctly underscores its unfortunate transition into becoming a truly significant and widespread global cybersecurity threat to many Android users. Android users are therefore strongly advised to stick to Google Play or other trusted software publishers when downloading any applications. They should also ensure that Google Play Protect is always kept active and try to minimize the number of installed applications.
Reference:
