Recent campaigns have relied heavily on Facebook Ads to lure Polish users into downloading fake loyalty apps, redirecting them to malicious websites that installed the trojan despite the security measures in Android 13 and later. Within one to two hours, these ads reached thousands of users, with a focus on individuals over 35.
Once installed, the trojan overlays counterfeit login pages on real banking and cryptocurrency applications. It notably masqueraded as a browser update in Spain, targeting major banks in the region. New capabilities include modifying infected devices' contact lists, allowing attackers to insert phone numbers labeled as “Bank Support” to aid social engineering schemes. Additionally, the updated malware can automatically collect seed phrases from cryptocurrency wallets, which allows attackers to quickly take control of accounts.
Its developers have also fortified Crocodilus' defenses with advanced obfuscation techniques and features that complicate reverse engineering. Smaller campaigns have also emerged, targeting cryptocurrency mining tools and European digital banks. A report highlighted that malware built to drain cryptocurrency has become widely available, with some of it offered for rent at low cost, underscoring the risks within the crypto ecosystem.