Crocodilus Android Trojan Spreads Globally, Gains New Features

HomeNews* A new Android banking trojan called Crocodilus is targeting users in Europe and South America.

• Crocodilus spreads through fake apps and online ads, and uses advanced techniques to avoid detection.
• The Malware can steal banking credentials, capture cryptocurrency wallet seed phrases, and create fake contacts.
• Attackers use Facebook ads and mimic real apps or services to trick users into downloading the malware.
• Crocodilus campaigns have expanded beyond Spain and Turkey to include countries like Poland, Brazil, Argentina, India, Indonesia, and the United States. A new wave of cyber attacks is using the Crocodilus banking trojan to target Android users across several countries, according to a report released by ThreatFabric. The malware, which first appeared in March 2025, is now active in Europe and South America, and has added new features to evade security measures.

• Advertisement - Crocodilus disguises itself as trusted apps such as Google Chrome and uses fake advertisements—especially on Facebook—to reach potential victims. In Poland, for example, scammers spread the malware by posing as banks and e-commerce platforms, offering “bonus points” that prompt users to download a malicious app. If the user installs it, Crocodilus is deployed on their device.

Once installed, Crocodilus can launch “overlay attacks” on a list of banking applications. An overlay attack is when malware displays a fake login page over a real banking app to steal user credentials. ThreatFabric also reports that the trojan exploits Android’s accessibility settings to capture cryptocurrency wallet seed phrases and private keys, putting digital assets at risk.

Recent versions of Crocodilus can create a new contact on a victim’s device with a convincing name, such as “Bank Support.” If attackers use this feature, they can call victims and bypass anti-fraud warnings that appear during unknown number interactions. According to ThreatFabric, “We believe the intent is to add a phone number under a convincing name such as ‘Bank Support,’ allowing the attacker to call the victim while appearing legitimate. This could also bypass fraud prevention measures that flag unknown numbers.”

The malware now reaches more countries, including Spain, Turkey, Argentina, Brazil, India, Indonesia, and the United States. It continues to update its code to block security analysis and reverse engineering. ThreatFabric notes that Crocodilus campaigns are evolving and spreading, which makes them a growing concern for Android users worldwide (more details here).

Previous Articles:

• SocGen-FORGE Expands EURCV Stablecoin with New BCB Markets Deal
• Editorial Criticizes Trump’s Profiting From Cryptocurrency Memecoin
• Hedera Sets Timeline to Deprecate Insecure HCS Mirror Endpoints
• Strategy Launches STRD Preferred Stock With 10% Yield, No Fees
• Google Chrome to Distrust Chunghwa Telecom, Netlock Certificates

• Advertisement -