Crocodilus malware goes global with new crypto, banking heist features

Android banking trojan Crocodilus has launched new campaigns targeting crypto users and banking customers across Europe and South America.

First detected in March 2025, early Crocodilus samples were largely limited to Turkey, where the malware posed as online casino apps or spoofed bank apps to steal login credentials.

However, recent campaigns show the Trojan expanding its reach, now hitting targets in Poland, Spain, Argentina, Brazil, Indonesia, India and the US, according to new findings from ThreatFabric’s Mobile Threat Intelligence (MTI) team.

A campaign targeting Polish users tapped Facebook Ads to promote fake loyalty apps. Clicking the ad redirected users to malicious sites, delivering a Crocodilus dropper, which bypasses Android 13+ restrictions.

Facebook transparency data revealed that these ads reached thousands of users in just one to two hours, with a focus on audiences over 35.

Crocodilus targets banking and crypto apps

Once installed, Crocodilus overlays fake login pages on top of legitimate banking and crypto apps. It masquerades as a browser update in Spain, targeting nearly all major banks.

Beyond geographic expansion, Crocodilus has added new capabilities. One notable upgrade is the ability to modify infected devices’ contact lists, enabling attackers to insert phone numbers labeled as “Bank Support,” which could be used for social engineering attacks.

Another key enhancement is an automated seed phrase collector aimed at cryptocurrency wallets. The Crocodilus malware can now extract seed phrases and private keys with greater precision, feeding attackers pre-processed data for fast account takeovers.

Meanwhile, developers have strengthened Crocodilus’ defenses through deeper obfuscation. The latest variant features packed code, additional XOR encryption, and intentionally convoluted logic to resist reverse engineering.

MTI analysts also observed smaller campaigns targeting cryptocurrency mining apps and European digital banks amid Crocodilus’ growing focus on crypto.

“Just like its predecessor, the new variant of Crocodilus pays a lot of attention to cryptocurrency wallet apps,” the report said. “This variant was equipped with an additional parser, helping to extract seed phrases and private keys of specific wallets.”

Related: COLDRIVER using new malware to steal from Western targets — Google

Crypto drainers sold as malware

In an April 22 report, crypto forensics and compliance firm AMLBot revealed that crypto drainers, malware designed to steal cryptocurrency, have become easier to access as the ecosystem evolves into a software-as-a-service business model.

The report revealed that malware spreaders can rent a drainer for as little as 100 to 300 USDt (USDT).

On May 19, it was revealed that Chinese printer manufacturer Procolored distributed Bitcoin-stealing malware alongside its official drivers. The company reportedly used USB drivers to distribute malware-ridden drivers and uploaded the compromised software to cloud storage for global download.