
Crocodilus, a new device-takeover Android banking Trojan, was discovered in March 2025. Now, signs show that this malware has evolved into a more dangerous and global threat – not only to crypto users.
Threat Fabric, a provider of cybersecurity solutions, discovered the malware. It now says that Crocodilus has expanded into more countries, with malicious advertising campaigns distributing it via social networks. Improved obfuscation techniques have also been introduced.
Moreover, the criminals behind the malware have developed new Crocodilus features such as the ability to create new contacts in the victim's contact list and an automated crypto seed phrase collector.
According to Threat Fabric, the new version of Crocodilus has an additional parser that helps extract seed phrases (the phrases that give access to a wallet) and private keys stored in the crypto wallets themselves.
"With additional parsing done on the device side, threat actors receive high-quality preprocessed data, ready to use in fraudulent operations like Account Takeover, targeting cryptocurrency assets of victims," the researchers said.
Meanwhile, the ability to create new contacts in a contact list allows criminals to run social engineering campaigns to steal funds.

"We believe the intent is to add a phone number under a convincing name such as 'Bank Support,' allowing the attacker to call the victim while appearing legitimate. This could also bypass fraud prevention measures that flag unknown numbers," according to the researchers.
Examples found in Poland, Turkey, and Spain demonstrate how this malware is distributed. In Poland, the malware mimicked the apps of banks and e-commerce platforms and was promoted via Facebook Ads that urged users to download the app and claim bonus points, Threat Fabric said. It added that while these advertisements were live for just 1-2 hours, each was shown more than a thousand times.
Moreover, once the malware was downloaded from a fraudulent website, it was said to be able to bypass Android 13+ restrictions.
In Turkey, Crocodilus targets users of major banks and crypto platforms while pretending to be an online casino. In Spain, it disguises itself as a browser update.
The researchers also found that smaller campaigns with very "global" target lists involved apps from Argentina, Brazil, Spain, the US, Indonesia, and India.