Crocodilus Malware Expands Reach Globally, Targets Crypto and Banking Platforms

Crocodilus, a notorious Android banking trojan, has broadened its campaigns to target cryptocurrency users and banking customers in Europe and South America. First identified in Turkey in March 2025, early Crocodilus samples primarily masqueraded as online casino apps or counterfeit banking apps in order to capture login credentials.

Recent activities, however, indicate that the Trojan has extended its scope, striking victims in Poland, Spain, Argentina, Brazil, Indonesia, India, and the US, as per the latest data from ThreatFabric’s Mobile Threat Intelligence (MTI) team.

In Poland, the malware was spread through Facebook Ads promoting fake loyalty apps. Users who clicked on the advertisement were redirected to malicious websites that delivered a Crocodilus dropper capable of evading the security restrictions introduced in Android 13 and later. Facebook’s ad transparency data shows that these ads reached thousands of users within one to two hours, primarily targeting people aged 35 and above.

Once installed, Crocodilus displays fraudulent login screens on top of legitimate banking and crypto apps. In Spain, it poses as a browser update and targets nearly all major banks. Beyond its geographical expansion, Crocodilus has also gained new capabilities. These include the ability to modify the contact list of an infected device, letting the operators add phone numbers labeled as “Bank Support” that can later be used in social engineering attacks.

Another significant enhancement is an automated seed phrase collector aimed at cryptocurrency wallets. Crocodilus can now extract seed phrases and private keys more accurately, handing attackers pre-processed data for rapid account takeovers.

The developers have also strengthened Crocodilus’ defenses against analysis with deeper obfuscation. The newest variant combines packed code, an additional layer of XOR encryption, and deliberately convoluted logic to hinder reverse engineering. MTI analysts have also observed smaller campaigns focused on cryptocurrency mining apps and European digital banks, reflecting Crocodilus’ growing interest in crypto.

Relatedly, an April 22 report by the crypto forensics and compliance firm AMLBot found that crypto drainers, malware designed to steal cryptocurrency, are becoming more accessible as the ecosystem shifts toward a software-as-a-service business model.

The report revealed that malware distributors can rent a drainer for as little as 100 to 300 USDt (USDT). Separately, on May 19 it was disclosed that Procolored, a Chinese printer manufacturer, had been distributing Bitcoin-stealing malware alongside its official drivers, shipping the contaminated software on USB drives and uploading it to cloud storage for worldwide download.
