Recent activities, however, indicate that the Trojan has extended its scope, striking victims in Poland, Spain, Argentina, Brazil, Indonesia, India, and the US, as per the latest data from ThreatFabric’s Mobile Threat Intelligence (MTI) team.

In Poland, the malware exploited Facebook Ads to circulate deceptive loyalty apps. Users who clicked on the advertisement were redirected to harmful websites that delivered a Crocodilus dropper, evading Android 13+ security measures. Facebook’s transparency data reveals that these ads reached thousands of users within one to two hours, primarily targeting those aged 35 and above.

Once installed, Crocodilus overlays fraudulent login screens over authentic banking and crypto apps. In Spain, it poses as a browser update, targeting nearly all major banks. Apart from its geographical expansion, Crocodilus has also acquired new skills. These include the ability to alter infected devices’ contact lists, enabling hackers to add phone numbers labeled as “Bank Support” for potential social engineering attacks.

Another significant enhancement is an automated seed phrase collector targeting cryptocurrency wallets. The Crocodilus malware is now capable of extracting seed phrases and private keys more accurately, providing attackers with pre-processed data for quick account takeovers.

The developers have also bolstered Crocodilus’ defenses with deeper obfuscation. The newest variant combines packed code, extra XOR encryption, and deliberately complex logic to thwart reverse engineering. MTI analysts have also noted smaller campaigns focusing on cryptocurrency mining apps and European digital banks as part of Crocodilus’ increasing interest in crypto.

Related to this, an April 22 report by crypto forensics and compliance firm AMLBot disclosed that crypto drainers, malware designed to pilfer cryptocurrency, are becoming more accessible as the ecosystem evolves towards a software-as-a-service business model.

The report revealed that malware spreaders can rent a drainer for as little as 100 to 300 USDt (USDT). On May 19, it was disclosed that Procolored, a Chinese printer manufacturer, had been distributing Bitcoin-stealing malware along with its official drivers, using USB drivers to distribute contaminated software and uploading the compromised software to cloud storage for global access.

The post Crocodilus Malware Expands Reach Globally, Targets Crypto and Banking Platforms appeared first on Crypto Market Insights: Dive In with CryptoUpdate.io.

These counterfeit Android devices are being sold at discounted rates, but they come preinfected with a variant of the notorious Triada Trojan. This malware infects every function of the phone, providing the hackers with virtually limitless control over the device, warned Kaspersky in their April 1 statement.

Dmitry Kalinin, a cybersecurity specialist at Kaspersky, explained that the Trojan allows the perpetrators to steal cryptocurrency by switching wallet addresses once access to the device is granted. “The creators of the new Triada variant are reaping significant financial benefits. Based on transaction analysis, they’ve managed to funnel roughly $270,000 in multiple cryptocurrencies into their crypto wallets,” he shared.

However, the real figure could be much larger, as the attackers also targeted Monero, a cryptocurrency renowned for its anonymity. The Trojan also has the ability to pilfer user account details and intercept all text messages, including two-factor authentication.

The Trojan infiltrates smartphone firmware before the device even reaches consumers. Some online vendors may unsuspectingly be selling these infected phones. “The supply chain is likely compromised at some point, so sellers may unknowingly be vending smartphones infected with Triada,” Kalinin conjectured.

As of now, Kaspersky researchers have detected 2,600 instances of this scam across several countries. The majority of these cases were encountered in Russia in the first quarter of 2025.

First discovered in 2016, the Triada malware is notorious for targeting financial apps and messaging services like WhatsApp, Facebook, and Google Mail. It is typically spread via malicious downloads and phishing schemes, according to cybersecurity firm Darktrace.

“The Triada Trojan has been around for a while and continues to be one of the most sophisticated and potent threats to Android,” emphasized Kalinin. Kaspersky Labs advises consumers to protect themselves by purchasing devices only from authorized distributors and immediately installing security solutions after purchase.

Other cybersecurity firms have been flagging novel forms of malware targeting crypto users. On March 28, Threat Fabric reported finding a new malware family that baits Android users into revealing their crypto seed phrases by launching a misleading overlay as it assumes control of the device.

Earlier, on March 18, tech behemoth Microsoft discovered a new remote access trojan (RAT) that targets cryptocurrency stored in 20 wallet extensions for the Google Chrome browser.

The post Beware of Fraudulent Phones Preloaded with Crypto-Stealing Malware appeared first on Crypto Market Insights: Dive In with CryptoUpdate.io.