Android banking trojan Crocodilus rapidly evolves and goes global
A new Android banking trojan called Crocodilus is being used in a growing number of campaigns targeting users in Europe and South America.
Crocodilus is a recently discovered Android banking trojan that is quickly gaining ground. What began as small test campaigns has now grown into full-blown attacks targeting users across Europe and South America. It spreads through malicious ads on social media and comes packed with dangerous features, like stealing seed phrases and creating fake contacts for scams. ThreatFabric researchers warn it is also harder to detect, thanks to improved hiding tactics.
Crocodilus activity is expanding beyond Turkey and now hitting several European countries and even South America. The researchers noticed a standout campaign that targeted users in Poland via fake banking and shopping apps. The malware was spread through Facebook ads offering fake reward points.
Though the ads were live for just 1 or 2 hours, they reached thousands before directing victims to a fake site that dropped the Crocodilus malware, bypassing Android 13+ protections.
The experts uncovered another campaign targeting Spanish users by posing as a browser update, aiming at nearly all major Spanish banks. Meanwhile, smaller campaigns show a broader, global focus, impersonating apps from countries like Argentina, Brazil, the U.S., Indonesia, and India.
Recent samples include enhanced obfuscation techniques like code packing and XOR encryption to evade detection. A new variant can now add fake contacts to a victim’s phone, like “Bank Support”, enabling social engineering attacks by making fraudulent calls appear legitimate and possibly bypassing fraud detection systems.
“A key feature update is the ability to modify the contact list on an infected device. Upon receiving the command ‘TRU9MMRHBCRO’, Crocodilus adds a specified contact to the victim’s contact list,” reads the report published by ThreatFabric.
“This further increases the attacker’s control over the device. We believe the intent is to add a phone number under a convincing name such as ‘Bank Support’, allowing the attacker to call the victim while appearing legitimate. This could also bypass fraud prevention measures that flag unknown numbers.”
The latest variant sharpens its focus on cryptocurrency wallets by adding a parser that extracts seed phrases and private keys. The malicious code supports improved AccessibilityLogging and regex-based parsing of screen data, delivering clean, high-value data to the attackers and enabling easier account takeover and theft of crypto assets directly from the targeted wallet apps.
“Notably, its campaigns are no longer regionally confined; the malware has extended its reach to new geographical areas, underscoring its transition into a truly global threat,” concludes the report, which includes indicators of compromise (IoCs).
“This shift not only broadens the potential impact but also suggests a more organised and adaptive threat actor behind its deployment. As Crocodilus continues to evolve, organisations and users alike must stay vigilant and adopt proactive security measures to mitigate the risks posed by this increasingly sophisticated malware.”