Crocodilus Android Trojan: A Global Threat to Your Bank and Crypto Wallets
- John Jordan
- 2 days ago
Updated: 1 day ago
A dangerous new Android banking trojan, dubbed Crocodilus, has significantly expanded its operations, now actively targeting users in eight countries across Europe and South America. This sophisticated malware is designed to steal sensitive financial information, including banking credentials and cryptocurrency wallet seed phrases, posing a severe threat to mobile device security.

The Evolving Threat of Crocodilus
Initially documented in March 2025, Crocodilus first targeted users in Spain and Turkey.
Recent reports from ThreatFabric indicate a global expansion, now impacting countries like Poland, Argentina, Brazil, India, Indonesia, and the United States.
The malware is actively maintained, with operators continuously adding new features and improving obfuscation techniques to evade detection.
How Crocodilus Operates
Crocodilus employs a multi-faceted approach to compromise Android devices and steal data:
Distribution: Primarily spread via malicious websites, fake advertisements on platforms like Facebook, social media, text messages, and third-party Android app stores. It often masquerades as legitimate apps or updates.
Social Engineering: Lures victims with prompts to update wallet keys or claim bonus points, directing them to download the malicious dropper.
Advanced Capabilities:
- Overlay Attacks: Displays fake login screens over legitimate banking and crypto apps to steal credentials.
- Accessibility Service Abuse: Exploits Android's Accessibility Service to capture seed phrases, monitor app launches, and perform navigation movements.
- Keylogging: Records keystrokes to capture sensitive information.
- Remote Access Trojan (RAT) Functionality: Allows attackers to remotely control the device, take screenshots (e.g., of Google Authenticator), and execute commands.
- Extensive Command Set: Capable of executing 23 commands, including call forwarding, launching specific apps, sending push notifications, and managing text messages.
New Features and Tactics
Recent variants of Crocodilus showcase enhanced sophistication:
Improved Obfuscation: Makes analysis and detection more challenging for security researchers.
Contact List Manipulation: Can add specified contacts (e.g., "Bank Support") to the victim's contact list, potentially to bypass fraud prevention measures during screen-sharing sessions or make malicious calls appear legitimate.
Automated Seed Phrase Collection: Utilizes a parser to automatically extract seed phrases and private keys from specific cryptocurrency wallets.
Protecting Yourself
Given the widespread and evolving nature of the Crocodilus threat, Android users are strongly advised to take precautions:
Avoid Third-Party Downloads: Only download applications from the official Google Play Store.
Enable Play Protect: Ensure Google Play Protect is always active on your device.
Be Wary of Prompts: Exercise extreme caution with unsolicited prompts to update apps or wallet keys, especially those threatening loss of access.
Verify Sources: Double-check the legitimacy of websites and advertisements before clicking on links or downloading files.
Sources
How the Crocodilus malware robs cryptowallets, Techzine Europe.
Android Trojan Crocodilus Now Active in 8 Countries, Targeting Banks and Crypto Wallets, The Hacker News.