    Crocodilus Android Trojan Unleashes New Crypto Wallet Theft Tactics in Global Expansion

    By wsjcrypto, 3 June 2025

    The Android banking trojan Crocodilus has initiated new operations aimed at cryptocurrency users and banking clients throughout Europe and South America.

    Initially identified in March 2025, early samples of Crocodilus were predominantly confined to Turkey, where the malware pretended to be online casino applications or counterfeit banking apps to capture login details.

    Recent operations indicate it is now targeting individuals in Poland, Spain, Argentina, Brazil, Indonesia, India, and the US, according to insights from ThreatFabric’s Mobile Threat Intelligence (MTI) team.

    A campaign aimed at users in Poland used Facebook Ads to advertise fraudulent loyalty applications. Clicking on the ad redirected users to malicious sites that delivered a Crocodilus dropper, which circumvents Android 13+ restrictions.

    Facebook’s transparency data indicated that these advertisements reached thousands of users in a mere one to two hours, particularly targeting demographics over 35.

    Crocodilus malware is expanding its global reach. Source: ThreatFabric


    Crocodilus targets banking and crypto applications

    Once installed, Crocodilus overlays fraudulent login forms over authentic banking and cryptocurrency apps. It disguised itself as a browser update in Spain, aiming at nearly all major banks.

    Apart from geographic growth, Crocodilus has gained new functionality. A significant upgrade is the ability to alter the contact list of a compromised device, allowing attackers to insert phone numbers labeled “Bank Support,” potentially facilitating social engineering attacks.

    Another notable enhancement is the automated seed phrase collector specifically aimed at cryptocurrency wallets. The Crocodilus malware can now retrieve seed phrases and private keys with improved accuracy, supplying attackers with pre-processed information for swift account takeovers.

    In parallel, developers have fortified Crocodilus’ defenses through enhanced obfuscation. The latest version features compressed code, additional XOR encryption, and deliberately complex logic to deter reverse engineering.

    MTI analysts have also spotted smaller campaigns directed at cryptocurrency mining applications and European digital banking institutions.

    “Similar to its predecessor, the new variant of Crocodilus pays substantial attention to cryptocurrency wallet applications,” the report noted. “This variant was equipped with an extra parser, assisting in the extraction of seed phrases and private keys from specific wallets.”


    Crypto drainers marketed as malware

    In an April 22 report, the crypto forensics and compliance company AMLBot disclosed that crypto drainers, malware created to pilfer cryptocurrency, have become more accessible as the ecosystem transforms into a software-as-a-service model.

    The report indicated that malware distributors can lease a drainer for as little as 100-300 USDt (USDT).

    On May 19, it was revealed that the Chinese printer company Procolored had distributed Bitcoin-stealing malware alongside its official drivers.
