{"id":12717,"date":"2025-06-03T15:44:34","date_gmt":"2025-06-03T13:44:34","guid":{"rendered":"https:\/\/wsj-crypto.com\/?p=12717"},"modified":"2025-06-03T15:44:34","modified_gmt":"2025-06-03T13:44:34","slug":"crocodilus-android-trojan-unleashes-new-crypto-wallet-theft-tactics-in-global-expansion","status":"publish","type":"post","link":"https:\/\/wsj-crypto.com\/index.php\/2025\/06\/03\/crocodilus-android-trojan-unleashes-new-crypto-wallet-theft-tactics-in-global-expansion\/","title":{"rendered":"Crocodilus Android Trojan Unleashes New Crypto Wallet Theft Tactics in Global Expansion"},"content":{"rendered":"

<\/p>\n

\n

The Android banking trojan Crocodilus has initiated new operations aimed at cryptocurrency users and banking clients throughout Europe and South America.<\/p>\n

Initially identified in March 2025<\/a>, early samples of Crocodilus were predominantly confined to Turkey, where the malware pretended to be online casino applications or counterfeit banking apps to capture login details.<\/p>\n

Recent operations indicate it is now targeting individuals in Poland, Spain, Argentina, Brazil, Indonesia, India, and the US, according<\/a> to insights from ThreatFabric\u2019s Mobile Threat Intelligence (MTI) team.<\/p>\n

A campaign aimed at users in Poland utilized Facebook Ads to advertise fraudulent loyalty applications. Clicking on the ad redirected users to harmful sites that delivered a Crocodilus dropper, circumventing Android 13+ restrictions.<\/p>\n

Facebook’s transparency data indicated that these advertisements reached thousands of users in a mere one to two hours, particularly targeting demographics over 35.<\/p>\n

Crocodilus malware is expanding its global reach. Source: ThreatFabric<\/em><\/figcaption><\/figure>\n

Related: <\/strong><\/em>Microsoft initiates legal proceedings against infostealer Lumma<\/strong><\/em><\/a><\/p>\n

Crocodilus targets banking and crypto applications<\/h2>\n

Once installed, Crocodilus overlays fraudulent login forms over authentic banking and cryptocurrency apps. It disguised itself as a browser update in Spain, aiming at nearly all major banks.<\/p>\n

Apart from geographic growth, Crocodilus has incorporated new functionalities. A significant upgrade includes the capability to alter the contact lists of compromised devices, allowing attackers to insert phone numbers identified as \u201cBank Support,\u201d potentially facilitating social engineering attacks.<\/p>\n

Another notable enhancement is the automated seed phrase collector specifically aimed at cryptocurrency wallets. The Crocodilus malware can now retrieve<\/a> seed phrases and private keys with improved accuracy, supplying attackers with pre-processed information for swift account takeovers.<\/p>\n

In parallel, developers have fortified Crocodilus\u2019 defenses through enhanced obfuscation. The latest version features compressed code, additional XOR encryption, and deliberately complex logic to deter reverse engineering.<\/p>\n

MTI analysts have also spotted smaller campaigns directed at cryptocurrency mining applications and European digital banking institutions.<\/p>\n

\u201cSimilar to its predecessor, the new variant of Crocodilus pays substantial attention to cryptocurrency wallet applications,\u201d the report noted. \u201cThis variant was equipped with an extra parser, assisting in the extraction of seed phrases and private keys from specific wallets.\u201d<\/p>\n

\"\"
Source: ThreatFabric<\/em><\/figcaption><\/figure>\n

Related: <\/strong><\/em>COLDRIVER employs new malware to steal from Western targets \u2014 Google<\/strong><\/em><\/a><\/p>\n

Crypto drainers marketed as malware<\/h2>\n

In an April 22 report, the crypto forensics and compliance company AMLBot disclosed that crypto drainers, malware created to pilfer cryptocurrency, have become more accessible as the ecosystem transforms into a software-as-a-service model<\/a>.<\/p>\n

The report indicated that malware distributors can lease a drainer for as little as 100-300 USDt (USDT<\/a>).<\/p>\n

On May 19, it was revealed that the Chinese printer company Procolored had distributed Bitcoin-stealing malware<\/a> alongside its official drivers.<\/p>\n

Magazine: <\/strong><\/em>Relocate to Portugal to become a crypto digital nomad \u2014 Everybody else is<\/strong><\/em><\/a><\/p>\n