A rising variety of malicious campaigns have leveraged a not too long ago found Android banking trojan referred to as Crocodilus to focus on customers in Europe and South America.
The malware, in accordance with a brand new report printed by ThreatFabric, has additionally adopted improved obfuscation methods to hinder evaluation and detection, and contains the flexibility to create new contacts within the sufferer’s contacts checklist.
“Latest exercise reveals a number of campaigns now focusing on European nations whereas persevering with Turkish campaigns and increasing globally to South America,” the Dutch safety firm mentioned.
Crocodilus was first publicly documented in March 2025 as focusing on Android machine customers in Spain and Turkey by masquerading as respectable apps like Google Chrome. The malware comes fitted with capabilities to launch overlay assaults towards a listing of economic apps retrieved from an exterior server to reap credentials.
It additionally abuses accessibility companies permissions to seize seed phrases related to cryptocurrency wallets, which might then be used to empty digital property saved in them.
The most recent findings from ThreatFabric exhibit an enlargement of the malware’s geographic scope in addition to ongoing improvement with enhancements and new options, indicating that it is being actively maintained by the operators.
Choose campaigns aimed toward Poland have been discovered to leverage bogus adverts on Fb as a distribution vector by mimicking banks and e-commerce platforms. These adverts lure victims to obtain an app to say supposed bonus factors. Customers who try to obtain the app are directed to a malicious website that delivers the Crocodilus dropper.
Different assault waves focusing on Spanish and Turkish customers have disguised themselves as an internet browser replace and an internet on line casino. Argentina, Brazil, India, Indonesia, and america are among the many different nations which were singled out by the malware.
Along with incorporating numerous obfuscation methods to complicate reverse engineering efforts, new variants of Crocodilus have the flexibility so as to add a specified contact to the sufferer’s contact checklist upon receiving the command “TRU9MMRHBCRO.”
It is suspected that the function is designed as a countermeasure to new safety protections that Google has launched in Android that alerts customers of potential scams when launching banking apps throughout a screen-sharing session with an unknown contact.
“We imagine the intent is so as to add a cellphone quantity underneath a convincing title resembling ‘Financial institution Help,’ permitting the attacker to name the sufferer whereas showing respectable. This might additionally bypass fraud prevention measures that flag unknown numbers,” ThreatFabric mentioned.
One other new function is an automatic seed phrase collector that makes use of a parser to extract seed phrases and personal keys of particular cryptocurrency wallets.
“The most recent campaigns involving the Crocodilus Android banking Trojan sign a regarding evolution in each the malware’s technical sophistication and its operational scope,” the corporate mentioned. “Notably, its campaigns are not regionally confined; the malware has prolonged its attain to new geographical areas, underscoring its transition into a very world risk.”
Replace
Following the publication of the story, a Google spokesperson shared the beneath assertion with The Hacker Information –
Primarily based on our present detection, no apps containing this malware are discovered on Google Play. Android customers are robotically protected by Google Play Shield, which is on by default on Android gadgets with Google Play Providers. Google Play Shield can warn customers or block apps identified to exhibit malicious conduct, even when these apps come from sources outdoors of Play.
(The story was up to date after publication to incorporate a response from Google.)
