A growing number of malicious campaigns now leverage a recently discovered Android banking trojan called Crocodilus to target users in Europe and South America.
According to a new report published by ThreatFabric, the malware has also adopted improved obfuscation techniques to hinder analysis and detection. Additionally, it includes the ability to create new contacts in the victim’s contacts list.
Furthermore, the Dutch security company stated, “Recent activity reveals multiple campaigns now targeting European countries while continuing Turkish campaigns and expanding globally to South America.”
The Trojan
Crocodilus first appeared publicly in March 2025, targeting Android device users in Spain and Turkey by masquerading as legitimate apps like Google Chrome. The malware also comes equipped with capabilities to launch overlay attacks against a list of financial apps retrieved from an external server, allowing it to harvest credentials.
Moreover, it abuses accessibility services permissions to capture seed phrases associated with cryptocurrency wallets. Cybercriminals can then use these phrases to drain virtual assets stored in them.
The latest findings from ThreatFabric highlight both the malware’s expanding geographic reach and its ongoing development. These enhancements and new features clearly show that its operators continue to actively maintain it.
In select campaigns aimed at Poland, threat actors have used bogus Facebook ads as a distribution vector by mimicking banks and e-commerce platforms. These deceptive ads entice victims to download an app to claim supposed bonus points. Once users attempt to download the app, the campaign redirects them to a malicious site that delivers the Crocodilus dropper.
Crocodilus goes global
Other attack waves targeting Spanish and Turkish users have disguised themselves as a web browser update and an online casino. In addition, the malware has also singled out users in Argentina, Brazil, India, Indonesia, and the United States.
Alongside incorporating various obfuscation techniques to complicate reverse engineering efforts, new variants of Crocodilus can now add a specified contact to the victim’s contact list when they receive the command “TRU9MMRHBCRO.”
Researchers suspect that this feature serves as a countermeasure to new security protections introduced by Google in Android. These protections alert users to a possible scam when they launch a banking app during a screen-sharing session with an unknown contact; a number already saved under a familiar name would not trigger that warning.
ThreatFabric explained, “We believe the intent is to add a phone number under a convincing name such as ‘Bank Support,’ allowing the attacker to call the victim while appearing legitimate. This could also bypass fraud prevention measures that flag unknown numbers.”
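The capabilities described above (overlay attacks, accessibility-service abuse and contact injection) each require a specific manifest artefact. The following added example, not part of the ThreatFabric report or of any tool mentioned here, is a small triage check over an AndroidManifest.xml that flags when several of these capabilities appear together; the capability-to-permission mapping and the sample manifest are assumptions constructed for this example, and a hit is a reason to look closer, not a verdict on its own.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Capabilities the report attributes to Crocodilus, mapped to the manifest
# declarations an app needs to implement them (mapping is an assumption).
CAPABILITY_PERMISSIONS = {
    "overlay attacks": {"android.permission.SYSTEM_ALERT_WINDOW"},
    "accessibility abuse": {"android.permission.BIND_ACCESSIBILITY_SERVICE"},
    "contact injection": {"android.permission.WRITE_CONTACTS"},
}

# Constructed sample manifest: a "browser update" app declaring all three.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.browserupdate">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.WRITE_CONTACTS"/>
  <application>
    <service android:name=".A11yService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
  </application>
</manifest>"""


def manifest_capabilities(manifest_xml: str) -> dict:
    """Return {capability: True/False} for the capabilities in CAPABILITY_PERMISSIONS."""
    root = ET.fromstring(manifest_xml)
    requested = {p.get(ANDROID_NS + "name") for p in root.iter("uses-permission")}
    # BIND_ACCESSIBILITY_SERVICE is declared on the <service> element, not requested
    # via <uses-permission>, so collect service-level permissions as well.
    service_perms = {s.get(ANDROID_NS + "permission") for s in root.iter("service")}
    declared = requested | service_perms
    return {cap: bool(perms & declared) for cap, perms in CAPABILITY_PERMISSIONS.items()}


def triage(manifest_xml: str) -> dict:
    """Label a manifest 'review' when two or more of the capabilities co-occur."""
    caps = manifest_capabilities(manifest_xml)
    hits = sorted(c for c, present in caps.items() if present)
    verdict = "review" if len(hits) >= 2 else "no combination found"
    return {"verdict": verdict, "capabilities": hits}


if __name__ == "__main__":
    print(triage(SAMPLE_MANIFEST))
```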
Another newly introduced feature is an automated seed phrase collector that uses a parser to extract seed phrases and private keys from specific cryptocurrency wallets.
According to the company, “The latest campaigns involving the Crocodilus Android banking Trojan signal a concerning evolution in both the malware’s technical sophistication and its operational scope.”
Notably, its campaigns no longer remain regionally confined. Instead, the malware has expanded its reach to new geographical areas, clearly underscoring its transition into a truly global threat.
Source: TheHackerNews
Read more at Impreza News