The newest variation is an adaptation to a dangerous virus circulating for years
A newly evolved version of the Android banking trojan known as Crocodilus is spreading fast, now targeting cryptocurrency users and banking customers worldwide, according to cybersecurity firm ThreatFabric.
First spotted in March 2025, Crocodilus initially focused on Turkish users by disguising itself as legitimate banking or casino apps. Recent reports show the malware has significantly expanded its reach, launching attacks in countries including Poland, Spain, Argentina, Brazil, Indonesia, India, and the United States.
In one of the latest campaigns, Polish users were targeted via Facebook Ads promoting fake loyalty apps. Once clicked, users were redirected to malicious websites that installed a Crocodilus dropper capable of bypassing Android 13 security protections. Facebook’s ad transparency data indicated that these campaigns reached thousands of users within just a few hours, primarily focusing on people aged 35 and older.
Once installed, Crocodilus mimics a variety of legitimate services, overlaying fake login pages on banking and crypto apps to harvest user credentials. In Spain, it even disguised itself as a browser update, affecting nearly all major banks.
The malware has grown more sophisticated. It now has the ability to modify a user’s contact list by adding fake support numbers, likely to be used in social engineering scams. A key upgrade includes a feature that targets crypto wallet seed phrases and private keys, allowing attackers to collect crucial information needed to hijack digital assets quickly and efficiently.
Crocodilus also incorporates stronger obfuscation techniques, including packed code and complex logic, making it harder for analysts to detect or dismantle.
Smaller campaigns have been observed targeting crypto mining apps and digital banks, especially in Europe. These developments coincide with broader trends in cybercrime, where malware like crypto drainers are now being rented out for low prices, turning advanced digital theft into an accessible service.
The rising threat underscores growing concerns about mobile malware’s role in targeting financial data—especially in the rapidly growing crypto space.
