
Crocodilus Android Trojan Expands Globally with Enhanced Features

A recently discovered Android banking trojan, dubbed Crocodilus, is rapidly expanding its reach, now targeting users in Europe, South America, and beyond


A recently discovered Android banking trojan, dubbed Crocodilus, is rapidly expanding its reach, now targeting users in Europe, South America, and beyond. Originally confined to Spain and Turkey, the malware has evolved significantly, both in technical sophistication and geographic scope, according to a new report from ThreatFabric, a Dutch cybersecurity company specializing in mobile threat intelligence.

Key Findings

  • Crocodilus is being distributed through social engineering, often disguised as legitimate apps or updates.

  • The malware now includes advanced obfuscation techniques, making it harder to detect or analyze.

  • It is capable of:

    • Harvesting banking credentials via overlay attacks

    • Capturing cryptocurrency wallet seed phrases

    • Adding new contacts to the victim’s device for potential scam impersonation

Initial Discovery and Evolution

Crocodilus was first observed in March 2025, targeting Android users in Spain and Turkey by posing as well-known apps such as Google Chrome. The malware abuses Android Accessibility Services to:

  • Record user input

  • Monitor on-screen activity

  • Capture sensitive information such as banking credentials and cryptocurrency wallet seed phrases

Overlay attacks are employed to present fake login screens over legitimate banking apps, tricking users into entering their usernames and passwords.

Expanded Geographic Targeting

According to ThreatFabric, Crocodilus has broadened its target list to include countries such as:

  • Poland

  • Argentina

  • Brazil

  • India

  • Indonesia

  • The United States

Distribution Techniques

In Poland, bogus Facebook ads are used to lure users into downloading fake banking or e-commerce apps. These ads redirect victims to malicious websites hosting the Crocodilus dropper, which installs the trojan on their devices.

Other campaigns targeting Spain and Turkey have employed fake browser updates and fraudulent online casinos as cover.

New Technical Capabilities

1. Contact Insertion Feature

Crocodilus can now add contacts to the victim's contact list upon receiving a command labeled "TRU9MMRHBCRO". This functionality is believed to be a workaround for Google's scam warnings, which Android displays during screen-sharing sessions with unknown numbers.

“The intent is to add a phone number under a convincing name such as ‘Bank Support,’ allowing the attacker to call the victim while appearing legitimate,” said ThreatFabric.

This tactic could also evade fraud detection systems that flag interactions with unfamiliar phone numbers.

2. Automated Seed Phrase Collector

A newly integrated parser enables the malware to automatically extract seed phrases and private keys from cryptocurrency wallets. This could allow attackers to drain virtual assets with minimal user interaction.

Advanced Obfuscation

To make analysis more difficult, the trojan now includes layered obfuscation. These techniques are designed to:

  • Prevent detection by mobile security software

  • Hinder reverse engineering by security researchers

This makes it more difficult for cybersecurity teams to develop reliable signatures and behavioral rules to detect and block the malware.

Global Threat Outlook

Crocodilus represents a significant step in the evolution of mobile banking malware. What began as a regional threat has quickly become a global concern due to its:

  • Modular architecture

  • Scalable delivery methods

  • Steady stream of feature updates

“The latest campaigns involving the Crocodilus Android banking Trojan signal a concerning evolution in both the malware's technical sophistication and its operational scope,” ThreatFabric noted.

Mitigation and User Advice

To protect against Crocodilus and similar mobile threats:

  • Only download apps from official app stores (e.g., Google Play)

  • Avoid clicking on links in unsolicited messages or ads

  • Review app permissions carefully—especially requests for accessibility services

  • Use reputable mobile security software

  • Stay updated on emerging threats from verified security sources
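Because Crocodilus depends on Android Accessibility Services, one concrete check behind the "review accessibility permissions" advice is to inspect which services are actually enabled. The script below is an added example, not code from the article or from ThreatFabric: it parses the value of the Secure setting `enabled_accessibility_services` (what `adb shell settings get secure enabled_accessibility_services` prints, a colon-separated list of `package/ServiceClass` entries) and flags any entry not on an allowlist. The allowlist and the sample setting value are constructed for illustration.

```python
"""Flag enabled Android accessibility services that are not on a vetted allowlist.

Added example (not the article's or ThreatFabric's code). Works on the raw value of
the Secure setting `enabled_accessibility_services`, so it can run offline on output
captured with adb. Allowlist and sample value below are constructed assumptions.
"""
from __future__ import annotations
from dataclasses import dataclass

# Constructed allowlist of services the device owner has knowingly enabled (assumption).
TRUSTED_ACCESSIBILITY_SERVICES = {
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService",
}

# Constructed sample setting value. The second entry mimics a dropper posing as a
# browser update that silently registered its own accessibility service.
SAMPLE_SETTING = (
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:"
    "com.example.chrome.update/.AccService"
)


@dataclass(frozen=True)
class ServiceEntry:
    package: str
    service: str


def parse_enabled_services(raw: str) -> list[ServiceEntry]:
    """Parse the colon-separated setting; 'null' or an empty string means nothing is enabled."""
    raw = raw.strip()
    if not raw or raw == "null":
        return []
    entries = []
    for item in raw.split(":"):
        if not item:
            continue
        package, _, service = item.partition("/")
        # Android accepts the short form ".Class" for classes inside the package itself.
        if service.startswith("."):
            service = package + service
        entries.append(ServiceEntry(package, service))
    return entries


def find_untrusted(raw: str, trusted=TRUSTED_ACCESSIBILITY_SERVICES) -> list[ServiceEntry]:
    """Return enabled services whose package/class is not on the allowlist."""
    return [e for e in parse_enabled_services(raw) if f"{e.package}/{e.service}" not in trusted]


if __name__ == "__main__":
    for entry in find_untrusted(SAMPLE_SETTING):
        print(f"REVIEW: unexpected accessibility service enabled: {entry.package}/{entry.service}")
```

On a real device the input comes from `adb shell settings get secure enabled_accessibility_services`; any flagged package is worth inspecting before assuming it is legitimate.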

As cybercriminals continue to exploit mobile ecosystems, understanding these evolving tactics is key to defending against them. Crocodilus is a clear indicator that banking malware is becoming more deceptive, persistent, and globally distributed than ever before.