Crocodilus Android Trojan Adds Crypto Wallet Heist Tools in Global Expansion
The Android banking trojan Crocodilus has expanded its campaigns to target crypto users and banking customers in Europe and South America since it was first detected in March 2025. Initially limited to Turkey, it now affects countries including Poland, Spain, Argentina, Brazil, Indonesia, India, and the US. Recent campaigns used Facebook Ads to promote fake loyalty apps, redirecting users to malicious sites that deliver the malware, which can bypass Android 13+ restrictions. Crocodilus overlays fake login pages on legitimate banking and crypto apps, and its capabilities have been enhanced to include modifying contact lists to facilitate social engineering attacks and automating the collection of cryptocurrency wallet seed phrases. The malware's defenses have also improved with deeper obfuscation techniques. Smaller campaigns targeting cryptocurrency mining apps and European digital banks have been observed. Additionally, crypto drainers have become more accessible for rent as the malware ecosystem evolves into a software-as-a-service model.