By Abdul Wasay ⏐ 1 month ago ⏐ 2 min read
Crocodilus Trojan Expands Globally Targeting Crypto And Banking Apps

A sophisticated Android banking trojan known as Crocodilus is rapidly spreading beyond its initial confines, now targeting users across Europe, South America, and parts of Asia.

Initially detected in Turkey in March 2025, Crocodilus has evolved to exploit vulnerabilities in Android devices, posing significant threats to both banking and cryptocurrency applications.

Crocodilus Global Reach and Infection Methods

Recent campaigns have identified Crocodilus infections in countries including Poland, Spain, Argentina, Brazil, Indonesia, India, and the United States. The malware often masquerades as legitimate applications, such as online casino apps or spoofed banking apps, to deceive users into downloading it. Notably, in Poland, attackers utilized Facebook Ads to promote fake loyalty apps, redirecting users to malicious sites that deliver the Crocodilus dropper, capable of bypassing Android 13 and later security restrictions.

Advanced Capabilities and Techniques

Once installed, Crocodilus requests accessibility service permissions, granting it extensive control over the device. It overlays fake login pages atop legitimate banking and cryptocurrency apps, capturing user credentials. The malware has also been observed modifying contact lists to insert fake entries labeled as “Bank Support,” facilitating social engineering attacks.
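Because the malware depends on an accessibility service the user was tricked into enabling, a quick triage step for a suspect device is to list the enabled accessibility services and compare them against a known-good list. The script below is an added example, not code from the article or from any vendor; the allowlist and the sample setting value are constructed for illustration, and the live `adb` command is shown only in a comment.

```shell
#!/bin/sh
# Added triage helper: flag enabled Android accessibility services that are
# not on a known-good allowlist. The Android secure setting
# 'enabled_accessibility_services' holds component names separated by ':'.

# Hypothetical allowlist (space-separated); adjust to the services your fleet expects.
ALLOWED_SERVICES="com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService"

# flag_unknown_services RAW_SETTING_VALUE
# Prints one line per enabled service component not found in ALLOWED_SERVICES.
flag_unknown_services() {
    raw="$1"
    # 'settings get' prints the literal string "null" when nothing is enabled.
    [ "$raw" = "null" ] && return 0
    printf '%s\n' "$raw" | tr ':' '\n' | while IFS= read -r svc; do
        [ -n "$svc" ] || continue
        found=0
        for ok in $ALLOWED_SERVICES; do
            [ "$svc" = "$ok" ] && found=1
        done
        [ "$found" -eq 0 ] && printf '%s\n' "$svc"
    done
}

# Live use on a connected device (requires adb and USB debugging):
#   flag_unknown_services "$(adb shell settings get secure enabled_accessibility_services)"

# Constructed sample value for offline demonstration (not real Crocodilus data):
# TalkBack is expected; the second entry belongs to a fictitious "casino" app.
SAMPLE="com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:com.example.casinoapp/.AccessService"
```

Any component this prints should be checked against the app's install source before trusting it, since a sideloaded app holding accessibility permission is exactly the foothold described above.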

A significant enhancement in recent variants is the automated collection of seed phrases and private keys from cryptocurrency wallets. The malware employs a parser to extract this sensitive information efficiently, enabling swift account takeovers.

Crocodilus Evasion and Persistence Mechanisms

Crocodilus employs sophisticated evasion techniques, including code obfuscation, XOR encryption, and convoluted logic structures, making it challenging for security analysts to reverse-engineer. It continuously monitors app launches, deploying overlays to intercept credentials, and can trigger screen captures to obtain one-time passwords (OTPs) from authenticator apps.

Implications for Users and Security Measures

The rapid evolution and global spread of Crocodilus underscore the escalating threats in the mobile cybersecurity landscape. Users are advised to exercise caution by downloading apps only from trusted sources, regularly updating device software, and being vigilant against unsolicited prompts requesting sensitive information.

Security experts emphasize the importance of implementing robust security measures, including multi-factor authentication and reputable security software, to mitigate the risks posed by such advanced malware threats.