The Android Banking Trojan Crocodilus has launched recent campaigns for crypto users and bank customers in Europe and South America.
The early crocodilus samples, which were first present in March 2025, were largely limited to Turkey, where the malware as a web based casino apps or fake bank apps was equipped to steal login information.
The recent campaigns show that it’s now being hit in Poland, Spain, Argentina, Brazil, Indonesia, India and the USA, in accordance with the outcomes of the MTI team (Mobile Threat Intelligence) from Threatfabric.
A campaign aimed toward Polish users has displayed Facebook ads to advertise fake loyalty apps. By clicking on the AD, users were redirected to malicious web sites and deliver a crocodilus drop that deals with Android 13+ restrictions.
Facebook transparency data showed that these ads reached hundreds of users in only one to 2 hours, with the deal with the audience above 35.
Crocodilus malware becomes global. Source: Threatfabric
Crocodilus is aimed toward banking and crypto apps
After installation, Crocodilus overlaps fake registration pages via legitimate banking and crypto apps. It was camouflaged as a browser update in Spain and aimed toward just about all large banks.
In addition to geographical expansion, crocodilus has added recent skills. A remarkable upgrade is the potential for changing the contact lists of infected devices in order that attackers can insert telephone numbers which can be called “bank support” and used for social engineering attacks.
Another essential improvement is an automatic seed phrase collector that goals at cryptocurrency pockets. The crocodilus malware can now extract seed phrases and personal keys with larger precision, whereby the attackers feed pre-processed data for quick account transfer.
In the meantime, developers have strengthened the crocodilus defenses by deeper veiling. The latest variants of packed code, additional XOR encryption and deliberately confused logic to withstand reverse engineering.
MTI analysts also observed smaller campaigns that were directed with apps for cryptocurrency reduction and European digital banks.
“Just like its predecessor, the brand new variant of Crocodilus gives the cryptocurrency letter bags loads of attention,” the report says. “This variant was equipped with a further parser that contributed to extracting seed phrases and personal keys to certain wallets.”
Krypto drainer sold as malware
In a report dated April twenty second, Amlbot revealed that Crypto Forensics and Compliance company, that crypto drainer, malware that’s speculated to steal cryptocurrency, is more easily accessible since the ecosystem develops right into a business model from software AA service.
The report showed that Malware Spreaders can rent a drain for under 100-300 USDT (USDT).
On May 19, it became known that the Chinese printer manufacturer Procolored had distributed Bitcoin stealing malware alongside its official drivers.
