A growing number of malicious campaigns have leveraged a recently discovered Android banking trojan called Crocodilus to target users in Europe and South America.
The malware, according to a new report published by ThreatFabric, has also adopted improved obfuscation techniques to hinder analysis and detection, and includes the ability to create new contacts in the victim’s contacts list.
“Recent activity reveals multiple campaigns now targeting European countries while continuing Turkish campaigns and expanding globally to South America,” the Dutch security company said.
Crocodilus was first publicly documented in March 2025 as targeting Android device users in Spain and Turkey by masquerading as legitimate apps like Google Chrome. The malware comes fitted with capabilities to launch overlay attacks against a list of financial apps retrieved from an external server to harvest credentials.
It also abuses accessibility services permissions to capture seed phrases associated with cryptocurrency wallets, which can then be used to drain virtual assets stored in them.
The latest findings from ThreatFabric demonstrate an expansion of the malware’s geographic scope as well as ongoing development with enhancements and new features, indicating that it’s being actively maintained by the operators.
Select campaigns aimed at Poland have been found to leverage bogus ads on Facebook as a distribution vector by mimicking banks and e-commerce platforms. These ads lure victims to download an app to claim supposed bonus points. Users who attempt to download the app are directed to a malicious site that delivers the Crocodilus dropper.
Other attack waves targeting Spanish and Turkish users have disguised themselves as a web browser update and an online casino. Argentina, Brazil, India, Indonesia, and the United States are among the other nations that have been singled out by the malware.
In addition to incorporating various obfuscation techniques to complicate reverse engineering efforts, new variants of Crocodilus have the ability to add a specified contact to the victim’s contact list upon receiving the command “TRU9MMRHBCRO.”
It’s suspected that the feature is designed as a countermeasure to new security protections that Google has introduced in Android that alerts users of possible scams when launching banking apps during a screen-sharing session with an unknown contact.
“We believe the intent is to add a phone number under a convincing name such as ‘Bank Support,’ allowing the attacker to call the victim while appearing legitimate. This could also bypass fraud prevention measures that flag unknown numbers,” ThreatFabric said.
Another new feature is an automated seed phrase collector that makes use of a parser to extract seed phrases and private keys of specific cryptocurrency wallets.
“The latest campaigns involving the Crocodilus Android banking Trojan signal a concerning evolution in both the malware’s technical sophistication and its operational scope,” the company said. “Notably, its campaigns are no longer regionally confined; the malware has extended its reach to new geographical areas, underscoring its transition into a truly global threat.”
Update
Following the publication of the story, a Google spokesperson shared the below statement with The Hacker News –
Based on our current detection, no apps containing this malware are found on Google Play. Android users are automatically protected by Google Play Protect, which is on by default on Android devices with Google Play Services. Google Play Protect can warn users or block apps known to exhibit malicious behavior, even when those apps come from sources outside of Play.
(The story was updated after publication to include a response from Google.)
