Crocodilus is an Android banking Trojan that is expanding globally and adding attack functions aimed at crypto wallets and banking applications. The main developments are summarised below:
Wider spread: It was first discovered in Turkey in March 2025, when it was mainly disguised as an online casino app or a forged bank app in order to steal login credentials. Recently, ThreatFabric's Mobile Threat Intelligence team found that it has launched attacks in many other countries, including Poland, Spain, Argentina, Brazil, Indonesia, India and the United States. For example, a campaign targeting Polish users used Facebook ads to promote fake loyalty apps; clicking on an ad redirected the user to a malicious website that installed the Crocodilus loader, which can bypass the restrictions introduced in Android 13 and later.
New attack features: First, it can modify the contact list of the infected device. Attackers can insert phone numbers labelled as "bank support" to use in later social engineering. Second, it has an automatic seed phrase collection function that extracts the seed phrases and private keys of cryptocurrency wallets more accurately, giving attackers preprocessed data for quickly taking over accounts.
Technical improvements: The developers have strengthened Crocodilus's defences through deeper obfuscation. The latest variant uses code packing, adds an XOR encryption layer, and relies on deliberately convoluted logic to resist reverse engineering, making the malware harder to analyse.