Crocodilus Malware Expands Globally, Targets Banking and Crypto Apps with Advanced Capabilities

Crocodilus malware, a sophisticated banking trojan, has expanded its reach globally, targeting crypto wallets and banking applications across Europe and South America. Initially detected in Turkey in March 2025, the malware has since spread to Poland, Spain, Argentina, Brazil, Indonesia, India, and the US. Recent campaigns have leveraged Facebook Ads to promote fake loyalty apps; users are redirected to malicious sites and served the Crocodilus dropper, which bypasses Android 13+ restrictions.
Once installed, Crocodilus overlays fake login pages on top of legitimate banking and crypto apps. In Spain, it masquerades as a browser update, targeting nearly all major banks. The malware has also added new capabilities, including the ability to modify infected devices’ contact lists to insert phone numbers labeled as “Bank Support,” which can be used for social engineering attacks. Additionally, Crocodilus now features an automated seed phrase collector, enabling it to extract seed phrases and private keys with greater precision, facilitating fast account takeovers.
The latest variant of Crocodilus employs deeper obfuscation techniques, such as packed code, additional XOR encryption, and convoluted logic to resist reverse engineering. Security experts have observed smaller campaigns targeting cryptocurrency mining apps and European digital banks, highlighting the malware’s growing focus on crypto assets. The report notes that the new variant is equipped with an additional parser to extract seed phrases and private keys from specific wallets.
The global spread of Crocodilus underscores the growing sophistication of cyber threats. The malware’s ability to adapt and target new financial technologies highlights the need for robust security measures and user education. Users are advised to remain vigilant and employ strong security practices, such as using two-factor authentication and keeping software up to date. The expansion of Crocodilus into new regions and its ability to target both traditional banking and crypto assets represent a significant threat to financial security.
In response to the growing threat, security firms are working to develop new defenses and educate users about the risks. The spread of Crocodilus serves as a reminder of the ongoing need for vigilance and the importance of staying informed about the latest cyber threats. As the malware continues to evolve, it poses a serious challenge to both individuals and financial institutions, emphasizing the need for proactive measures to protect users and maintain the integrity of financial systems.
