Crocodilus Malware Expands: New Threat for Crypto and Banking Users Worldwide
A new and evolving mobile banking trojan called Crocodilus is beginning to step outside of its home country. It is now launching a massive cyberattack against banking and crypto users in Europe, South America, and parts of Asia. Security researchers have labeled this malware as a growing threat. It uses new techniques, targets and other features.
First appearing in March 2025, it was found in Turkey and disguised as fake online casino and bank apps. According to ThreatFabric’s Mobile Threat Intelligence (MTI) team, the virus has since expanded to new countries including Poland, Spain, Argentina, Brazil, Indonesia, India, and the United States, with new campaigns.
Malicious Facebook Ads Fuel Global Spread
Malware has been found using Facebook Ads for promoting fake apps, which is concerning. Cybercriminals in Poland ran ads that promised a loyalty bonus. This was followed by a download link for a fake app. When the ads were clicked, users were taken to a page with malware that deployed a Crocodilus dropper, a stealth installer that can bypass the protections of Android 13 and above.
In just an hour or two, these advertisements were running and reached thousands of users. It stated that the ads targeted users aged 35 years and over.
The Harmful Features of This Phishing Site
Once installed on a device, Crocodilus can display a false login screen in front of any real bank or crypto app, sacrificing the credentials of the victim. In Spain, the malware posed as a browser update and attacked almost all big banks.
But Crocodilus isn’t stopping at credentials. The Trojan comes with new features, including:
- Attackers use special programs called “seed phrase extractors” or “private key extractors” to steal recovery phrases from cryptocurrency wallets.
- Contact List Manipulation: It adds fake entries like “Bank Support” to victims’ contact lists, laying the groundwork for social engineering scams.
- The latest editions utilize encrypted code and unconventional logic patterns, which help prevent detection and hamper reverse engineering.
Crypto Users at High Risk
Crocodilus still targets crypto wallets, as stated by MTI researchers. The malware is now more capable of stealing wallet info, draining cash, and automating account takeovers. There are smaller campaigns targeting crypto mining apps and fintech platforms in Europe, which further expand the attack surface.
Rise of Malware-as-a-Service
Experts warn that this threat is not isolated. According to AMLBot, crypto drainers—malware for draining crypto—are now easily available on MaaS (Malware-as-a-Service) platforms. For as little as $100 to $300 a month, attackers can rent tools. A move that empowers low-level hackers to pull off damaging campaigns.
In one shocking incident, a Chinese hardware maker was found to have distributed malware capable of stealing Bitcoin bundled with bona fide printer drivers.
Conclusion
The Crocodilus malware is changing rapidly and spreading across the globe at an alarming speed through its advanced social engineering and malware techniques. The fact that it targets banking and crypto users makes it especially dangerous for users globally as cybercriminals keep polishing up and commercializing the malware.
You need to always be up-to-date, browse safely and use trusted security software to have a strong defense.
