Crocodilus Android Trojan Adds Crypto Wallet Heist Tools in Global Expansion
Android banking trojan Crocodilus has launched new campaigns targeting crypto users and banking customers across Europe and South America.
First detected in March 2025, early Crocodilus samples were largely limited to Turkey, where the malware posed as online casino apps or spoofed bank apps to steal login credentials.
Recent campaigns show it now hitting targets in Poland, Spain, Argentina, Brazil, Indonesia, India and the US, according to findings from ThreatFabric’s Mobile Threat Intelligence (MTI) team.
A campaign targeting Polish users tapped Facebook Ads to promote fake loyalty apps. Clicking the ad redirected users to malicious sites, delivering a Crocodilus dropper, which bypasses Android 13+ restrictions.
Facebook transparency data revealed that these ads reached thousands of users in just one to two hours, with a focus on audiences over 35.
Related: Microsoft takes legal action against infostealer Lumma
Crocodilus targets banking and crypto apps
Once installed, Crocodilus overlays fake login pages on top of legitimate banking and crypto apps. It masqueraded as a browser update in Spain, targeting nearly all major banks.
Beyond geographic expansion, Crocodilus has added new capabilities. One notable upgrade is the ability to modify infected devices’ contact lists, enabling attackers to insert phone numbers labeled as “Bank Support,” which could be used for social engineering attacks.
Another key enhancement is an automated seed phrase collector aimed at cryptocurrency wallets. The Crocodilus malware can now extract seed phrases and private keys with greater precision, feeding attackers pre-processed data for fast account takeovers.
Meanwhile, developers have strengthened Crocodilus’ defenses through deeper obfuscation. The latest variant features packed code, additional XOR encryption and intentionally convoluted logic to resist reverse engineering.
MTI analysts also observed smaller campaigns targeting cryptocurrency mining apps and European digital banks.
“Just like its predecessor, the new variant of Crocodilus pays a lot of attention to cryptocurrency wallet apps,” the report said. “This variant was equipped with an additional parser, helping to extract seed phrases and private keys of specific wallets.”
Related: COLDRIVER using new malware to steal from Western targets — Google
Crypto drainers sold as malware
In an April 22 report, crypto forensics and compliance firm AMLBot revealed that crypto drainers, malware designed to steal cryptocurrency, have become easier to access as the ecosystem evolves into a software-as-a-service business model.
The report revealed that malware spreaders can rent a drainer for as little as 100-300 USDt (USDT).
On May 19, it was revealed that Chinese printer manufacturer Procolored had distributed Bitcoin-stealing malware alongside its official drivers.
Magazine: Move to Portugal to become a crypto digital nomad — Everybody else is
Bitcoin (BTC) $ 103,368.00
Ethereum (ETH) $ 2,477.35
Tether (USDT) $ 0.999978
XRP (XRP) $ 2.12
BNB (BNB) $ 643.03
Solana (SOL) $ 140.76
USDC (USDC) $ 0.999803
TRON (TRX) $ 0.272777
Dogecoin (DOGE) $ 0.161548
Lido Staked Ether (STETH) $ 2,472.67
Cardano (ADA) $ 0.577262
Wrapped Bitcoin (WBTC) $ 103,349.00
Hyperliquid (HYPE) $ 33.89
Wrapped stETH (WSTETH) $ 2,996.73
Bitcoin Cash (BCH) $ 485.62
Sui (SUI) $ 2.72
Chainlink (LINK) $ 12.72
LEO Token (LEO) $ 8.89
Stellar (XLM) $ 0.243023
Avalanche (AVAX) $ 17.40
Toncoin (TON) $ 2.95
USDS (USDS) $ 0.999818
WhiteBIT Coin (WBT) $ 48.99
Shiba Inu (SHIB) $ 0.000011
WETH (WETH) $ 2,474.39
Wrapped eETH (WEETH) $ 2,653.97
Litecoin (LTC) $ 82.74
Binance Bridged USDT (BNB Smart Chain) (BSC-USD) $ 0.999408
Hedera (HBAR) $ 0.144355
Monero (XMR) $ 307.15
Ethena USDe (USDE) $ 1.00
Polkadot (DOT) $ 3.43
Bitget Token (BGB) $ 4.30
Coinbase Wrapped BTC (CBBTC) $ 103,460.00
Uniswap (UNI) $ 7.39
Pepe (PEPE) $ 0.000010
Pi Network (PI) $ 0.535408
Aave (AAVE) $ 249.78
Dai (DAI) $ 0.999518
Ethena Staked USDe (SUSDE) $ 1.18
OKB (OKB) $ 52.78
Bittensor (TAO) $ 335.77
BlackRock USD Institutional Digital Liquidity Fund (BUIDL) $ 1.00
Cronos (CRO) $ 0.088806
Aptos (APT) $ 4.30
Internet Computer (ICP) $ 4.91
sUSDS (SUSDS) $ 1.06
NEAR Protocol (NEAR) $ 2.08
Jito Staked SOL (JITOSOL) $ 170.95
Ethereum Classic (ETC) $ 16.17
Ondo (ONDO) $ 0.737868
Tokenize Xchange (TKX) $ 28.84
USD1 (USD1) $ 0.999601
Mantle (MNT) $ 0.627430
Gate (GT) $ 16.49
Fasttoken (FTN) $ 4.45
Official Trump (TRUMP) $ 9.22
VeChain (VET) $ 0.021018
Kaspa (KAS) $ 0.067831
Cosmos Hub (ATOM) $ 3.91
Lombard Staked BTC (LBTC) $ 103,494.00
Artificial Superintelligence Alliance (FET) $ 0.648231
Ethena (ENA) $ 0.273239
POL (ex-MATIC) (POL) $ 0.184556
Sky (SKY) $ 0.076268
Render (RENDER) $ 3.01
Filecoin (FIL) $ 2.24
Binance-Peg WETH (WETH) $ 2,475.01
First Digital USD (FDUSD) $ 0.997580
Jupiter Perpetuals Liquidity Provider Token (JLP) $ 4.31
Worldcoin (WLD) $ 0.893770
USDtb (USDTB) $ 0.999740
Arbitrum (ARB) $ 0.291873
Algorand (ALGO) $ 0.164272
Quant (QNT) $ 97.59
USDT0 (USDT0) $ 1.00
KuCoin (KCS) $ 11.02
Binance Staked SOL (BNSOL) $ 150.54
NEXO (NEXO) $ 1.21
Rocket Pool ETH (RETH) $ 2,818.10
Flare (FLR) $ 0.017050
Kelp DAO Restaked ETH (RSETH) $ 2,593.01
Jupiter (JUP) $ 0.380737
Kaia (KAIA) $ 0.190845
Sei (SEI) $ 0.194787
Injective (INJ) $ 10.88
Celestia (TIA) $ 1.56
Bonk (BONK) $ 0.000014
Virtuals Protocol (VIRTUAL) $ 1.57
Polygon Bridged USDT (Polygon) (USDT) $ 0.999816
Binance Bridged USDC (BNB Smart Chain) (USDC) $ 0.999396
SPX6900 (SPX) $ 1.06
XDC Network (XDC) $ 0.058753
Stacks (STX) $ 0.616603
PayPal USD (PYUSD) $ 0.999889
Optimism (OP) $ 0.546024
StakeWise Staked ETH (OSETH) $ 2,610.29
Mantle Staked Ether (METH) $ 2,657.64
Sonic (S) $ 0.282587
Fartcoin (FARTCOIN) $ 0.892357
