Crocodilus Android Trojan Adds Crypto Wallet Heist Tools in Global Expansion

Android banking trojan Crocodilus has launched new campaigns targeting crypto users and banking customers across Europe and South America.
First detected in March 2025, early Crocodilus samples were largely limited to Turkey, where the malware posed as online casino apps or spoofed bank apps to steal login credentials.
Recent campaigns show it now hitting targets in Poland, Spain, Argentina, Brazil, Indonesia, India and the US, according to findings from ThreatFabric’s Mobile Threat Intelligence (MTI) team.
A campaign targeting Polish users tapped Facebook Ads to promote fake loyalty apps. Clicking the ad redirected users to malicious sites, delivering a Crocodilus dropper, which bypasses Android 13+ restrictions.
Facebook transparency data revealed that these ads reached thousands of users in just one to two hours, with a focus on audiences over 35.
Crocodilus targets banking and crypto apps
Once installed, Crocodilus overlays fake login pages on top of legitimate banking and crypto apps. In Spain, it masqueraded as a browser update and targeted nearly all major banks.
Beyond geographic expansion, Crocodilus has added new capabilities. One notable upgrade is the ability to modify infected devices’ contact lists, enabling attackers to insert phone numbers labeled as “Bank Support,” which could be used for social engineering attacks.
Another key enhancement is an automated seed phrase collector aimed at cryptocurrency wallets. The Crocodilus malware can now extract seed phrases and private keys with greater precision, feeding attackers pre-processed data for fast account takeovers.
Meanwhile, developers have strengthened Crocodilus’ defenses through deeper obfuscation. The latest variant features packed code, additional XOR encryption and intentionally convoluted logic to resist reverse engineering.
MTI analysts also observed smaller campaigns targeting cryptocurrency mining apps and European digital banks.
“Just like its predecessor, the new variant of Crocodilus pays a lot of attention to cryptocurrency wallet apps,” the report said. “This variant was equipped with an additional parser, helping to extract seed phrases and private keys of specific wallets.”
Crypto drainers sold as malware
In an April 22 report, crypto forensics and compliance firm AMLBot revealed that crypto drainers, malware designed to steal cryptocurrency, have become easier to access as the ecosystem evolves into a software-as-a-service business model.
The report revealed that malware spreaders can rent a drainer for as little as 100-300 USDt (USDT).
On May 19, it was revealed that Chinese printer manufacturer Procolored had distributed Bitcoin-stealing malware alongside its official drivers.