
The Crocodilus Android banking Trojan’s latest variants demonstrate increased technical complexity. Recent months have seen Crocodilus embedded in diverse malicious campaigns that now stretch across Poland, Spain, Argentina, Brazil, Indonesia, and the U.S.
First detected in March 2025 by the Mobile Threat Intelligence (MTI) team, Crocodilus has swiftly evolved from running initial test campaigns in Turkey to launching broad-based operations targeting Europe, South America, and beyond, as per a new ThreatFabric report.
Tactics include leveraging malicious social media advertisements, such as Facebook ads mimicking legitimate bank and e-commerce apps, to trick users into downloading Crocodilus droppers.
One notable campaign in Poland targeted Android users over 35, using well-crafted ads shown thousands of times within short periods to deliver the malware.
Crocodilus has undergone a series of technical upgrades, including enhanced obfuscation, contact list manipulation, and seed phrase collection, that make it more adept at evading detection and harvesting sensitive user data.
Developers have implemented advanced code packing, XOR encryption, and convoluted structures to complicate reverse engineering and forensic analysis.
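To make the obfuscation point concrete, the following Python is an added illustration and is not code from the report, from ThreatFabric, or from the malware itself. It shows how single-byte XOR hides strings from a static string search, and how an analyst recovers the key by brute-forcing all 256 candidates against the whole string table with a plausibility score. The key, the sample strings and the scoring heuristic are constructed assumptions for this example; the report does not state that Crocodilus uses this particular scheme.

```python
"""Single-byte XOR string obfuscation and how an analyst undoes it.

Added illustration, not Crocodilus's actual code or scheme: the key, the
sample strings and the scoring heuristic are constructed for this example.
"""
from __future__ import annotations

import string

# Constructed sample: a one-byte key and strings of the kind a banking Trojan
# hides so that a plain `strings` pass over the APK finds nothing useful.
SAMPLE_KEY = 0x5A
SAMPLE_STRINGS = ["accessibility_event_log", "Bank Support", "seed_phrase"]

PRINTABLE = frozenset(string.printable.encode("ascii"))
# Bytes we expect to dominate recovered identifiers and UI strings.
EXPECTED = frozenset((string.ascii_lowercase + string.digits + " _.").encode("ascii"))


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR each byte with one key byte; applying it twice restores the input."""
    return bytes(b ^ key for b in data)


def obfuscate(text: str, key: int) -> bytes:
    """What the packer does: hide a string so it is not visible as plaintext."""
    return xor_bytes(text.encode("utf-8"), key)


def score(candidate: bytes) -> int:
    """Higher is more plausible plaintext: reward expected bytes, punish non-printable."""
    good = sum(b in EXPECTED for b in candidate)
    bad = sum(b not in PRINTABLE for b in candidate)
    return good - 10 * bad


def recover_key(blobs: list[bytes]) -> int | None:
    """Brute-force all 256 keys over every blob at once and keep the best scorer.

    Returns None when no key makes the blobs look like text, i.e. the data is
    not single-byte XOR (or not text) and a different approach is needed.
    """
    total = sum(len(b) for b in blobs)
    best_key, best_score = None, float("-inf")
    for key in range(256):
        s = sum(score(xor_bytes(b, key)) for b in blobs)
        if s > best_score:
            best_key, best_score = key, s
    # Require at least half the bytes to be "expected" text before trusting the key.
    return best_key if best_score >= total / 2 else None


def deobfuscate_all(blobs: list[bytes]) -> list[str]:
    """Recover the key from the whole string table and decode every entry."""
    key = recover_key(blobs)
    if key is None:
        raise ValueError("no single-byte XOR key yields plausible text")
    return [xor_bytes(b, key).decode("utf-8", errors="replace") for b in blobs]


if __name__ == "__main__":
    table = [obfuscate(s, SAMPLE_KEY) for s in SAMPLE_STRINGS]
    print("obfuscated:", [b.hex() for b in table])
    print("recovered key:", hex(recover_key(table)))
    print("strings:", deobfuscate_all(table))
```

Scoring the whole string table with one key, rather than each blob separately, is what makes the recovery robust: short blobs alone often decode to printable text under several keys, but only the real key makes every entry look like an identifier or UI string at once. Real packers layer further tricks (per-string keys, multi-byte keys, decoding at runtime in native code), which is why the report describes the combination as complicating reverse engineering rather than defeating it.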
The Trojan now abuses device privileges to add attacker-controlled contacts to the victim’s phone, often labeled with names like “Bank Support.” This underpins sophisticated social engineering attacks, enabling threat actors to impersonate trusted entities.
With a focus on cryptocurrency theft, Crocodilus uses accessibility logging to extract and preprocess sensitive data—including wallet seed phrases and private keys—from targeted apps, escalating the threat to crypto assets.
Organizations are urged to educate users about the dangers of downloading apps through unofficial channels and to regularly update threat prevention measures to confront this evolving mobile threat landscape.