Analysis Summary

Security Researchers recently discovered Android banking trojan known as Crocodilus is being increasingly used in malicious campaigns targeting users in Europe and South America, with growing technical sophistication and geographic spread. Initially identified in March 2025, the malware impersonates legitimate apps such as Google Chrome to infect Android devices, particularly in Spain and Turkey.

Crocodilus uses overlay attacks to steal credentials from financial apps and abuses Android accessibility services to capture cryptocurrency seed phrases, enabling attackers to drain victims’ crypto wallets. New campaigns have expanded into countries like Poland, Argentina, Brazil, India, Indonesia, and the U.S. In Poland, attackers use Facebook ads mimicking banks and e-commerce platforms to lure users into downloading fake apps. Other tactics involve fake browser updates and online casino apps.

The malware’s evolution includes advanced obfuscation techniques to resist detection and analysis. A notable new feature allows Crocodilus to add contacts to the victim’s contact list upon receiving a command ("TRU9MMRHBCRO"). This function is likely designed to bypass Google’s security alerts for banking apps during screen sharing, letting attackers pose as legitimate contacts like “Bank Support.”

Additionally, Crocodilus has integrated an automated parser to extract seed phrases and private keys from crypto wallets, improving its effectiveness at stealing virtual assets.

Security researchers emphasize that Crocodilus is actively maintained and upgraded, with recent updates showcasing a shift from regional to global targeting. The malware’s continuous enhancement and expanding scope mark it as a significant and evolving threat in the mobile malware landscape.

Impact

• Credential Theft
• Data Exfiltration
• Unauthorized Access

Indicators of Compromise

SHA1

• f425a592df7fe61a03673a48fda56e55f9d6165c
• 45e469adbf6ec8a442ab53a5f6cb89e6d1b2009a

Remediation

• Block all threat indicators at your respective controls.
• Search for indicators of compromise (IOCs) in your environment utilizing your respective security controls.
• Avoid downloading apps from unofficial sources or third-party websites.
• Only install apps from trusted sources like the Google Play Store.
• Regularly update your Android device and installed apps to patch security vulnerabilities.
• Disable Android accessibility services for apps that do not require them.
• Refrain from clicking on suspicious ads or links, especially on social media platforms like Facebook.
• Use reputable mobile security solutions to detect and block malware.
• Review app permissions carefully before installation or updates.
• Enable Google Play Protect and ensure it's actively scanning your device.
• Be cautious of unsolicited contacts labeled as support or banking personnel.
• Back up your crypto wallets securely and use hardware wallets when possible.
• Monitor bank and crypto accounts for unusual activity and report suspicious transactions immediately.
• Educate users and employees about phishing tactics and mobile malware risks.