Crocodilus Android Trojan adds cryptocurrency wallet seizure tools in global expansion


The Android banking Trojan Crocodilus has launched fresh campaigns targeting cryptocurrency users and bank customers in Europe and South America.

First detected in March 2025, early Crocodilus samples were largely confined to Turkey, where the malware posed as online casino apps or fake banking apps to steal login credentials.

Recent campaigns show it is now targeting users in Poland, Spain, Argentina, Brazil, Indonesia, India and the United States, according to findings from ThreatFabric's Mobile Threat Intelligence (MTI) team.

The campaign targeting Polish users relied on Facebook ads promoting fraudulent loyalty apps. Clicking the ad redirected users to malicious sites that delivered a Crocodilus dropper capable of bypassing the Android 13+ restrictions on sideloaded apps.

Facebook's ad transparency data revealed that these ads reached thousands of users in just one to two hours, with the targeting focused on recipients over 35.

Crocodilus malware is going global. Source: ThreatFabric


Crocodilus targets banking and cryptocurrency apps

Once installed, Crocodilus overlays fake login pages on legitimate banking and cryptocurrency apps. In Spain, it posed as a browser update and targeted nearly all of the country's major banks.

Beyond the geographic expansion, Crocodilus has gained new capabilities. One notable update is the ability to modify the contact list of an infected device, letting the attacker insert phone numbers labeled as "bank support" that can later be used in social engineering attacks.

Another key enhancement is an automated seed phrase collector aimed at cryptocurrency wallets. Crocodilus can now extract seed phrases and private keys with greater precision, feeding attackers pre-processed data for rapid account takeovers.

Meanwhile, the developers have strengthened Crocodilus's defenses with deeper obfuscation. The latest variant features packed code, additional XOR encryption and deliberately convoluted logic to resist reverse engineering.

MTI analysts also observed smaller campaigns targeting cryptocurrency mining apps and European digital banks.

"Like its predecessor, the new Crocodilus variant pays a lot of attention to cryptocurrency wallet applications," the report said. "This variant has been equipped with an additional parser, helping to extract seed phrases and private keys of specific wallets."

Source: ThreatFabric


Crypto drainers sold as malware

In an April 22 report, crypto forensics and compliance firm AMLBot revealed that crypto drainers, malware designed to steal cryptocurrency, have become easier to obtain as the ecosystem shifts toward a software-as-a-service business model.

The report found that malware spreaders can rent a drainer for as little as 100-300 USDT.

On May 19, it was revealed that Chinese printer manufacturer Procolored had been distributing Bitcoin-stealing malware bundled with its official drivers.
