
The cybercriminal underworld has a new weapon in its arsenal: Crocodilus, an Android banking trojan that’s rapidly evolving into a global threat. First identified in March 2025 by ThreatFabric’s Mobile Threat Intelligence (MTI) team, this malware has grown in both reach and sophistication, threatening banking users across Europe, South America, and beyond.
Originally targeting users in Turkey, Crocodilus has quickly expanded its geographical footprint. According to the report:
“Recent activity reveals multiple campaigns now targeting European countries while continuing Turkish campaigns and expanding globally to South America.”
A striking example of this expansion includes a Facebook ad campaign aimed at Polish users, where the trojan masqueraded as a bonus points app:
“These advertisements were live for just 1–2 hours, but each was shown more than a thousand times. The majority of viewers were over 35, indicating a focus on a solvent audience.”

Once users clicked the ad, they were redirected to a malicious site serving the Crocodilus dropper, which is capable of bypassing the security measures introduced in Android 13 and later.
The latest Crocodilus variant introduces alarming new functionalities:
- Contact List Manipulation: The malware can now add new entries to a victim’s contact list, likely to facilitate social engineering attacks. ThreatFabric explains: “Upon receiving the command ‘TRU9MMRHBCRO’, Crocodilus adds a specified contact to the victim’s contact list… under a convincing name such as ‘Bank Support’.”
- Seed Phrase Stealer: Crocodilus now includes an enhanced parser that targets cryptocurrency wallet apps, extracting seed phrases and private keys. “Threat actors receive high-quality preprocessed data, ready to use in fraudulent operations like Account Takeover,” ThreatFabric warns.
This feature relies on screen scraping through Android’s accessibility services to read what the wallet app displays, then applies regular expressions to pull the seed phrases and keys out of that text automatically.
Crocodilus developers are also stepping up their game to avoid detection and resist reverse engineering. Techniques include:
- Code packing
- XOR encryption of the payload
- “Entangled, convoluted code” structures that complicate analysis
These improvements are designed to delay detection and prolong the lifespan of active campaigns.
With its expanding global reach, refined evasion methods, and cryptocurrency-specific features, Crocodilus represents a new generation of mobile threats. It’s not just banking credentials at risk — it’s the very control over users’ devices and crypto assets.