Crocodilus, the malware that empties banking apps and crypto wallets on Android: how it works and why it is dangerous

Crocodilus is a new banking malware for Android devices that is quickly gaining ground in several countries. The danger does not concern only inexperienced users, and it is becoming one of the most insidious threats to mobile security. It is a sophisticated trojan capable of stealing bank credentials and the seed phrases of cryptocurrency wallets, the sequences of words that grant access to a crypto wallet and whose theft is equivalent to losing the wallet's entire contents. Discovered in March 2025 by the Dutch security company ThreatFabric, Crocodilus was initially observed in action in Spain and Türkiye, but has already extended its presence to Poland, South America, the United States, India and Indonesia. Given its modular architecture and its ability to adapt to new languages and geographical contexts, Italy is a potential imminent target.

How Crocodilus spreads and what it is capable of doing

This trojan spreads mainly through fraudulent ads published on social networks such as Facebook and Instagram. The attackers create advertising campaigns that promote apparently harmless apps: browser updates, online casinos or banking promotions. Clicking on the ad redirects the user to a malicious site that offers the download of an infected APK file. Once the APK is installed, the app requests access to the Android accessibility services. This type of permission, designed to help users with disabilities, can however be used to obtain extended control over the device: the malware can read what appears on the screen, simulate taps and keystrokes, start remote sessions and overlay fake screens on top of those of legitimate apps.

The most common Crocodilus attack mechanism relies on these overlays: fake screens that imitate those of banking or fund-management apps. In this way the victims unknowingly type their credentials into an interface controlled by the cybercriminals. To these techniques is added another very particular function: the ability to add new contacts to the infected smartphone's address book. In response to a specific command sent by the command-and-control server, Crocodilus can create a contact with a credible name, for example "Bank Assistance", associated with a number controlled by the attackers. This stratagem was probably designed to circumvent the new Android protections that flag suspicious behaviour during screen-sharing sessions with unknown contacts.

Another advanced component of the malware is the so-called Seed Phrase Collector, an automatic system that uses a parser (a software component that extracts structured data) to identify and store the recovery phrases of cryptocurrency wallets. This function allows the Crocodilus operators to take direct possession of the funds in the victim's wallet, for example Bitcoin or Ethereum.

According to ThreatFabric, Crocodilus is not a simple static malware, but a project in constant evolution. In the report drawn up by the security researchers we read:

The latest campaigns involving the Android banking trojan Crocodilus reveal a worrying evolution both in the technical sophistication of the malware and in its operational scope. Thanks to the new additional features, Crocodilus is now more skilled at collecting sensitive information and evading detection. In particular, its campaigns are no longer limited to a regional level; the malware has extended its reach to new geographical areas, underlining its transition towards a truly global threat.

Despite the complexity of the malware, Google reassured The Hacker News that at the moment "no app containing this malware is available on Google Play (Store)". In any case, Android devices equipped with Google Play Services enable Play Protect by default, a technology that verifies the safety of installed apps, even those that come from external sources. Since Play Protect cannot guarantee total protection when the user manually downloads an APK from an unknown site, it is precisely in this scenario that the Crocodilus threat is placed.

How to defend yourself from the Crocodilus malware

To defend yourself from the Crocodilus threat it is important to maintain a conscious approach. Concretely, this means downloading apps only from official sources such as the Google Play Store. You should also avoid granting accessibility permissions if they are not strictly necessary, always check the authenticity of promotions seen online, and equip your mobile devices with reliable antivirus software. Finally, update the operating system and the installed apps regularly to reduce exposure to vulnerabilities.
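The infection chain described above leaves two signals that a defender can check on a device: an app that has been granted accessibility-service access, and an app that was installed from outside the Play Store (a sideloaded APK). The script below is an added, defender-side example and is not code from the original article or from ThreatFabric's research. It reads the output of two adb commands (`settings get secure enabled_accessibility_services` and `pm list packages -i -3`) and flags entries that are not on an allowlist. The allowlist, the sample command output and every package name in it are constructed assumptions; adb is assumed to be on PATH only when auditing a real device.

```python
"""Audit an Android device for accessibility-service grants and sideloaded apps.

Added defender-side example, not part of the original article. The parsing
functions take raw adb output as strings so they can be exercised offline;
audit_device() runs the real commands and assumes `adb` is on PATH.
"""
import shutil
import subprocess
from typing import Dict, List, Optional

# Assumption: accessibility services a defender has reviewed and accepts.
# Adjust to the environment; anything outside this set is reported.
KNOWN_ACCESSIBILITY_SERVICES = {
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService",
}

# Installer package of the official store; other installers (or none) mean
# the app arrived outside the Play Store.
TRUSTED_INSTALLERS = {"com.android.vending"}


def parse_enabled_accessibility_services(raw: str) -> List[str]:
    """Parse the secure setting `enabled_accessibility_services`.

    The value is a colon-separated list of `package/ServiceClass` entries;
    `adb shell settings get secure ...` prints the literal `null` when unset.
    """
    raw = raw.strip()
    if not raw or raw == "null":
        return []
    return [entry for entry in raw.split(":") if entry]


def unknown_accessibility_services(raw: str) -> List[str]:
    """Enabled accessibility services that are not on the allowlist."""
    return [s for s in parse_enabled_accessibility_services(raw)
            if s not in KNOWN_ACCESSIBILITY_SERVICES]


def parse_packages_with_installer(raw: str) -> Dict[str, Optional[str]]:
    """Parse `pm list packages -i` output into {package: installer}.

    Each line looks like `package:com.example.app  installer=com.android.vending`;
    an app installed by hand from an APK shows `installer=null`.
    """
    result: Dict[str, Optional[str]] = {}
    for line in raw.splitlines():
        line = line.strip()
        if not line.startswith("package:"):
            continue
        body = line[len("package:"):]
        name, _, rest = body.partition(" ")
        installer: Optional[str] = None
        rest = rest.strip()
        if rest.startswith("installer="):
            value = rest[len("installer="):].strip()
            installer = None if value == "null" else value
        result[name] = installer
    return result


def sideloaded_packages(raw: str) -> List[str]:
    """Third-party packages whose installer is not a trusted store."""
    return sorted(pkg for pkg, inst in parse_packages_with_installer(raw).items()
                  if inst not in TRUSTED_INSTALLERS)


def audit_device() -> Dict[str, List[str]]:
    """Run both checks against the device attached via adb (assumes adb on PATH)."""
    if shutil.which("adb") is None:
        raise RuntimeError("adb not found on PATH")
    a11y = subprocess.run(
        ["adb", "shell", "settings", "get", "secure", "enabled_accessibility_services"],
        capture_output=True, text=True, check=True).stdout
    # -3 restricts the listing to third-party apps, so system apps (which
    # legitimately report installer=null) are not flagged.
    pkgs = subprocess.run(
        ["adb", "shell", "pm", "list", "packages", "-i", "-3"],
        capture_output=True, text=True, check=True).stdout
    return {
        "unknown_accessibility_services": unknown_accessibility_services(a11y),
        "sideloaded_packages": sideloaded_packages(pkgs),
    }


# Constructed sample output (not captured from a real infection) for offline use.
SAMPLE_A11Y = (
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:"
    "com.example.fakeupdate/com.example.fakeupdate.HelperService"
)
SAMPLE_PKGS = """package:com.example.fakeupdate  installer=null
package:com.bank.app  installer=com.android.vending
package:com.example.casino  installer=com.example.browser
"""

if __name__ == "__main__":
    print("unknown accessibility services:", unknown_accessibility_services(SAMPLE_A11Y))
    print("sideloaded packages:", sideloaded_packages(SAMPLE_PKGS))
```

On the constructed sample the script reports one accessibility service outside the allowlist and two packages that did not come from the Play Store; on a real device the same two lists are the first things to review after a user reports having installed a "browser update" from an ad.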