To target users in Europe and South America, there are a growing number of malicious campaigns leveraging the recently discovered Android Banking Trojan called Crocodilus.
Malware also employs improved obfuscation techniques to prevent analysis and detection, according to a new report published by ThreatFabric, and includes the ability to create new contacts in the victim’s contact list.
“Recent activities have revealed multiple campaigns currently targeting European countries, while continuing their Turkey campaign and expanding globally to South America,” the Dutch security company said.
Crocodilus was first released in March 2025 for targeting Android device users in Spain and Turkey, pose as a legitimate app like Google Chrome. Malware is equipped with the ability to launch an overlay attack to launch an overlay attack on a list of financial apps obtained from external servers.
It can also be used to abuse accessibility services’ authority to capture seed phrases related to cryptocurrency wallets and then to emit stored virtual assets.
The latest findings from ThreatFabric show that the malware’s geographical scope is widened and ongoing development with enhancements and new features, showing that it is actively maintained by operators.
Choice campaigns targeted in Poland have been found to use Facebook fake ads as distribution vectors by mimicking banks and e-commerce platforms. These ads will download apps that invite victims and charge you for the expected bonus points. Users who try to download the app will be directed at malicious sites that provide Crocodilus Dropper.
Other waves of attack targeting Spanish and Turkish users are disguising themselves as web browser updates and online casinos. Argentina, Brazil, India, Indonesia and the US are among the other countries chosen by malware.
In addition to incorporating a variety of obfuscation techniques to complicate reverse engineering efforts, a new variant of Crocodilus allows the specified contact to be added to the victim’s contact list when it receives the commander “Tru9mmrhbcro”.
This feature is designed as a new security measure introduced by Google on Android, and alerts users when launching a bank app during a screen sharing session with unknown contacts.
“We believe it is to add a phone number with a compelling name, such as ‘bank support’, allowing the attacker to call the victim while it appears to be legitimate.
Another new feature is an automated seed phrase collector that uses a parser to extract seed phrases and private keys for a specific cryptocurrency wallet.
“The latest campaign involving Crocodilus Android Banking Trojan shows concern over the evolution of both malware’s technical refinement and its operational scope,” the company said. “In particular, its campaign is no longer confined to regions. Malware expands its scope to new geographical areas, highlighting the transition to truly global threats.”
Source link
