Crocodilus Malware Goes Global With New Crypto, Banking Heist Features
Crocodilus malware, originally limited to Turkey, has now expanded its reach to Europe and South America, targeting crypto and banking customers. Newly discovered campaigns utilize deceptive ads and advanced tactics to steal sensitive information. The malware has enhanced its capabilities, allowing it to harvest seed phrases from wallets and manipulate contact lists, elevating the threat to users globally.
The Crocodilus malware, once a local menace in Turkey, has now spread its wings to Europe and South America, targeting both crypto enthusiasts and banking customers. Detected for the first time in March 2025, early forms of Crocodilus masqueraded as online casino or banking apps to pilfer sensitive login credentials. The recent expansion of its operations now spans countries like Poland, Spain, Argentina, Brazil, Indonesia, India, and even the United States, significantly escalating its threat level.
In a particularly alarming campaign aimed at Polish users, Crocodilus cleverly utilized Facebook Ads to promote fraudulent loyalty apps. In just one to two hours, these ads reached thousands, tricking users into clicking links that led to malicious sites armed with a Crocodilus dropper—one that manages to circumvent the restrictions placed by Android 13 and up.
Once this malware infiltrates a person’s device, it doesn’t stop at mere credential theft; Crocodilus goes further by layering fake login pages over authentic banking and crypto applications. For instance, in Spain, it disguises itself as a browser update while targeting virtually every major bank in the country. What’s more, it can tamper with an infected phone’s contact list by adding numbers labeled as “Bank Support,” creating new avenues for social engineering scams.
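Defenders can hunt for the injected contact entries described above. The following is an added example, not code from the article or from the researchers' report: a small Python checker that parses a vCard export of a device's contact list and flags entries whose display name mimics bank support but whose number is not on a verified allowlist. The sample export, the phone numbers and the allowlist are constructed for the example.

```python
import re

# Constructed sample contact export (vCard 3.0): two ordinary entries and one
# injected "Bank Support" entry of the kind the article describes. Numbers are made up.
SAMPLE_VCF = """BEGIN:VCARD
VERSION:3.0
FN:Alice Example
TEL;TYPE=CELL:+48111222333
END:VCARD
BEGIN:VCARD
VERSION:3.0
FN:Bank Support
TEL:+48999888777
END:VCARD
BEGIN:VCARD
VERSION:3.0
FN:Bob Example
TEL:+48444555666
END:VCARD
"""

# Hypothetical allowlist of verified bank hotlines, taken from the bank's published page, never from the device.
VERIFIED_BANK_NUMBERS = {"+48123456789"}
# Display names that imitate a bank or support line
SUPPORT_PATTERN = re.compile(r"\b(bank|support|helpdesk|hotline)\b", re.IGNORECASE)

def parse_vcf(text):
    """Minimal vCard parser: returns (name, tel) per card, using FN and the first TEL."""
    contacts, name, tel = [], None, None
    for line in text.splitlines():
        key, _, value = line.partition(":")
        if key == "BEGIN":
            name, tel = None, None
        elif key == "FN":
            name = value.strip()
        elif key.startswith("TEL") and tel is None:
            tel = value.strip()
        elif key == "END" and name is not None:
            contacts.append((name, tel or ""))
    return contacts

def flag_suspicious(contacts):
    """Return entries whose name mimics bank support but whose number is not verified."""
    return [(name, tel) for name, tel in contacts
            if SUPPORT_PATTERN.search(name) and tel not in VERIFIED_BANK_NUMBERS]

if __name__ == "__main__":
    for name, tel in flag_suspicious(parse_vcf(SAMPLE_VCF)):
        print(f"suspicious contact: {name!r} -> {tel}")
```

Run against a fresh export after any suspicious app install; a genuine bank line added by the user will only pass if its number is on the allowlist, so keep that list current.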
Another significant upgrade has been Crocodilus’ capability to harvest seed phrases directly from cryptocurrency wallets. This new version efficiently extracts essential data—like seed phrases and private keys—easing the path for attackers aiming for quick account takeovers.
The developers behind Crocodilus are not only enhancing its offensive features but also bolstering its defenses. The latest iterations involve deeper code obfuscation techniques, like packed code mixed with XOR encryption and deliberately complex logic designed to thwart reverse engineering attempts.
But that’s not all. Analysts from the Mobile Threat Intelligence (MTI) team also uncovered smaller campaigns that specifically target cryptocurrency mining apps and digital banks in Europe, cementing Crocodilus’ pivot towards crypto. As the report notes, “Just like its predecessor, the new variant of Crocodilus pays a lot of attention to cryptocurrency wallet apps,” highlighting that the malware is evolving rapidly to incorporate new methods and exploit weaknesses.
And it gets worse. A recent AMLBot report points to a growing accessibility of crypto drainers, a type of malware crafted specifically to snatch cryptocurrency. These drainers are now being sold as a service for as little as 100 to 300 USDT, showing how quickly this underground ecosystem is maturing. Notably, an incident involving the Chinese printer firm Procolored raised eyebrows when it was found distributing Bitcoin-stealing malware via its official drivers, showcasing the insidious nature of current cybersecurity threats.
In summary, Crocodilus malware’s strategic expansion into multiple regions and its enhanced capabilities pose a significant threat to online banking and cryptocurrency. With deceptive tactics and advanced features now targeting consumers worldwide, vigilance is essential. As this malware morphs and spreads, those who engage in online banking or cryptocurrency transactions should remain increasingly cautious. The emergence of so-called “crypto drainers” further complicates this landscape, reinforcing the urgency for robust cybersecurity measures.
Original Source: cointelegraph.com