
Crocodilus: Android Prey hunting

  • Javier Conejo del Cerro
  • 5 Jun
  • 3 min read



A new predator is prowling the global Android ecosystem—and it doesn’t stop at borders. First spotted lurking in Spain and Turkey, the Android banking trojan known as Crocodilus has now extended its reach to Argentina, Brazil, India, Indonesia, Poland, and the United States. Distributed via phishing links, fake Chrome updates, online casino apps, and social media ads posing as banks or rewards programs, Crocodilus silently hunts its prey: mobile banking and crypto users.

Behind its deceptive appearance lies a potent arsenal. Crocodilus abuses Android’s accessibility services to launch overlay attacks on targeted apps and extract login credentials, two-factor authentication codes, and even seed phrases from cryptocurrency wallets. It constantly evolves, adopting new obfuscation techniques to evade detection and making reverse engineering a painful challenge. This is not an opportunistic parasite—it’s a persistent, highly adaptive threat.


Who gets attacked


The primary victims of Crocodilus are Android users who sideload apps outside of official stores, especially via malicious Facebook ads, phishing links, and fraudulent update prompts. The threat actors behind these campaigns exploit users’ trust in brand familiarity—disguising malware as Google Chrome updates, bank apps, or casino platforms—to trick users into downloading malicious payloads.

Once installed, the malware capitalizes on how deeply entwined financial operations have become with smartphones. Targets often use their phones for banking, crypto transactions, and communication with support teams, which makes them especially vulnerable to overlay attacks and social engineering. In some regions like Poland and Turkey, campaigns have been observed using fake reward offers or loyalty apps to lure users, while in others, the disguise has shifted to browser updates and gambling apps. Across the board, the victims tend to be digitally active, mobile-centric, and susceptible to app-based trust cues.


From “Support Agent” to Predator


Crocodilus employs multiple entry vectors depending on the campaign. In several cases, Facebook ads redirect users to malicious websites masquerading as legitimate institutions or platforms. These sites serve a dropper disguised as a reward or utility app, which installs the payload upon launch. The dropper quickly requests accessibility permissions—once granted, it gains the power to manipulate screen content, monitor inputs, and display fake login pages over real ones.

But Crocodilus has evolved beyond classic credential theft. New variants now include a command-triggered feature that adds fake contacts—such as “Bank Support”—to the victim’s contact list. This enables attackers to bypass Android’s new anti-scam protections, which flag screen-sharing sessions with unknown numbers. By posing as trusted support agents, attackers can socially engineer victims into disclosing sensitive information during phone calls.

Additionally, the malware includes an automated seed phrase parser, designed to extract wallet credentials on the fly. With one well-crafted campaign, attackers can drain banking accounts, loot cryptocurrency wallets, and manipulate victims via voice calls, all from a single mobile foothold.


See you later, alligator


The expansion of Crocodilus signals a shift from regional nuisance to global cyberthreat. Its evolving capabilities and persistent targeting of financial ecosystems make it a significant danger to both individual users and financial platforms. Organizations operating in crypto or fintech environments must:



  • Block sideloading to prevent installation of apps from outside trusted stores.


  • Flag and report fake ads, especially on platforms like Facebook.


  • Train users to recognize app-based scams, phishing links, and deceptive promotions.


  • Deploy mobile threat defense (MTD) to detect overlay attacks and accessibility abuse.


  • Limit app permissions, especially those related to accessibility services.


  • Monitor for unverified or newly added contacts, particularly in financial and crypto environments.
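As an added defender-side check, not code from the original post or from any Crocodilus research, the following Python script audits an Android device over adb for two of the signals in the list above: accessibility services granted to packages outside an allowlist, and third-party packages that were not installed from the Play Store. It assumes the output formats of `settings get secure enabled_accessibility_services` (colon-separated `package/Service` entries, or `null`) and `pm list packages -3 -i` (`package:<pkg>  installer=<pkg|null>`); the allowlist and the embedded sample outputs are constructed for illustration.

```python
"""Audit accessibility grants and sideloaded packages from adb output."""
import subprocess

PLAY_STORE = "com.android.vending"
# Constructed allowlist: packages legitimately granted accessibility access.
ACCESSIBILITY_ALLOWLIST = {"com.google.android.marvin.talkback"}


def adb_shell(*args):
    """Run an `adb shell` command and return its stdout (requires a connected device)."""
    return subprocess.run(["adb", "shell", *args], capture_output=True, text=True, check=True).stdout


def parse_accessibility_services(raw):
    """Return the package names with an enabled accessibility service."""
    raw = raw.strip()
    if raw in ("", "null"):
        return []
    return [entry.split("/")[0] for entry in raw.split(":") if entry]


def parse_installers(raw):
    """Map each third-party package to its installer package (None when sideloaded)."""
    installers = {}
    for line in raw.splitlines():
        line = line.strip()
        if not line.startswith("package:"):
            continue
        pkg, _, rest = line[len("package:"):].partition(" ")
        installer = rest.strip().split("=", 1)[-1] if "installer=" in rest else "null"
        installers[pkg] = None if installer == "null" else installer
    return installers


def audit(accessibility_raw, installers_raw, allowlist=ACCESSIBILITY_ALLOWLIST):
    """Return (finding, package) tuples: unexpected accessibility grants and sideloaded apps."""
    findings = []
    for pkg in parse_accessibility_services(accessibility_raw):
        if pkg not in allowlist:  # overlay/keylogging abuse needs this permission
            findings.append(("accessibility_not_allowlisted", pkg))
    for pkg, installer in parse_installers(installers_raw).items():
        if installer != PLAY_STORE:  # dropper-delivered apps arrive outside the store
            findings.append(("sideloaded", pkg))
    return findings


# Constructed sample output, shaped like a device with one suspicious "rewards" app.
SAMPLE_ACCESSIBILITY = ("com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService"
                        ":com.example.rewards/com.example.rewards.AccService")
SAMPLE_INSTALLERS = """package:com.google.android.marvin.talkback  installer=com.android.vending
package:com.example.rewards  installer=null
package:com.bank.app  installer=com.android.vending
"""

if __name__ == "__main__":
    # Live run against a connected device; swap in the SAMPLE_* strings to try it offline.
    for finding, pkg in audit(adb_shell("settings", "get", "secure", "enabled_accessibility_services"),
                              adb_shell("pm", "list", "packages", "-3", "-i")):
        print(f"{finding}: {pkg}")
```

Running it against the constructed samples flags `com.example.rewards` twice: once for holding an accessibility grant it is not expected to have, and once for having no store installer.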


