A sophisticated new Android banking Trojan, dubbed Crocodilus, has emerged on the global threat landscape, rapidly evolving its features and evasion techniques as it sweeps across Europe, South America, and beyond.
Initially spotted by Mobile Threat Intelligence (MTI) researchers in March 2025, Crocodilus has already unleashed a series of technically advanced campaigns targeting financial and cryptocurrency assets while gaining nearly unrestricted control over infected devices.
The first Crocodilus samples surfaced in Turkish financial apps, but recent campaigns reveal an aggressive expansion. The Trojan is now targeting users in Poland, Spain, and countries in South America, with smaller campaigns spotted in Argentina, Brazil, the US, Indonesia, and India.
One of the most notable distribution techniques leverages malicious advertisements on social networks, including Facebook Ads.
These ads, often mimicking legitimate banking or e-commerce applications, lure victims with promises of bonus points or rewards, then redirect them to sites hosting the Crocodilus dropper.
The dropper is engineered to bypass Android 13+ security restrictions, ensuring successful installation even on the latest devices.
According to Facebook’s ad transparency reports, each malicious ad was displayed over a thousand times in just a couple of hours, primarily to users over the age of 35—a demographic perceived as more financially solvent.
What sets Crocodilus apart is its relentless innovation in both its delivery mechanisms and internal architecture. Recent variants feature improved code obfuscation, including:
Here is a simplified pseudocode illustrating the XOR payload decryption technique:

```python
def xor_decrypt(data, key):
    # Single-byte XOR: the same key byte is applied to every byte of the blob
    return bytes([b ^ key for b in data])

# Example usage with encrypted_payload and key
# (encrypted_payload is a constructed sample here, not bytes from a real sample)
encrypted_payload = bytes([0x3E, 0x3F, 0x22, 0x50])
decrypted_payload = xor_decrypt(encrypted_payload, 0x5A)
```
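The snippet above assumes the key is known. When triaging a dropper, an analyst usually has only the obfuscated blob, so the following added example (not code from the article or from the malware itself) tries all 256 single-byte keys and scores each candidate plaintext by a DEX/ZIP magic prefix or by its printable-byte ratio; the sample blob and the scoring thresholds are constructed assumptions.

```python
# Added example: single-byte XOR key recovery for payload triage.
# Candidate plaintexts are scored by (a) a known DEX/APK magic prefix and
# (b) the share of printable/whitespace bytes; the magic check breaks ties
# that the printable heuristic alone cannot resolve.

DEX_MAGIC = b"dex\n"       # first bytes of a Dalvik .dex file
ZIP_MAGIC = b"PK\x03\x04"  # APK/JAR container


def xor_decrypt(data: bytes, key: int) -> bytes:
    """Undo a single-byte XOR (same operation the article's snippet shows)."""
    return bytes(b ^ key for b in data)


def score_plaintext(candidate: bytes) -> float:
    """Higher is more plausible: 2.0 for a recognised magic, else printable ratio."""
    if candidate.startswith(DEX_MAGIC) or candidate.startswith(ZIP_MAGIC):
        return 2.0
    if not candidate:
        return 0.0
    printable = sum(1 for b in candidate if 32 <= b < 127 or b in b"\r\n\t")
    return printable / len(candidate)


def recover_xor_key(blob: bytes):
    """Return (key, score) of the best-scoring single-byte key for blob."""
    best_key, best_score = None, -1.0
    for key in range(256):
        s = score_plaintext(xor_decrypt(blob, key))
        if s > best_score:
            best_key, best_score = key, s
    return best_key, best_score


# Constructed sample: a DEX-like header obfuscated with key 0x5A
# (no bytes from any real malware sample).
SAMPLE_PLAIN = b"dex\n035\x00" + b"A" * 24
SAMPLE_BLOB = xor_decrypt(SAMPLE_PLAIN, 0x5A)

if __name__ == "__main__":
    key, score = recover_xor_key(SAMPLE_BLOB)
    print(f"recovered key=0x{key:02x} score={score}")
```

Without a magic prefix, several keys can reach the same printable ratio, so treat a text-only score as a shortlist rather than a verdict.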
Crocodilus has introduced multiple features granting attackers unprecedented control over compromised devices:
"TRU9MMRHBCRO", the malware can add new contacts to the victim’s device—often under names like “Bank Support.” This enables convincing social engineering calls that bypass fraud detection measures.

```python
import re

# Illustrative text of the kind a wallet app shows on screen (placeholder, not a real phrase)
wallet_display = "Your recovery phrase: word1 word2 ... word12"
seed_re = re.compile(r'recovery phrase: ([a-z ]+)')
match = seed_re.search(wallet_display)
if match:
    seed_phrase = match.group(1)
```
This client-side extraction delivers high-quality, preprocessed data to cybercriminals, supporting rapid account takeover and theft of crypto assets.
Crocodilus represents a major leap in Android banking malware, fusing advanced obfuscation, global malvertising, and powerful device control features.
Its capacity not only to steal credentials but also to manipulate device contacts, potentially for follow-up voice phishing, marks a troubling evolution.
Security teams and everyday users are urged to remain vigilant: only install apps from trusted sources, scrutinize permissions, and update device software regularly to mitigate the mounting risks posed by Crocodilus and its future variants.