Crocodilus Malware Expands Globally, Targeting Android Crypto and Banking Apps with Advanced Credential Theft
The Crocodilus malware, first identified in Turkey in March, has evolved into a significant global threat targeting both banking apps and cryptocurrency wallets on Android devices. Originally focused on localized banking fraud, Crocodilus now actively steals sensitive information—like seed phrases, private keys, and login credentials—using techniques such as overlay attacks, keylogging, and screen capture. Its spread is confirmed in Europe, the United States, and South America, with campaigns leveraging fake apps, social media ads, and fraudulent updates to bypass Android security features. Newer versions of Crocodilus can automatically harvest crypto wallet recovery phrases and add fake "Bank Support" contacts to devices, making the theft of crypto assets even more automated and efficient. Android users who install apps from unofficial sources or use outdated operating systems are especially at risk. Crypto traders are urged to install apps only from official stores, enable two-factor authentication, maintain up-to-date software, and consider hardware wallets for significant holdings. The accelerating sophistication and expansion of Crocodilus highlight the urgent need for strict personal cybersecurity among cryptocurrency holders and traders, as this malware poses an ongoing and growing threat to both their funds and trading operations.
Neutral
The Crocodilus malware represents a significant cybersecurity threat to Android users, especially those involved in crypto trading or holding substantial assets. However, while the news raises awareness of heightened risks for wallet security and the need for improved cybersecurity practices, it does not directly drive price movement or market volatility for any specific cryptocurrency. The primary effect will likely be increased caution among traders and potential shifts toward more secure storage options, rather than immediate bullish or bearish price action. Historically, similar malware alerts have had limited direct market impact but do contribute to longer-term improvements in industry best practices and user behavior.