Android Malware Crocodilus Goes Global with Smarter Theft Tools

In Poland, a recent campaign used Facebook ads to promote a fake rewards app. When users clicked the ad, they were redirected to a malicious website that installed malware. This version of Crocodilus could bypass the protections in Android 13 and later versions.

Meanwhile, in Spain, the malware pretended to be a browser update and went after customers of nearly all major banks. Once installed, it overlays fake login pages onto real banking and crypto apps.

Did you know?

Want to get smarter & wealthier with crypto?

Subscribe - We publish new crypto explainer videos every week!

What is VeChain? VeChain Coin Explainer (ANIMATED)

SUBSCRIBE

ON YOUTUBE

Recent updates to Crocodilus include new tools for stealing more than just login details.

One feature enables the malware to add fake phone numbers to a device’s contact list, which labels them as "Bank Support". Another new tool focuses on cryptocurrency wallets. Crocodilus includes a feature that can automatically collect recovery phrases and private keys.

Furthermore, the developers behind Crocodilus have added new layers of code protection. The malware employs multiple forms of encryption and complex programming techniques, which hinder efforts to understand its operation and mitigate its effects.

Originally found in Turkey in March 2025, Crocodilus disguised itself as fake gambling and banking apps to steal login information.

On May 22, cybersecurity firm Moonlock reported that hackers are targeting macOS users with fake Ledger Live apps. How do these fake apps work? Read the full story.