Verticals Targeted: Banking, E-commerce, Cryptocurrency
Regions Targeted: Turkey, Poland, Spain, Argentina, Brazil, India, Indonesia, United States
Related Families: None specified
Executive Summary
Crocodilus, an Android banking trojan first identified in March 2025, has rapidly evolved into a global threat, targeting banking and cryptocurrency users across eight countries with advanced overlay attacks and social engineering tactics. Its enhanced obfuscation and new features, such as contact list manipulation, amplify its ability to evade detection and execute fraudulent transactions.
Key Takeaways
- Crocodilus targeting has expanded from Turkey to eight countries, including Poland and Spain, targeting banking and cryptocurrency apps.
- The malware employs sophisticated obfuscation, including code packing and XOR encryption, to hinder analysis.
- A new feature allows Crocodilus to add fake contacts, enabling attackers to impersonate trusted entities like bank support.
- Social engineering tricks, such as fake wallet backup prompts, facilitate cryptocurrency seed phrase theft.
What is Crocodilus?
Crocodilus, a sophisticated Android banking trojan, has emerged as a significant global cyberthreat since its discovery in March 2025. Initially targeting users in Turkey, the malware has expanded its reach to eight countries, including Poland, Spain, Argentina, Brazil, India, Indonesia, and the United States. Crocodilus targets banking, e-commerce, and cryptocurrency sectors, leveraging advanced overlay attacks and social engineering to steal credentials and cryptocurrency assets. Its rapid evolution and technical sophistication underscore the growing challenge of mobile malware for cybersecurity professionals and organizational leaders. ThreatFabric provided an update on the malware's recent evolution and targeting.
The malware spreads primarily through phishing campaigns, often disguised as legitimate apps like Google Chrome, online casinos, or e-commerce platforms offering bonus points. In Poland, attackers have utilized Facebook ads, active for only one to two hours but viewed over a thousand times, to lure users over 35—a demographic likely targeted for financial solvency. These ads redirect victims to malicious sites hosting a proprietary dropper that bypasses Android 13+ security restrictions. Once installed, Crocodilus requests Accessibility Service permissions, enabling it to monitor screen content, log user inputs, and execute remote commands. This abuse of accessibility features allows the malware to deploy fake login overlays on targeted apps, capturing credentials in real time.
Crocodilus has introduced significant technical enhancements to evade detection. Its dropper and payload now employ code packing, XOR encryption, and convoluted code structures, complicating reverse engineering efforts. A notable new feature enables the malware to add fake contacts to the victim’s device, such as “Bank Support,” allowing attackers to impersonate trusted entities during fraudulent calls. This capability can bypass fraud prevention systems that flag unknown numbers. Additionally, Crocodilus uses an automated seed phrase collector to extract cryptocurrency wallet keys, deceiving users with fake warnings to “back up” their keys within 12 hours. Local data parsing further enhances the quality of stolen data, enabling immediate account takeovers.
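A defender-side triage check for the two behaviours described above (an unexpected accessibility service enabled on the device, and planted contacts named like bank support), as an added example that is not part of ThreatFabric's or PolySwarm's material. It parses constructed `adb shell` output embedded inline; the package names, the allowlist and the contact rows are assumptions.

```python
import re

# Constructed sample of `adb shell settings get secure enabled_accessibility_services`
# (colon-separated package/service pairs). The dropper package name is hypothetical.
SAMPLE_A11Y = (
    "com.android.talkback/com.google.android.marvin.talkback.TalkBackService:"
    "com.example.dropper/com.example.dropper.AccService"
)

# Constructed sample of
# `adb shell content query --uri content://contacts/phone/ --projection display_name:number`
SAMPLE_CONTACTS = """Row: 0 display_name=Alice Example, number=+48 600 000 001
Row: 1 display_name=Bank Support, number=+48 600 000 002
Row: 2 display_name=Mom, number=+48 600 000 003"""

# Accessibility services vetted on this device (assumed allowlist).
KNOWN_A11Y = {"com.android.talkback"}

# Display names a planted "trusted entity" contact is likely to use.
SUSPECT_NAME = re.compile(r"\b(bank|support|helpdesk|fraud|security)\b", re.I)


def unexpected_accessibility_services(setting: str, allow: set = KNOWN_A11Y) -> list:
    """Return enabled accessibility services whose package is not on the allowlist."""
    entries = [e for e in setting.strip().split(":") if e]
    return [e for e in entries if e.split("/", 1)[0] not in allow]


def suspicious_contacts(dump: str) -> list:
    """Return (name, number) pairs whose display name looks like an impersonation lure."""
    hits = []
    for line in dump.splitlines():
        m = re.search(r"display_name=(.*?), number=(.*)$", line)
        if m and SUSPECT_NAME.search(m.group(1)):
            hits.append((m.group(1).strip(), m.group(2).strip()))
    return hits


def triage(setting: str = SAMPLE_A11Y, dump: str = SAMPLE_CONTACTS) -> dict:
    """Combine both checks into one report for an analyst to review."""
    return {
        "accessibility": unexpected_accessibility_services(setting),
        "contacts": suspicious_contacts(dump),
    }


if __name__ == "__main__":
    for key, value in triage().items():
        print(key, value)
```

On a real device, replace the two constructed samples with the output of the adb commands named in the comments; a hit in either list is a lead for further triage, not proof of infection.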
The malware’s infrastructure suggests a link to the threat actor “sybra,” previously associated with MetaDroid, Hook, and Octo malware, though it remains unclear whether sybra is the developer or an early adopter. Debug messages in the source code indicate a Turkish-speaking author, consistent with early campaign focus. While no specific CVEs are exploited, Crocodilus’s reliance on social engineering and accessibility abuse highlights the limitations of traditional signature-based detection. ThreatFabric notes that its global expansion and polished feature set indicate a well-resourced, adaptive threat actor. PolySwarm analysts consider Crocodilus to be an evolving threat.
IOCs
PolySwarm has a sample of Crocodilus.
6d55d90d021b0980528f56d040e78fa7b85a96f5c244e23f330f24c8e80c1cb2
You can use the following CLI command to search for all Crocodilus samples in our portal:
$ polyswarm link list -f Crocodilus