125/68 Tuesday, April 1, 2025

Cybersecurity researchers at ThreatFabric have discovered a new Android banking trojan named Crocodilus, which is actively targeting users in Spain and Turkey. Designed to take full control of infected devices, the malware leverages advanced techniques such as remote access, screen recording, and overlay attacks to steal user credentials. Crocodilus disguises itself as a legitimate Google Chrome app and uses non-suspicious package names to evade detection. Once installed and granted accessibility permissions, it connects to a command-and-control server to receive instructions for data theft.
In addition to targeting banking information, Crocodilus is capable of stealing seed phrases for cryptocurrency wallets by using social engineering tactics—tricking victims into entering sensitive recovery data under the guise of account protection. The malware can also mute device sounds, display a black screen, and uninstall itself to avoid detection. It further exfiltrates contact lists, sends SMS messages, and pushes fake notifications to lure new victims. According to ThreatFabric, Crocodilus demonstrates a high level of sophistication and poses a severe threat to mobile users.
Experts warn that mobile malware threats are evolving rapidly, and Crocodilus serves as a clear example of malware capable of full device compromise. Android users are advised to avoid installing apps from untrusted sources, limit unnecessary access permissions, and regularly update their device security. This discovery follows closely after Forcepoint reported a phishing campaign involving the Grandoreiro banking trojan targeting Windows users in Latin America—highlighting the growing scale and reach of cyber-financial threats.
Source: https://thehackernews.com/2025/03/new-android-trojan-crocodilus-abuses.html