Crocodilus Mobile Malware Evolving Fast, Going Global

In March 2025, the Mobile Threat Intelligence team discovered Crocodilus, a new device-takeover Android banking Trojan entering the threat landscape. The first observed samples were mostly related to test campaigns, with sporadic instances of live campaigns.

Ongoing monitoring of the threat landscape revealed a growing number of campaigns and continuous development of the Trojan. In this report, we cover the latest findings, including:

• New campaigns expanding the target list to European countries and extending overseas to South America.
• Malicious advertising campaigns distributing Crocodilus via social networks.
• An updated feature set, including the creation of new contacts in the victim’s contact list (likely for social engineering), and an automated seed phrase collector.
• Improved obfuscation techniques applied to the dropper and malicious payload.

To read the complete article, see: Crocodilus Mobile Malware: Evolving Fast, Going Global.