An increasing number of malicious campaigns have used the recently discovered Android banking Trojan called Crocodilus to target users in Europe and South America.
According to a new report published by ThreatFabric, the malware has adopted improved obfuscation techniques to hinder analysis and detection, and includes the ability to create new contacts in the victim's contact list.
“The latest activity reveals several campaigns aimed at European countries, continuing Turkish campaigns and expanding globally to South America,” the Dutch security company noted.
Crocodilus was first publicly documented in March 2025 as targeting Android users in Spain and Turkey, masquerading as legitimate applications such as Google Chrome. The malware is equipped with capabilities to launch overlay attacks against a list of financial applications obtained from an external server in order to harvest credentials.
It also abuses accessibility permissions to capture seed phrases associated with cryptocurrency wallets, which can then be used to drain the virtual assets stored in them.
Recent ThreatFabric findings demonstrate the malware's expansion, as well as constant development with improvements and new features, indicating that it is actively maintained by its operators.
Selected campaigns aimed at Poland have been found to use fake ads on Facebook as a distribution vector, mimicking banks and e-commerce platforms. These ads lure victims into downloading an app to claim supposed bonus points. Users who try to download the app are directed to a malicious site that delivers the Crocodilus dropper.
Other waves of attacks aimed at Spanish and Turkish users have masqueraded as updates for the web browser and the Internet. Argentina, Brazil, India, Indonesia and the United States are among the other countries targeted by the malware.
In addition to incorporating various obfuscation techniques to complicate reverse engineering efforts, new Crocodilus variants can add a specified contact to the victim's contact list upon receiving the Tru9mrhbcro command.
It is suspected that this feature is designed as a countermeasure to new security protections that Google has introduced in Android, which warn users about possible scams when launching banking applications during a screen-sharing session with unknown contacts.
“We believe that the intention is to add a phone number under a convincing name, such as "bank support", allowing the attacker to call the victim while appearing legitimate. It can also bypass fraud prevention measures that flag unknown numbers,” ThreatFabric said.
Another new feature is an automated seed phrase collector that uses a parser to extract seed phrases and private keys for cryptocurrency wallets.
“The latest campaigns involving the Crocodilus Android Trojan signal a concerning evolution both in the technical sophistication of the malware and in its operational scope,” the company said. “In particular, its campaigns are no longer limited to specific regions; the malware has expanded its reach to new geographical areas, emphasizing its transition to a truly global threat.”