A new report from ThreatFabric shows that the Android banking Trojan Crocodilus is increasingly being used in campaigns targeting users in Europe and South America. The malware has received significant updates to its obfuscation to evade detection, and has gained a new capability: on command, it can create new contacts in the victim's address book.
First documented in March 2025 as a threat mainly to users in Spain and Turkey, Crocodilus has since grown in both sophistication and geographic reach. It masquerades as legitimate applications, including Google Chrome, and launches overlay attacks to harvest credentials; the list of financial applications to overlay is not hard-coded but retrieved from an external server, so operators can retarget the malware without shipping a new sample.
Recent campaigns target Polish users with fake advertisements on platforms such as Facebook that promise bonus points in exchange for installing a seemingly benign app. The advertisement leads to a malicious site that delivers the Crocodilus dropper, extending the malware's reach well beyond its original territories.
As the malware's functionality expands, new variants can add attacker-chosen entries to the victim's contact list on receipt of a specific command. The likely purpose is to defeat new Google protections that warn users about potential scams while they are using certain apps: a number saved as a contact looks like a known caller rather than a suspicious unknown one. With these advances, Crocodilus has become a global concern, targeting not only its traditional strongholds in Turkey and Spain but also countries as varied as Argentina, Brazil, and the United States.