New Crocodilus Malware That Gains Complete Control of Android Devices

Jun 4, 2025 - 21:30

A new Android banking Trojan named Crocodilus has emerged as a significant global threat, with device-takeover capabilities that give its operators near-complete remote control over infected smartphones.

First discovered in March 2025, this malware has rapidly evolved from localized test campaigns to a worldwide operation targeting financial institutions and cryptocurrency platforms across multiple continents.

The malware initially appeared with campaigns primarily focused on Turkey, but recent intelligence reveals an aggressive expansion strategy that now encompasses European countries including Poland and Spain, while extending its reach to South American markets.

Crocodilus is distributed through malicious Facebook advertisements that masquerade as legitimate banking and e-commerce applications, promising bonus rewards and promotional offers to entice users into downloading them.

ThreatFabric analysts noted that these fraudulent advertisements were run with remarkable stealth: each stayed live for only one to two hours, yet still reached over a thousand impressions.

The campaigns specifically targeted users over 35 years old, strategically focusing on demographics with higher disposable income and greater likelihood of engaging with financial services.

Upon clicking the download link, victims are redirected to a malicious website that delivers the Crocodilus dropper, which is built to bypass the Restricted Settings protections introduced in Android 13 that normally stop sideloaded apps from enabling an Accessibility Service.

Malicious advertisement leading to Crocodilus dropper download (Source – ThreatFabric)

The malware’s global ambitions are evident in its comprehensive target lists, which now include financial applications from Argentina, Brazil, Spain, the United States, Indonesia, and India.

This geographical expansion coincides with increasingly sophisticated masquerading techniques, including impersonating cryptocurrency mining applications and digital banking services across European markets.

Crocodilus goes global (Source – ThreatFabric)

What distinguishes Crocodilus from conventional banking malware is a feature set that keeps growing well beyond traditional credential theft, turning a banking Trojan into a general-purpose device-compromise tool.

Advanced Contact Manipulation and Cryptocurrency Targeting

The latest Crocodilus variant introduces a particularly concerning capability that allows attackers to manipulate victim contact lists through a specific command structure.

When the malware receives the command “TRU9MMRHBCRO” from its operators, it adds the contact specified in the command to the infected device’s address book.

This lets the operators insert entries such as “Bank Support” pointing at attacker-controlled phone numbers, so a later call or message from the attacker is displayed under a trusted-looking name; it can also sidestep fraud-prevention features that warn about calls from unknown numbers.

The malware’s cryptocurrency targeting has also been enhanced with an improved seed phrase collector that builds on its accessibility logging: Crocodilus abuses the Android Accessibility Service to read the text of on-screen UI elements and records it as the victim moves through a wallet’s backup or recovery screens.

The collector applies a set of regular expressions to the captured text:

this.regex1 = "[a-fA-F0-9]{64}";         // 64 hex characters: a raw 32-byte private key
this.regex2 = "^(\\d+)\\.?\\s*(\\w+)$";  // a numbered word line such as "12. abandon", capturing index and word
this.regex3 = "\\d+";                    // the index on its own
this.regex4 = "\\w+";                    // the word on its own
this.regex5 = "^\\d+\\.?\\s*\\w+$";      // same shape as regex2 without capture groups (match-only variant)

These patterns let the malware pull private keys and numbered seed-phrase words out of the screen text captured from wallet applications, preprocessing the data in real time so that the operators receive a clean, ordered recovery phrase rather than a raw accessibility log.
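To make concrete what that preprocessing does, the following Python reconstruction runs the five patterns quoted above over constructed sample screen text. It is an added example written for this article, not Crocodilus’s own code; the sample text, the function names and the assumption that regex5 acts as a pre-filter before regex2 extracts the index and word are illustrative.

```python
import re

# The five patterns from the analysis above, transcribed into Python.
REGEX_HEX_KEY = re.compile(r"[a-fA-F0-9]{64}")          # regex1: 32-byte hex private key
REGEX_NUMBERED_WORD = re.compile(r"^(\d+)\.?\s*(\w+)$")  # regex2: "12. abandon" with groups
REGEX_DIGITS = re.compile(r"\d+")                        # regex3: bare index
REGEX_WORD = re.compile(r"\w+")                          # regex4: bare word
REGEX_NUMBERED_LINE = re.compile(r"^\d+\.?\s*\w+$")      # regex5: regex2 without groups

# Constructed sample (not a real capture): text nodes an Accessibility Service
# would read from a wallet's "back up your recovery phrase" screen, in the
# order they were seen, including unrelated UI labels.
SAMPLE_NODES = [
    "Your recovery phrase",
    "1. abandon", "2. ability", "3. able", "4. about",
    "5. above", "6. absent", "7. absorb", "8. abstract",
    "9. absurd", "10. abuse", "11. access", "12. accident",
    "Write these words down in order.",
    "Private key: 0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef",
    "Copy",
]


def collect_seed_words(nodes):
    """Return seed words ordered by their on-screen index.

    A screen redraw can deliver the same node twice; keeping a dict keyed
    by index means a repeated "3. able" does not duplicate the word.
    """
    found = {}
    for text in nodes:
        text = text.strip()
        if not REGEX_NUMBERED_LINE.match(text):      # cheap yes/no filter (regex5)
            continue
        m = REGEX_NUMBERED_WORD.match(text)          # extract index and word (regex2)
        found[int(m.group(1))] = m.group(2).lower()
    return [found[i] for i in sorted(found)]


def collect_hex_keys(nodes):
    """Return every 64-hex-character run seen in the captured text."""
    keys = []
    for text in nodes:
        keys.extend(REGEX_HEX_KEY.findall(text))
    return keys


def preprocess(nodes):
    """Turn a raw accessibility log into the 'ready to use' record the text describes."""
    words = collect_seed_words(nodes)
    indices = sorted(int(REGEX_DIGITS.search(t).group()) for t in nodes
                     if REGEX_NUMBERED_LINE.match(t.strip()))
    # A phrase is only usable if the indices are contiguous from 1 and the
    # count is a standard BIP-39 length; otherwise the capture is partial.
    contiguous = indices == list(range(1, len(indices) + 1))
    return {
        "seed_words": words,
        "complete_phrase": contiguous and len(words) in (12, 18, 24),
        "hex_keys": collect_hex_keys(nodes),
    }


if __name__ == "__main__":
    print(preprocess(SAMPLE_NODES))
```

Running it on the sample yields the twelve words in order, a flag that the phrase is complete, and the one private key. The defensive lesson is the mirror image: wallet screens that show a recovery phrase or key as plain text nodes are readable by any app holding the Accessibility permission, so such views should be marked as not important for accessibility and the window flagged secure, and users should treat any prompt to enable an Accessibility Service for a sideloaded app as a red flag.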


The post New Crocodilus Malware That Gains Complete Control of Android Devices appeared first on Cyber Security News.