Crocodilus Mobile Malware: Evolving Fast, Going Global

Severity: Medium
Published: Tue Jun 03 2025 (06/03/2025, 19:16:58 UTC)
Source: AlienVault OTX General

Description

A new Android banking Trojan, Crocodilus, has rapidly evolved since its discovery in March 2025. Initially targeting Turkey, it has expanded to European countries and South America. The malware is distributed through malicious advertising on social networks, masquerading as banking and e-commerce apps. Recent developments include improved obfuscation techniques, the ability to add contacts to the victim's device, and an enhanced seed phrase collector for cryptocurrency wallets. Campaigns have been observed targeting users in Poland, Spain, and multiple global locations. The malware's sophistication and expanding reach indicate a well-organized threat actor, posing an increasing risk to users and organizations worldwide.

AI-Powered Analysis

AI analysis last updated: 07/04/2025, 16:56:50 UTC

Technical Analysis

Crocodilus is a recently identified Android banking Trojan first discovered in March 2025. Initially targeting users in Turkey, it has rapidly expanded its reach to European countries such as Poland and Spain, as well as regions in South America. The malware is primarily distributed via malvertising campaigns on social networks, where it masquerades as legitimate banking and e-commerce applications to deceive users into installing it. Technically, Crocodilus employs advanced obfuscation techniques (MITRE ATT&CK T1027 and T1027.002) to evade detection by security solutions, making it difficult to identify and remove. It has evolved to include capabilities such as adding contacts to the victim's device, which can facilitate further social engineering or propagation within a victim's network. Additionally, it features an enhanced seed phrase collector designed to steal cryptocurrency wallet credentials, significantly increasing the potential financial impact on victims. The malware targets both traditional banking credentials and cryptocurrency assets, indicating a dual-purpose threat. Indicators of compromise include specific file hashes and malicious domains (rentvillcr.homes, rentvillcr.online) linked to its infrastructure. The campaign's rapid expansion and technical sophistication suggest a well-resourced and organized threat actor capable of maintaining and evolving the malware quickly, posing a growing risk to users and organizations relying on Android devices for financial transactions and cryptocurrency management.

Potential Impact

For European organizations, Crocodilus represents a significant threat, especially to employees and customers who use Android devices for banking and cryptocurrency activities. The malware's ability to steal banking credentials and cryptocurrency seed phrases can lead to direct financial losses, unauthorized transactions, and potential compromise of corporate accounts. The capability to add contacts to infected devices may enable lateral social engineering attacks within organizations, increasing the risk of broader compromise and insider threats. Sectors with high reliance on mobile banking or cryptocurrency, such as financial services, fintech, and e-commerce, face elevated risks. The advanced obfuscation techniques complicate detection and response efforts, potentially allowing the malware to persist undetected for extended periods. The use of social networks for distribution can facilitate rapid spread among users, amplifying the scale of impact. Theft of cryptocurrency credentials also introduces reputational risks and regulatory compliance challenges under European data protection laws (e.g., GDPR) and financial regulations. Overall, Crocodilus threatens the confidentiality and integrity of financial data and the availability of user accounts, with a medium severity rating but potential for escalation if the malware evolves further or integrates additional capabilities.

Mitigation Recommendations

1. Deploy advanced Mobile Threat Defense (MTD) solutions capable of detecting obfuscated malware and behaviors specific to banking Trojans, including heuristic and behavioral analysis.
2. Enforce strict application installation policies on corporate Android devices, restricting installations to trusted sources such as the Google Play Store and vetted enterprise app stores, and block sideloading.
3. Conduct targeted user awareness training emphasizing the risks of malvertising and social engineering via social networks, instructing users to verify app authenticity before installation.
4. Implement network-level protections such as DNS filtering and web proxies to block access to known malicious domains associated with Crocodilus infrastructure (e.g., rentvillcr.homes, rentvillcr.online).
5. Encourage the use of hardware-based multi-factor authentication (MFA) for banking and cryptocurrency wallet access to reduce the impact of credential theft.
6. Monitor device contact lists and alert on unusual changes or additions as potential indicators of compromise.
7. Maintain up-to-date mobile operating systems and security software to mitigate exploitation of any underlying vulnerabilities.
8. For organizations managing cryptocurrency wallets, implement cold storage solutions and avoid storing or exposing seed phrases on mobile devices.
9. Collaborate with threat intelligence providers to stay informed about emerging Crocodilus variants and related indicators of compromise.
10. Develop and regularly test incident response procedures specifically addressing mobile malware infections to enable rapid containment and remediation.
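Recommendation 4 (block the Crocodilus domains) and the indicator list further down this page translate directly into a retrospective sweep of resolver logs and a device inventory. The following is an added example, not code from the page, AlienVault or ThreatFabric; the indicator values are the ones listed on this page, while the log line format, the MDM export format, the client IPs, device ids and package names are constructed assumptions. It treats any subdomain of an IoC domain as a hit but rejects look-alike names that merely end in the same characters.

```python
import re
# Indicators copied from this page's Indicators of Compromise section.
CROCODILUS_HASHES = {
    "f6f589d1a0a189aded4d008b671be0db",
    "f425a592df7fe61a03673a48fda56e55f9d6165c",
    "6d55d90d021b0980528f56d040e78fa7b85a96f5c244e23f330f24c8e80c1cb2",
    "fb046b7d0e385ba7ad15b766086cd48b4b099e612d8dd0a460da2385dd31e09e",
}
CROCODILUS_DOMAINS = {"rentvillcr.homes", "rentvillcr.online"}
# Hypothetical resolver log format: "<iso_ts> query[<type>] <qname> from <client_ip>"
DNS_LOG_RE = re.compile(r"^\S+ query\[\w+\] (?P<qname>\S+) from (?P<client>\S+)$")

def domain_matches(qname):
    """Exact IoC domain or a subdomain of it; a look-alike such as notrentvillcr.homes does not match."""
    name = qname.rstrip(".").lower()  # ignore case and a trailing root dot
    return any(name == d or name.endswith("." + d) for d in CROCODILUS_DOMAINS)

def hash_matches(digest):
    """Case-insensitive lookup; works for the MD5-, SHA-1- and SHA-256-length values alike."""
    return digest.strip().lower() in CROCODILUS_HASHES

def sweep_dns_log(lines):
    """Return (client_ip, qname) for every query that hit Crocodilus infrastructure."""
    hits = []
    for line in lines:
        m = DNS_LOG_RE.match(line.strip())
        if m and domain_matches(m.group("qname")):
            hits.append((m.group("client"), m.group("qname")))
    return hits

def sweep_app_inventory(rows):
    """Rows are '<device_id>,<package>,<apk_digest>' (hypothetical MDM export); return (device_id, package) hits."""
    hits = []
    for row in rows:
        parts = row.strip().split(",")
        if len(parts) == 3 and hash_matches(parts[2]):
            hits.append((parts[0], parts[1]))
    return hits
# Constructed sample input; client IPs, device ids and package names are made up.
SAMPLE_DNS_LOG = [
    "2025-06-03T19:20:01Z query[A] api.rentvillcr.homes from 10.0.5.23",
    "2025-06-03T19:20:02Z query[A] play.google.com from 10.0.5.23",
    "2025-06-03T19:21:10Z query[AAAA] RENTVILLCR.ONLINE. from 10.0.7.9",
    "2025-06-03T19:22:00Z query[A] notrentvillcr.homes from 10.0.8.1",
]
SAMPLE_INVENTORY = [
    "dev-001,com.example.bankapp,6D55D90D021B0980528F56D040E78FA7B85A96F5C244E23F330F24C8E80C1CB2",
    "dev-002,com.android.chrome," + "0" * 64,
    "dev-003,com.example.shop,fb046b7d0e385ba7ad15b766086cd48b4b099e612d8dd0a460da2385dd31e09e",
]
```

Running `sweep_dns_log(SAMPLE_DNS_LOG)` flags the two clients that resolved the C2 domains, and `sweep_app_inventory(SAMPLE_INVENTORY)` flags the two devices carrying an APK with a listed digest.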

Technical Details

Author: AlienVault
TLP: white
References: https://www.threatfabric.com/blogs/crocodilus-mobile-malware-evolving-fast-going-global
Adversary: null
Pulse Id: 683f4a2ab8c66d9df10523fc
Threat Score: null

Indicators of Compromise

Hash

f6f589d1a0a189aded4d008b671be0db
f425a592df7fe61a03673a48fda56e55f9d6165c
6d55d90d021b0980528f56d040e78fa7b85a96f5c244e23f330f24c8e80c1cb2
fb046b7d0e385ba7ad15b766086cd48b4b099e612d8dd0a460da2385dd31e09e

Domain

rentvillcr.homes
rentvillcr.online

Threat ID: 683f6564182aa0cae28d1a5b

Added to database: 6/3/2025, 9:13:08 PM

Last enriched: 7/4/2025, 4:56:50 PM

Last updated: 8/11/2025, 12:35:46 AM
