Crocodilus malware goes global with new crypto, banking heist features

4 days ago

Android banking trojan Crocodilus has launched new campaigns targeting crypto users and banking customers across Europe and South America.

First detected in March 2025, early Crocodilus samples were mostly confined to Turkey, where the malware posed as online casino apps or spoofed bank apps to steal login credentials.

However, new campaigns show the Trojan expanding its reach, now hitting targets in Poland, Spain, Argentina, Brazil, Indonesia, India and the US, according to new findings from ThreatFabric’s Mobile Threat Intelligence (MTI) team.

A campaign targeting Polish users tapped Facebook Ads to promote fake loyalty apps. Clicking the ad redirected users to malicious sites, delivering a Crocodilus dropper, which bypasses Android 13+ restrictions.

Facebook transparency data revealed that these ads reached thousands of users in just 1 to 2 hours, with a focus on audiences over 35.

Crocodilus malware is going global. Source: ThreatFabric


Crocodilus targets banking and crypto apps

Once installed, Crocodilus overlays fake login pages on top of legitimate banking and crypto apps. In Spain it masquerades as a browser update, targeting almost every major bank.

Beyond geographic expansion, Crocodilus has added new capabilities. One notable upgrade is the ability to modify infected devices’ contact lists, enabling attackers to insert phone numbers labeled as “Bank Support,” which could be used for social engineering attacks.

Another key enhancement is an automated seed phrase collector aimed at cryptocurrency wallets. The Crocodilus malware can now extract seed phrases and private keys with greater precision, feeding attackers pre-processed data for rapid account takeovers.

Meanwhile, the developers have strengthened Crocodilus’ defenses through deeper obfuscation. The latest variant features packed code, additional XOR encryption, and intentionally convoluted logic to resist reverse engineering.

MTI analysts also observed smaller campaigns targeting cryptocurrency mining apps and European digital banks amid Crocodilus’ growing focus on crypto.

“Just like its predecessor, the new variant of Crocodilus pays a lot of attention to cryptocurrency wallet apps,” the report said. “This variant was equipped with an additional parser, helping to extract seed phrases and private keys of specific wallets.”

Source: ThreatFabric


Crypto drainers sold as malware

In an April 22 report, crypto forensics and compliance firm AMLBot revealed that crypto drainers, malware designed to steal cryptocurrency, have become easier to access as the ecosystem evolves into a software-as-a-service business model.

The report revealed that malware spreaders can rent a drainer for as little as 100 to 300 USDt (USDT).

On May 19, it was revealed that Chinese printer maker Procolored distributed Bitcoin-stealing malware alongside its official drivers. The company reportedly used USB drives to distribute malware-ridden drivers and uploaded the compromised software to cloud storage for global download.
