New Android Banking Trojan ‘Crocodilus’ Targets Users in Spain and Turkey

Cybersecurity researchers have uncovered a sophisticated new Android banking malware called Crocodilus, which is primarily targeting users in Spain and Turkey.

According to ThreatFabric, Crocodilus is not just another clone of existing malware but a highly advanced threat equipped with modern techniques like remote device control, black screen overlays, and accessibility abuse for data harvesting.

How Crocodilus Operates

Crocodilus is designed to facilitate device takeover (DTO), enabling cybercriminals to conduct fraudulent financial transactions. The malware's source code and debug messages suggest that its author is Turkish-speaking.

Disguised as Google Chrome (with the package name “quizzical.washbowl.calamity”), it acts as a dropper that can bypass Android 13+ security restrictions. Once installed, it requests accessibility service permissions, allowing it to:

  • Communicate with a remote command-and-control (C2) server for further instructions.

  • Target specific financial and cryptocurrency apps using HTML overlays to steal credentials.

  • Trick victims into revealing the seed phrases of their cryptocurrency wallets by urging them to create a backup.

Stealthy Attack Techniques

Crocodilus employs several stealth tactics to avoid detection, including:

  • Black screen overlays to hide malicious activity.

  • Sound muting to prevent users from noticing suspicious actions.

  • Continuous keylogging and screen capture, even targeting authentication apps like Google Authenticator.

Key Features of Crocodilus

This banking Trojan comes packed with advanced remote control capabilities, including:

  • Intercepting SMS messages and contacts to bypass two-factor authentication (2FA).

  • Launching apps remotely and making itself the default SMS manager.

  • Silencing device audio to operate undetected.

  • Updating its C2 settings dynamically for adaptability.

  • Self-removal to cover its tracks when needed.
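The indicators in the two sections above (the dropper package name, an unexpected accessibility service, and a changed default SMS app) can be checked on a device from the text that `adb shell` commands print. The script below is an added example written for this page, not tooling from ThreatFabric or the article; it parses the output of `pm list packages -3`, `settings get secure enabled_accessibility_services` and `settings get secure sms_default_application`. The allowlists, the sample outputs and the accessibility service class name in the sample are constructed for the example; only the package name `quizzical.washbowl.calamity` comes from the article.

```python
"""Triage helper for the Crocodilus indicators described in the article.

Added example, not ThreatFabric's or the article's own tooling. It reads the
text that three adb commands print and flags:
  * the dropper package name reported for Crocodilus,
  * any enabled accessibility service owned by a package outside an allowlist,
  * a default SMS app outside the allowlist.
The allowlists and sample outputs below are constructed for the example.
"""

# Package name the article reports for the fake "Google Chrome" dropper.
CROCODILUS_PACKAGE = "quizzical.washbowl.calamity"

# Hypothetical allowlists of packages expected to hold the accessibility and
# SMS roles on a managed device; tailor them to your own fleet.
EXPECTED_ACCESSIBILITY_OWNERS = {"com.google.android.marvin.talkback"}
EXPECTED_SMS_APPS = {"com.google.android.apps.messaging"}


def parse_package_list(pm_output):
    """Parse `adb shell pm list packages -3` output into a set of package names."""
    pkgs = set()
    for line in pm_output.splitlines():
        line = line.strip()
        if line.startswith("package:"):
            pkgs.add(line[len("package:"):])
    return pkgs


def parse_accessibility_services(setting_value):
    """Parse the `enabled_accessibility_services` secure setting.

    The value is a ':'-separated list of 'package/ServiceClass' entries;
    the literal string 'null' means nothing is enabled. Returns the set of
    owning package names.
    """
    value = setting_value.strip()
    if not value or value == "null":
        return set()
    owners = set()
    for entry in value.split(":"):
        pkg = entry.split("/", 1)[0].strip()
        if pkg:
            owners.add(pkg)
    return owners


def triage(pm_output, accessibility_setting, default_sms_setting):
    """Return a list of (severity, finding) tuples for the supplied outputs."""
    findings = []

    installed = parse_package_list(pm_output)
    if CROCODILUS_PACKAGE in installed:
        findings.append(("high", f"known Crocodilus dropper package installed: {CROCODILUS_PACKAGE}"))

    # Accessibility abuse is the core of the device-takeover capability, so any
    # owner outside the allowlist is worth a look; the known package is rated high.
    for pkg in sorted(parse_accessibility_services(accessibility_setting)):
        if pkg not in EXPECTED_ACCESSIBILITY_OWNERS:
            sev = "high" if pkg == CROCODILUS_PACKAGE else "medium"
            findings.append((sev, f"unexpected accessibility service enabled for {pkg}"))

    # The article notes the malware makes itself the default SMS manager to
    # intercept 2FA codes, so a changed default SMS app is a useful signal.
    sms_app = default_sms_setting.strip()
    if sms_app and sms_app != "null" and sms_app not in EXPECTED_SMS_APPS:
        findings.append(("medium", f"default SMS app changed to {sms_app}"))

    return findings


# Constructed sample outputs standing in for the three adb commands.
SAMPLE_PM = """package:com.google.android.apps.messaging
package:quizzical.washbowl.calamity
package:com.example.bank
"""
SAMPLE_A11Y = (
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:"
    "quizzical.washbowl.calamity/quizzical.washbowl.calamity.AccessService"  # class name constructed
)
SAMPLE_SMS = "quizzical.washbowl.calamity"

if __name__ == "__main__":
    for severity, finding in triage(SAMPLE_PM, SAMPLE_A11Y, SAMPLE_SMS):
        print(f"[{severity}] {finding}")
```

In practice feed the script the real output of the three commands against a connected device; the `sms_default_application` secure setting is the legacy key and on recent Android releases the role manager is authoritative, so treat an empty value there as inconclusive rather than clean.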

Rising Threat to Mobile Banking

ThreatFabric warns that Crocodilus represents a major escalation in mobile banking malware sophistication. Unlike most newly discovered trojans, it already boasts mature capabilities typically seen in well-established threats.

Expanding Cybercrime Landscape

Meanwhile, Forcepoint has reported a separate phishing campaign using tax-related lures to spread Grandoreiro, a Windows-based banking trojan targeting users in Mexico, Argentina, and Spain.

With Crocodilus and Grandoreiro both actively targeting financial institutions, mobile and desktop users alike must remain vigilant against phishing scams and suspicious app downloads.