Crocodilus - dangerous new banking trojan attacks Android: what you need to know
A new player has emerged in the world of cyber threats - Crocodilus, an advanced banking trojan that attacks Android devices. Experts at ThreatFabric warn that the threat is spreading mainly in Spain and Turkey, but could reach users in other countries - including Poland - at any time.
How does Crocodilus work?
Crocodilus arrives inside a so-called “dropper” - a malicious application that looks harmless on the surface, posing for example as:
- a system update,
- a fake banking application,
- a battery management tool,
- a VPN application from an untrusted source.
Once installed, the app asks the user to grant it access to Android's Accessibility Services. If the user agrees, Crocodilus gains almost full control over the device: accessibility access lets an app read whatever is on the screen and tap, swipe and type on the user's behalf, which is exactly what the capabilities described below rely on.
What data is Crocodilus stealing?
Crocodilus is no ordinary virus. It is a digital thief with very broad capabilities. It can steal:
- Mobile banking login data - through overlays, fake screens drawn on top of the real banking app that look identical to the original login screen.
- Passwords and payment card data - whether typed in by hand or auto-filled.
- SMS authentication codes - the Trojan can read the content of SMS messages, including those used for two-factor authentication.
- Cryptocurrency wallets - impersonating apps such as Trust Wallet, MetaMask or Binance, it displays fake messages that trick the user into entering their seed phrase (12 or 24 words).
- Personal data - such as phone number, contacts, email, location, and even device data (IMEI, model).
- All keystrokes (keylogger) - everything you type is recorded.
Why is it so dangerous?
Crocodilus can run in the background while displaying a black screen or muting the sound so that the user notices nothing suspicious. Cybercriminals can remotely control the phone, launch apps, get past the banking app's security checks and transfer money - all as if the phone's owner were doing it.
What apps might be suspicious?
The Trojan can be hidden in apps downloaded from outside Google Play - from so-called unknown sources (“sideloaded apps”). Examples:
- Applications that offer “memory cleanup” or “system acceleration.”
- Fake versions of popular programs (e.g. WhatsApp Plus, modded YouTube clients).
- Pirated games or paid apps offered for free.
- Fake software updates.
- Ads on suspicious websites urging users to download an app.
How to protect yourself?
- Don't install apps from unknown sources - stick to Google Play, and be careful there too.
- Don't grant applications permissions you don't understand, especially access to accessibility services.
- Use reputable antivirus software (e.g. Bitdefender, ESET, Avast).
- Update your system and applications regularly, as updates often include security patches.
- Check the permissions of the applications you already have installed.
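For readers who want to check a device rather than scroll through settings, the following shell script is an added example (not part of the original article and not ThreatFabric's tooling). It uses two real adb commands - `settings get secure enabled_accessibility_services` and `pm list packages -3 -i` - to list apps that hold accessibility access, apps installed from outside a known store, and, most importantly, apps that are both: the combination a dropper-delivered banking trojan needs. The sample outputs and package names embedded below are constructed so the parsing can be run without a device; the store installer package names (`com.android.vending`, `com.sec.android.app.samsungapps`) are real.

```shell
#!/bin/sh
# Added example (not from the article or ThreatFabric): triage an Android device
# over adb for apps with Accessibility Service access and for sideloaded apps.
# Live commands used when a device is attached:
#   adb shell settings get secure enabled_accessibility_services
#   adb shell pm list packages -3 -i
# The SAMPLE_* values are constructed stand-ins with hypothetical package names.

# Constructed sample of the secure setting; real format is "pkg/service:pkg/service".
SAMPLE_A11Y='com.example.batterysaver/com.example.batterysaver.AccService:com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService'

# Constructed sample of "pm list packages -3 -i" (third-party apps with installer).
SAMPLE_PKGS='package:com.example.batterysaver  installer=null
package:com.example.bank  installer=com.android.vending
package:com.example.modded.video  installer=com.google.android.packageinstaller
package:com.example.chat  installer=com.android.vending'

# Package name of every app with an enabled accessibility service, one per line.
# An unset setting prints "null", which contains no "/" and so yields nothing.
accessibility_packages() {
    printf '%s\n' "$1" | tr ':' '\n' | sed -n 's#^\([^/]*\)/.*#\1#p' | sort -u
}

# Third-party packages whose installer is not a known store. "installer=null"
# means adb/sideload; com.google.android.packageinstaller means the user opened
# an APK by hand. Both count as "unknown source" in the article's sense.
sideloaded_packages() {
    printf '%s\n' "$1" | awk '
        /^package:/ {
            pkg = substr($1, 9)
            inst = "null"
            for (i = 2; i <= NF; i++) if (index($i, "installer=") == 1) inst = substr($i, 11)
            if (inst != "com.android.vending" && inst != "com.sec.android.app.samsungapps") print pkg
        }' | sort -u
}

# Packages that are sideloaded AND hold accessibility access: investigate these first.
suspicious_packages() {
    side=$(sideloaded_packages "$2")
    accessibility_packages "$1" | while IFS= read -r p; do
        if printf '%s\n' "$side" | grep -qxF -- "$p"; then printf '%s\n' "$p"; fi
    done
    return 0
}

# Use the attached device when adb is available; otherwise fall back to the samples.
if command -v adb >/dev/null 2>&1 && adb get-state >/dev/null 2>&1; then
    A11Y=$(adb shell settings get secure enabled_accessibility_services | tr -d '\r')
    PKGS=$(adb shell pm list packages -3 -i | tr -d '\r')
else
    A11Y=$SAMPLE_A11Y
    PKGS=$SAMPLE_PKGS
fi

echo "== Apps with an enabled Accessibility Service =="
accessibility_packages "$A11Y"
echo "== Third-party apps not installed from a known store =="
sideloaded_packages "$PKGS"
echo "== Sideloaded AND accessibility-enabled (investigate first) =="
suspicious_packages "$A11Y" "$PKGS"
```

On the constructed sample the last section reports only `com.example.batterysaver`: it was installed with `installer=null` and has an accessibility service switched on, while TalkBack also has accessibility access but is not a sideloaded third-party app. A legitimate screen reader showing up in the first list is expected; an unfamiliar “battery” or “cleaner” app showing up in the last one is the signal the article is warning about, and Developer Options / USB debugging should be switched off again once the check is done.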
Crocodilus is a modern and sophisticated Trojan that can effectively infiltrate your phone and take control of it. With its advanced features and its impersonation of legitimate applications, it can go unnoticed until your savings disappear.
If something seems too good to be true - it's probably Crocodilus in disguise.