First seen in Turkey in March 2025, Crocodilus is now active in countries like Poland, Spain, Brazil, Argentina, India, Indonesia, and the U.S., signaling a global expansion that concerns both banks and crypto holders alike.

Fake Apps, Real Intrusions

In Poland, attackers used Facebook ads to lure users with bogus loyalty app promotions. These ads—targeted at users over 35—redirected victims to malware-hosting sites. Once installed, the Trojan bypassed Android 13 restrictions and deployed its attack mechanisms.

You Might Be Interested In: Elon Musk Talks About the Name of a New Memecoin!

In Spain, Crocodilus disguised itself as a browser update. Once on a device, it overlays fake login pages on top of real banking and crypto apps, harvesting sensitive credentials. It even inserts fake “Bank Support” contacts into user phonebooks to aid social engineering efforts.

Crypto Wallets Under Direct Attack

The most alarming upgrade is Crocodilus’ new ability to automatically extract seed phrases and private keys from infected devices. Equipped with advanced parsing modules, the malware can quickly hijack wallet access with remarkable precision.

To avoid detection, the latest variant uses deep obfuscation techniques like XOR encryption and intentionally complex logic, making reverse engineering a challenge for security teams.

Smaller campaigns have also been seen targeting crypto mining apps and digital banks in Europe—highlighting the malware’s growing focus on crypto users.

You can also freely share your thoughts and comments about the topic in the comment section. Additionally, don’t forget to follow us on our Telegram, YouTube, and Twitter channels for the latest news and updates.

The post Crocodilus Malware Expands to Crypto Wallets appeared first on Coin Engineer.