
Beware of This Contact on Your Phone, It Might Be Malware
The dangerous Android malware known as Crocodilus is spreading rapidly and gaining new capabilities.
In a rush? Here are the quick facts:
- New version adds fake contacts like “Bank Support” to victims’ phones.
- Malware now steals cryptocurrency seed phrases using advanced screen analysis.
- Crocodilus uses advanced obfuscation to avoid antivirus detection and analysis.
The banking Trojan known as Crocodilus first appeared in March 2025, when it targeted Turkish users. Security experts at ThreatFabric now confirm that the malware attacks users throughout Europe and South America.
The malware spreads through fake applications that pose as banking services and online shopping platforms. Users in Poland received Facebook advertisements that promised bonus points as part of a phishing scam. The analyst revealed that these advertisements operated for only 1–2 hours, yet reached more than 1,000 viewers.
Clicking the advertisement takes users to a fake website, which leads to installation of the malware. The malware gains control of your phone to show fake banking app login screens, which enable thieves to steal your sensitive information.
The malware continues to target Turkish users, but its reach now extends to Spain, Brazil, Argentina, and the United States. It presented itself as a browser update to Spanish users through a deceptive campaign.
The latest versions of the Crocodilus malware have introduced concerning capabilities. It adds contacts to your phone under fake names like “Bank Support,” which enables scammers to deceive you through phone calls. Analysts believe the attackers plan to create a phone number with an authentic-sounding name.
The malware now possesses enhanced capabilities to steal cryptocurrency. It uses screen analysis to extract secret recovery phrases (seed phrases), which enables hackers to control your crypto wallets.
The threat of Crocodilus continues to evolve, as it has become more adept at evading antivirus detection and deceiving users, according to cybersecurity experts. These experts label the threat a worldwide menace, while advising users to exercise caution when installing apps from advertisements or unverified websites.