Recently, a new Android malware called Crocodilus has been spreading through Facebook ads, disguised as banking apps. This malware adds fake contacts to users’ phones and steals financial data, using advanced screen monitoring techniques. ThreatFabric cybersecurity researchers first detected this malware in late March 2025. The malware has been spotted in countries like Poland, Spain, the United States, and Turkey, targeting users of major banks and cryptocurrency platforms.
Crocodilus has the ability to add fake contacts to a user’s phone, allowing attackers to impersonate bank support or other trusted entities. This makes the malware more difficult to spot, as the fake contacts often appear legitimate. In addition, the latest version of the malware includes advanced screen monitoring and seed phrase collectors, making it particularly dangerous for cryptocurrency users. The malware can monitor users’ screens and use pattern recognition to detect and extract sensitive data, such as private keys or recovery phrases, before sending it to the attacker.
ThreatFabric has highlighted that Crocodilus has extensive data theft and remote control capabilities. The malware initially spread through Facebook ads that appeared normal; once a user clicked one, the malware began installing itself on the device. Some of these ads mimicked banking and e-commerce apps in Poland, promising users free points in exchange for downloading an app. The ad was only live for a few hours, but it still reached thousands of users, most of whom were over 35, a group more likely to have money in the bank.
Smaller but growing campaigns have also been reported in the United States, where Crocodilus disguised itself as crypto wallet tools, mining apps and financial services. These fake apps are often distributed through social media ads or phishing links, targeting Android users who are less likely to question a