A new Android banking trojan known as Crocodilus has evolved rapidly since its discovery in March 2025, expanding from initial campaigns in Turkey to targeting users globally, including in Europe, South America, the United States, and parts of Asia. According to ThreatFabric, the malware is distributed primarily through malicious ads on social media platforms such as Facebook, often posing as fake browser updates or as banking and e-commerce apps. Notably, campaigns have targeted Polish and Spanish users.

Crocodilus uses evasion techniques such as code packing, XOR encryption, and a custom dropper that bypasses the Restricted Settings protection introduced in Android 13. Once installed, it hijacks accessibility services for remote access and control, monitors app launches, and deploys overlay attacks to steal login credentials for banking and cryptocurrency apps. The malware can also capture one-time passwords from Google Authenticator.

A notable feature of Crocodilus is its ability to add fake contacts to the victim's phone, with names such as 'Assistance bancaire' or 'Bank Support'. This lets attackers conduct vishing calls that appear to come from a trusted source, potentially bypassing fraud-detection systems. Together, the overlay attacks and the manipulation of the contact list increase the likelihood that users divulge sensitive information. Recent versions have also improved the collection of cryptocurrency wallet details, including the extraction of seed phrases and private keys.

The malware's global expansion, its use of Facebook ad campaigns, and its rapid evolution underscore the ongoing risk to both individual users and financial institutions.
The Android banking trojan Crocodilus, which hijacks accessibility features for remote access and control, has spread globally and gained new features since its discovery in March, according to @ThreatFabric. #cybersecurity #infosec #ITsecurity https://t.co/wF9KZGprqR
The cybersecurity company ESET reported that a cyber-espionage group called BladedFeline, suspected of links to the Islamic Republic of Iran, has for years targeted officials of the Kurdistan Regional Government and Iraq's central government.
The WhatsApp scam that worries experts: be very careful if you receive this message from your bank https://t.co/e6FDLnXdWT