The Crocodilus Android banking Trojan has expanded its reach beyond Turkey, now targeting cryptocurrency users and bank customers in countries including Poland, Spain, and Argentina. Security firm ThreatFabric reports that the malware, following a recent upgrade, is capable of spreading through Facebook ads disguised as browser updates. It employs overlay attacks to steal login credentials for banking and crypto applications. The latest variant of Crocodilus can automatically extract cryptocurrency wallet mnemonics and private keys, posing a significant threat to crypto users. Additionally, it can alter victims' address books to insert fake bank support numbers. Attackers are reportedly renting these cryptocurrency theft tools for 100-300 USDT per use, highlighting the growing sophistication and commercialization of cybercrime in the crypto space.