Key Takeaways
What is Crocodilus?
Crocodilus begins its attack with a proprietary dropper, masquerading as legitimate software such as Google Chrome. The malware is adept at evading Android 13+ security enhancements. Once installed, it prompts users to enable Accessibility Services, a feature intended to assist users with disabilities but frequently abused by modern malware. With this permission granted, Crocodilus connects to a command-and-control (C2) server, retrieving target app lists and HTML-based overlays tailored for phishing. These overlays mimic legitimate banking and cryptocurrency interfaces, capturing credentials as victims interact with them.
The malware’s capabilities extend far beyond simple credential theft. Its Accessibility Logger monitors all screen events, capturing text inputs, UI elements, and even one-time passwords (OTPs) from apps like Google Authenticator. A standout feature is its remote access toolkit, including a “hidden” mode that deploys black screen overlays and mutes audio to mask operator actions. Targeted screen captures allow real-time theft of OTPs. This level of control facilitates on-device fraud (ODF), allowing operators to execute transactions directly from compromised devices.
Crocodilus also employs a devious social engineering ploy targeting cryptocurrency users. After stealing a wallet PIN via overlays, it displays a fake alert stating: “Back up your wallet key in the settings within 12 hours. Otherwise, the app will be reset…” This manipulates victims into navigating to their seed phrases, which the Accessibility Logger harvests, granting attackers full wallet access. Initial campaigns focused on Spanish and Turkish banks and popular cryptocurrency wallets, but the malware’s dynamic C2 infrastructure suggests broader targeting is imminent. PolySwarm analysts consider Crocodilus to be an emerging threat.
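Because the whole chain above hinges on the victim granting Accessibility Services, a quick triage check on a managed or suspect device is to list which accessibility services are actually enabled and flag any that are not expected. The following is an added example (not PolySwarm's tooling and not code from the report): it parses the value of the Android secure setting `enabled_accessibility_services`, which is a colon-separated list of `package/ServiceClass` component names (or the literal string `null` when none are enabled), and compares it against an allowlist. The allowlist entries, the sample device output and the `com.example.fakechrome` package name are all constructed placeholders for illustration.

```python
"""Triage helper: report Android accessibility services that are enabled on a
device but are not on a known-good allowlist.

This is an illustrative example written for this page, not PolySwarm's code.
It assumes `adb` is on PATH only for the optional live query; the parsing and
comparison logic run offline on a captured setting value.
"""
import subprocess
from typing import Iterable, List, Optional

# Constructed allowlist of services an organisation expects to see enabled.
# Entries are illustrative placeholders, not a vetted list.
KNOWN_GOOD_SERVICES = {
    "com.google.android.marvin.talkback/"
    "com.google.android.marvin.talkback.TalkBackService",
}

# Constructed sample of what `settings get secure enabled_accessibility_services`
# might return on a device where an unexpected service has been enabled.
SAMPLE_SETTING_VALUE = (
    "com.google.android.marvin.talkback/"
    "com.google.android.marvin.talkback.TalkBackService:"
    "com.example.fakechrome/com.example.fakechrome.AccService"
)


def parse_enabled_services(setting_value: Optional[str]) -> List[str]:
    """Split the raw setting value into component names.

    Android stores the list as colon-separated `package/Class` strings and
    reports the literal string "null" when no service is enabled.
    """
    value = (setting_value or "").strip()
    if not value or value == "null":
        return []
    return [part.strip() for part in value.split(":") if part.strip()]


def flag_unexpected_services(
    setting_value: Optional[str],
    allowlist: Iterable[str] = KNOWN_GOOD_SERVICES,
) -> List[str]:
    """Return every enabled component that is not on the allowlist.

    Anything returned here deserves a closer look: the package that owns the
    service, how it was installed, and whether its label matches its identity.
    """
    allowed = set(allowlist)
    return [c for c in parse_enabled_services(setting_value) if c not in allowed]


def read_setting_via_adb(serial: Optional[str] = None) -> str:
    """Query a connected device for the raw setting value (requires adb)."""
    cmd = ["adb"]
    if serial:
        cmd += ["-s", serial]
    cmd += ["shell", "settings", "get", "secure", "enabled_accessibility_services"]
    return subprocess.run(cmd, capture_output=True, text=True, check=True).stdout


if __name__ == "__main__":
    # Offline demonstration on the constructed sample value.
    for component in flag_unexpected_services(SAMPLE_SETTING_VALUE):
        print("unexpected accessibility service enabled:", component)
```

To run it against a real device, replace the constructed sample with `read_setting_via_adb()`; an empty result from `flag_unexpected_services` means only allowlisted services are enabled, while any returned component should be cross-checked against the installing package and its origin.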
IOCs
PolySwarm has a sample of Crocodilus.
c5e3edafdfda1ca0f0554802bbe32a8b09e8cc48161ed275b8fec6d74208171f
You can use the following CLI command to search for all Crocodilus samples in our portal:
$ polyswarm link list -f Crocodilus
Don’t have a PolySwarm account? Go here to sign up for a free Community plan or subscribe.
Contact us at hivemind@polyswarm.io | Check out our blog | Subscribe to our reports.