Crocodilus is an Android banking Trojan that was discovered in March 2025. Crocodilus has targeted users worldwide, including in Turkey, Poland, Argentina, Brazil, Spain, the United States, Indonesia and India, and has been customized for each target region. For example, Crocodilus mimicked major Turkish and Spanish banks for users in Turkey and Spain, while users in Poland saw Facebook advertisements promoting Crocodilus as an application for claiming bonus points.[1][2]
| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1657 | Financial Theft | Crocodilus has stolen cryptocurrency wallet details from victim devices.[1][2] |
| Mobile | T1453 | Abuse Accessibility Features | Crocodilus has requested that the Accessibility Service be enabled. Upon approval, Crocodilus has connected to the C2 server to receive instructions, has continuously monitored Accessibility events, and has captured elements, such as wallet keys, displayed on the device screen.[1] |
| Mobile | T1626.001 | Abuse Elevation Control Mechanism: Device Administrator Permissions | Crocodilus has the ability to request device administrator permissions.[1] |
| Mobile | T1437.001 | Application Layer Protocol: Web Protocols | Crocodilus has communicated with HTTP C2 nodes.[1] |
| Mobile | T1616 | Call Control | Crocodilus has the ability to enable call forwarding.[1] |
| Mobile | T1407 | Download New Code at Runtime | Crocodilus has received instructions and applications through communications with C2 while running.[1] |
| Mobile | T1646 | Exfiltration Over C2 Channel | Crocodilus has the ability to send stolen data to C2.[1] |
| Mobile | T1628.002 | Hide Artifacts: User Evasion | Crocodilus has displayed a black screen overlay and has muted the sound of the device to conceal its malicious actions.[1] |
| Mobile | T1629.001 | Impair Defenses: Prevent Application Removal | Crocodilus has the ability to prevent application removal.[1] |
| Mobile | T1630.001 | Indicator Removal on Host: Uninstall Malicious Application | Crocodilus has the ability to uninstall itself from the device.[1] |
| Mobile | T1417.001 | Input Capture: Keylogging | Crocodilus has the ability to enable or disable keylogging.[1] |
| Mobile | T1417.002 | Input Capture: GUI Input Capture | Crocodilus has used its AccessibilityLogging feature to collect user data, such as the private keys of specific cryptocurrency wallets.[2] |
| Mobile | T1516 | Input Injection | Crocodilus has the ability to perform clicks and swipes (left, right, up and down) on the screen, as well as actions such as "Back," "Home," and "Menu."[1] |
| Mobile | T1655 | Masquerading | Crocodilus has masqueraded as legitimate applications, including applications related to financial institutions, cryptocurrency, gambling, browser updates and, occasionally, geo-specific themes.[2] |
| Mobile | T1406 | Obfuscated Files or Information | Crocodilus has used XOR to encode its payload.[2] |
| Mobile | T1406.002 | Obfuscated Files or Information: Software Packing | The Crocodilus dropper and payload have been packed to hinder detection.[2] |
| Mobile | T1636.003 | Protected User Data: Contact List | Crocodilus has the ability to collect the contact list.[1] |
| Mobile | T1636.004 | Protected User Data: SMS Messages | Crocodilus has the ability to collect SMS messages.[1] |
| Mobile | T1513 | Screen Capture | Crocodilus has taken screenshots of the Google Authenticator application using its Accessibility Logging feature. The captured authentication codes are then sent to the C2 server.[1] |
| Mobile | T1582 | SMS Control | Crocodilus has the ability to send SMS messages to a specified number, to a list of numbers, or to all contacts. Additionally, Crocodilus has the ability to perform Unstructured Supplementary Service Data (USSD) requests.[1] |
| Mobile | T1418 | Software Discovery | Crocodilus has the ability to collect a list of installed applications.[1] |
| Mobile | T1512 | Video Capture | Crocodilus has the ability to start and stop image streaming from the device’s front camera.[1] |