{"description": "Mobile techniques used by Crocodilus, ATT&CK software S9004 (v1.0)", "name": "Crocodilus (S9004)", "domain": "mobile-attack", "versions": {"layer": "4.5", "attack": "19", "navigator": "5.3.2"}, "techniques": [{"techniqueID": "T1453", "comment": "[Crocodilus](https://attack.mitre.org/software/S9004) has requested that the Accessibility Service be enabled. Upon approval, [Crocodilus](https://attack.mitre.org/software/S9004) has connected to the C2 server to receive instructions, has continuously monitored Accessibility events, and has captured elements, such as wallet keys, displayed on the device screen.(Citation: ThreatFabric_Crocodilus_March2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1626", "showSubtechniques": true}, {"techniqueID": "T1626.001", "comment": "[Crocodilus](https://attack.mitre.org/software/S9004) has the ability to request device administrator permissions.(Citation: ThreatFabric_Crocodilus_March2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1437", "showSubtechniques": true}, {"techniqueID": "T1437.001", "comment": "[Crocodilus](https://attack.mitre.org/software/S9004) has communicated with HTTP C2 nodes.(Citation: ThreatFabric_Crocodilus_March2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1616", "comment": "[Crocodilus](https://attack.mitre.org/software/S9004) has the ability to enable call forwarding.(Citation: ThreatFabric_Crocodilus_March2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1407", "comment": "[Crocodilus](https://attack.mitre.org/software/S9004) has received instructions and applications through communications with C2 while running.(Citation: ThreatFabric_Crocodilus_March2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1646", "comment": "[Crocodilus](https://attack.mitre.org/software/S9004) has the ability to send stolen data to C2.(Citation: ThreatFabric_Crocodilus_March2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1628", "showSubtechniques": true}, {"techniqueID": "T1628.002", "comment": "[Crocodilus](https://attack.mitre.org/software/S9004) has displayed a black screen overlay and has muted the sound of the device to conceal all malicious actions.(Citation: ThreatFabric_Crocodilus_March2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1629", "showSubtechniques": true}, {"techniqueID": "T1629.001", "comment": "[Crocodilus](https://attack.mitre.org/software/S9004) has the ability to prevent application removal.(Citation: ThreatFabric_Crocodilus_March2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1630", "showSubtechniques": true}, {"techniqueID": "T1630.001", "comment": "[Crocodilus](https://attack.mitre.org/software/S9004) has the ability to uninstall itself from the device.(Citation: ThreatFabric_Crocodilus_March2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1417", "showSubtechniques": true}, {"techniqueID": "T1417.001", "comment": "[Crocodilus](https://attack.mitre.org/software/S9004) has the ability to enable or disable keylogging.(Citation: ThreatFabric_Crocodilus_March2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1417.002", "comment": "[Crocodilus](https://attack.mitre.org/software/S9004) has used its AccessibilityLogging feature to collect user data, such as private keys of specific cryptocurrency wallets.(Citation: ThreatFabric_Crocodilus_June2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1516", "comment": "[Crocodilus](https://attack.mitre.org/software/S9004) has the ability to perform clicks and swipes (left, right, up, and down) on the screen, and actions such as \u201cBack,\u201d \u201cHome,\u201d and \u201cMenu.\u201d(Citation: ThreatFabric_Crocodilus_March2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1655", "comment": "[Crocodilus](https://attack.mitre.org/software/S9004) has masqueraded as legitimate applications, including applications related to financial institutions, cryptocurrency, gambling, browser updates, and occasionally geo-specific themes.(Citation: ThreatFabric_Crocodilus_June2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1406", "comment": "[Crocodilus](https://attack.mitre.org/software/S9004) has used XOR to encode its payload.(Citation: ThreatFabric_Crocodilus_June2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1406.002", "comment": "The [Crocodilus](https://attack.mitre.org/software/S9004) dropper and payload have been packed to hinder detection.(Citation: ThreatFabric_Crocodilus_June2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1636", "showSubtechniques": true}, {"techniqueID": "T1636.003", "comment": "[Crocodilus](https://attack.mitre.org/software/S9004) has the ability to collect the contact list.(Citation: ThreatFabric_Crocodilus_March2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1636.004", "comment": "[Crocodilus](https://attack.mitre.org/software/S9004) has the ability to collect SMS messages.(Citation: ThreatFabric_Crocodilus_March2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1513", "comment": "[Crocodilus](https://attack.mitre.org/software/S9004) has taken a screenshot of the Google Authenticator application using its Accessibility Logging feature. The authentication codes are then sent to the C2 server.(Citation: ThreatFabric_Crocodilus_March2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1582", "comment": "[Crocodilus](https://attack.mitre.org/software/S9004) has the ability to send SMS messages to a specified number, to a list of numbers, or to all contacts. Additionally, [Crocodilus](https://attack.mitre.org/software/S9004) has the ability to perform Unstructured Supplementary Service Data (USSD) requests.(Citation: ThreatFabric_Crocodilus_March2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1418", "comment": "[Crocodilus](https://attack.mitre.org/software/S9004) has the ability to collect a list of installed applications.(Citation: ThreatFabric_Crocodilus_March2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1512", "comment": "[Crocodilus](https://attack.mitre.org/software/S9004) has the ability to start and stop image streaming from the device\u2019s front camera.(Citation: ThreatFabric_Crocodilus_March2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}], "gradient": {"colors": ["#ffffff", "#66b1ff"], "minValue": 0, "maxValue": 1}, "legendItems": [{"label": "used by Crocodilus", "color": "#66b1ff"}]}