Crocodilus Mobile Malware: A Comprehensive Analysis of Its Evolution and Global Threat

Introduction
In March 2025, ThreatFabric’s Mobile Threat Intelligence team identified a new Android banking Trojan named Crocodilus. First seen in what looked like test campaigns, Crocodilus has evolved rapidly and now reaches victims across Europe and South America. Its capabilities include remote device takeover, credential harvesting through overlays and Accessibility Service logging, and layered obfuscation, which together pose a significant risk to financial institutions and their customers.(threatfabric.com)
Global Expansion and Distribution Tactics
Crocodilus has moved from regional targeting to global campaigns. In Poland, a campaign used Facebook Ads that mimicked banking and e-commerce platforms and promised bonus points. The ads were short-lived but reached thousands of users, most of them over 35, a demographic the operators presumably chose for its higher account balances. Clicking through led to malicious sites serving the Crocodilus dropper, which is able to bypass the restricted-settings protections that Android 13+ applies to sideloaded apps (the guardrails that normally stop such apps from being granted Accessibility Service access).(threatfabric.com)
In Turkey, Crocodilus posed as an online casino app and overlaid legitimate financial apps with fake login pages to harvest credentials. In Spain it masqueraded as a browser update and targeted nearly every Spanish bank. Smaller campaigns have also been observed in Argentina, Brazil, the United States, Indonesia and India, indicating a deliberate move towards a global presence.(threatfabric.com)
Technical Advancements and Obfuscation Techniques
Crocodilus has received several technical enhancements aimed at evading detection and analysis:(threatfabric.com)
- Code Packing and XOR Encryption: Both the dropper and the payload are packed and XOR-encrypted, so strings and code only become visible once the blob is decrypted at runtime, which complicates static analysis.(threatfabric.com)
- Convoluted Code Structures: The code is deliberately entangled and obfuscated to slow down reverse engineering.(threatfabric.com)
- Accessibility Logging: Once granted Accessibility Service access, the malware records accessibility events and so captures the text of whatever the user sees or types, including credentials and other sensitive content shown on screen.(threatfabric.com)
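The XOR layer described above is usually the first obstacle an analyst hits. The following is an added example (not code from the ThreatFabric report or from the malware) of the standard known-plaintext shortcut: if the packed blob is an APK or DEX, its first bytes are known, so a short repeating XOR key can be recovered by XORing the ciphertext prefix with the expected magic and checking that the candidate key reproduces the whole magic. The DEX magic, the 4-byte key-length limit and the sample blob are assumptions made for the demonstration; real packers may use longer keys or a different scheme.

```python
"""Recover a short repeating XOR key from a packed blob via known plaintext.

Added example. Assumes the decrypted payload starts with a known header
(here the classes.dex magic) and that the key is at most MAX_KEY_LEN bytes.
"""
from itertools import cycle
from typing import Optional

DEX_MAGIC = b"dex\n035\x00"   # header of a classes.dex file (version 035)
ZIP_MAGIC = b"PK\x03\x04"      # alternative if the payload is a whole APK
MAX_KEY_LEN = 4                # assumption; must be shorter than the known prefix


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR data with a repeating key (encrypt and decrypt are the same op)."""
    if not key:
        raise ValueError("empty key")
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def recover_xor_key(blob: bytes, known_prefix: bytes = DEX_MAGIC,
                    max_key_len: int = MAX_KEY_LEN) -> Optional[bytes]:
    """Known-plaintext key recovery for repeating-key XOR.

    For each candidate length L, the key is ciphertext[:L] XOR plaintext[:L].
    A candidate is accepted only if repeating it reproduces the entire known
    prefix, so L must be strictly shorter than the prefix for the check to
    be meaningful. A key that is itself periodic (e.g. b"abab") is reported
    at its shortest period, which decrypts identically.
    """
    if max_key_len >= len(known_prefix):
        raise ValueError("max_key_len must be shorter than the known prefix")
    if len(blob) < len(known_prefix):
        return None
    for klen in range(1, max_key_len + 1):
        key = xor_bytes(blob[:klen], known_prefix[:klen])
        if xor_bytes(blob[:len(known_prefix)], key) == known_prefix:
            return key
    return None


def unpack(blob: bytes, known_prefix: bytes = DEX_MAGIC) -> Optional[bytes]:
    """Return the decrypted blob, or None if no key fits the known prefix."""
    key = recover_xor_key(blob, known_prefix)
    return None if key is None else xor_bytes(blob, key)


# Constructed sample: a DEX-like payload packed with a 3-byte key.
SAMPLE_KEY = b"\x5a\xc3\x17"
SAMPLE_PLAINTEXT = DEX_MAGIC + b"\x00" * 8 + b"Lcom/example/Loader;"
SAMPLE_BLOB = xor_bytes(SAMPLE_PLAINTEXT, SAMPLE_KEY)

if __name__ == "__main__":
    key = recover_xor_key(SAMPLE_BLOB)
    print("recovered key:", key.hex() if key else None)
    print("decrypted prefix:", unpack(SAMPLE_BLOB)[:8])
```

In practice you would try each plausible magic (DEX, ZIP, ELF) against the blob and then carve the result with a normal DEX or ZIP parser; if none fits, the sample is using something more than a short static XOR key.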
Indicators of Compromise
The June 2025 report lists the following samples (domains are defanged):(threatfabric.com)
Sample 1: fake IKO banking app
- App Name: IKO
- Package Name: nuttiness.pamperer.cosmetics
- SHA256 Hash: 6d55d90d021b0980528f56d040e78fa7b85a96f5c244e23f330f24c8e80c1cb2
- Command-and-Control Server: rentvillcr[.]homes
Sample 2: fake ETH Mining app
- App Name: ETH Mining app
- Package Name: apron.confusing
- SHA256 Hash: fb046b7d0e385ba7ad15b766086cd48b4b099e612d8dd0a460da2385dd31e09e
- Command-and-Control Server: rentvillcr[.]online
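The indicators above are only useful once they are matched against what your fleet actually produces. The block below is an added example (not from the ThreatFabric report) that takes the page's package names, hashes and defanged C2 domains and checks them against three kinds of collected artifacts: an installed-package list, `sha256sum` output for collected APKs, and DNS query log lines. The log line format, the hostnames and the benign hash (the SHA256 of an empty file) are constructed for the demonstration; domain matching covers subdomains, since C2 hosts often appear as `api.` or `cdn.` labels under the registered domain.

```python
"""Match collected artifacts against the published Crocodilus IOCs.

Added example. The IOC values are those listed in the report above; the
artifact samples at the bottom are constructed for the demonstration.
"""
import re
from typing import Dict, Iterable, List, Set

CROCODILUS_IOCS: Dict[str, Set[str]] = {
    "package": {"nuttiness.pamperer.cosmetics", "apron.confusing"},
    "sha256": {
        "6d55d90d021b0980528f56d040e78fa7b85a96f5c244e23f330f24c8e80c1cb2",
        "fb046b7d0e385ba7ad15b766086cd48b4b099e612d8dd0a460da2385dd31e09e",
    },
    "domain": {"rentvillcr[.]homes", "rentvillcr[.]online"},  # defanged as published
}

SHA256SUM_RE = re.compile(r"^([0-9a-fA-F]{64})\s+\*?(.+)$")
# Assumed resolver log format: "<ts> <client> query <name> <type>"
DNS_QUERY_RE = re.compile(r"\bquery\s+([A-Za-z0-9.\[\]-]+)")


def refang(indicator: str) -> str:
    """Turn a defanged indicator back into its matchable form."""
    return indicator.replace("[.]", ".").replace("hxxp", "http").strip().lower()


def domain_hits(fqdn: str, ioc_domains: Iterable[str]) -> bool:
    """True if fqdn equals an IOC domain or is a subdomain of one."""
    name = refang(fqdn).rstrip(".")
    for ioc in ioc_domains:
        ioc = refang(ioc)
        if name == ioc or name.endswith("." + ioc):
            return True
    return False


def scan_artifacts(packages: Iterable[str], sha256sum_lines: Iterable[str],
                   dns_lines: Iterable[str],
                   iocs: Dict[str, Set[str]] = CROCODILUS_IOCS) -> List[dict]:
    """Return one finding per artifact that matches an IOC."""
    findings: List[dict] = []
    for pkg in packages:
        if pkg.strip().lower() in iocs["package"]:
            findings.append({"type": "package", "value": pkg.strip(), "source": "pm list packages"})
    for line in sha256sum_lines:
        m = SHA256SUM_RE.match(line.strip())
        if m and m.group(1).lower() in iocs["sha256"]:
            findings.append({"type": "sha256", "value": m.group(1).lower(), "source": m.group(2)})
    for line in dns_lines:
        m = DNS_QUERY_RE.search(line)
        if m and domain_hits(m.group(1), iocs["domain"]):
            findings.append({"type": "domain", "value": refang(m.group(1)), "source": line.strip()})
    return findings


# Constructed sample artifacts (not real telemetry).
SAMPLE_PACKAGES = ["com.android.vending", "nuttiness.pamperer.cosmetics", "com.example.notes"]
SAMPLE_HASHES = [
    "fb046b7d0e385ba7ad15b766086cd48b4b099e612d8dd0a460da2385dd31e09e  ETHMining.apk",
    "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855  benign.apk",
]
SAMPLE_DNS = [
    "2025-06-03T10:12:01Z 10.0.0.5 query rentvillcr.homes A",
    "2025-06-03T10:12:02Z 10.0.0.5 query api.rentvillcr.online A",
    "2025-06-03T10:12:03Z 10.0.0.5 query www.google.com A",
]

if __name__ == "__main__":
    for f in scan_artifacts(SAMPLE_PACKAGES, SAMPLE_HASHES, SAMPLE_DNS):
        print(f"[{f['type']}] {f['value']}  <- {f['source']}")
```

Keep the IOC set defanged in source control and refang only at match time; that avoids tooling (or a careless copy-paste) resolving the C2 domain.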
Recommendations
- Educate Users: Warn users about installing apps from ads, links or unofficial stores, and about granting Accessibility Service access to anything other than a genuine assistive-technology app; the Polish campaign depended on exactly this kind of social engineering.
- Deploy Behavioral Detection: Use mobile security tooling that flags anomalous behaviour such as a newly sideloaded app enabling an Accessibility Service or drawing overlays on top of banking apps.
- Keep Devices Patched: Apply OS and app updates promptly. Crocodilus relies on social engineering and Accessibility abuse rather than on a specific exploit, but current platform protections (such as the Android 13+ restricted settings for sideloaded apps) raise the cost of the attack.
- Monitor for IOCs: Continuously check device inventories, APK hashes and DNS or proxy logs against the indicators listed above so infections are detected and contained quickly.(threatfabric.com)
- Restrict Accessibility Service Permissions: On managed devices, allow Accessibility Services only for an approved list of applications, and periodically audit which services are enabled and where each app was installed from.(threatfabric.com)
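The last recommendation is easy to turn into a repeatable check. The block below is an added example (not from the ThreatFabric report) that parses the output of two adb commands, assumed to have been captured from a device beforehand, and flags every enabled Accessibility Service whose package did not come from a trusted store. The trusted-installer set (Google Play only), the treatment of installer `null` as preloaded system software, and the sample device output are assumptions for the demonstration; real fleets add their own MDM or OEM store here.

```python
"""Audit enabled Android Accessibility Services against each app's installer.

Added example. Input is the text of:
  adb shell settings get secure enabled_accessibility_services
  adb shell pm list packages -i
Packages with installer "null" are treated as preloaded/system (assumption).
"""
import re
from typing import Dict, List, Optional, Set, Tuple

TRUSTED_INSTALLERS: Set[str] = {"com.android.vending"}  # Google Play; extend per policy
INSTALLER_RE = re.compile(r"^package:(\S+)\s+installer=(\S+)$")


def parse_enabled_services(setting: str) -> List[Tuple[str, str]]:
    """Parse 'pkg/cls:pkg2/cls2' into (package, class) pairs; 'null' means none."""
    setting = (setting or "").strip()
    if not setting or setting == "null":
        return []
    pairs: List[Tuple[str, str]] = []
    for entry in setting.split(":"):
        if "/" not in entry:
            continue
        pkg, cls = entry.split("/", 1)
        if cls.startswith("."):          # abbreviated class name, relative to pkg
            cls = pkg + cls
        pairs.append((pkg, cls))
    return pairs


def parse_installers(pm_lines) -> Dict[str, Optional[str]]:
    """Map package name -> installer package (None for 'null')."""
    installers: Dict[str, Optional[str]] = {}
    for line in pm_lines:
        m = INSTALLER_RE.match(line.strip())
        if m:
            installers[m.group(1)] = None if m.group(2) == "null" else m.group(2)
    return installers


def audit_accessibility(setting: str, pm_lines,
                        trusted: Set[str] = TRUSTED_INSTALLERS) -> List[dict]:
    """Flag enabled services from untrusted or unknown packages."""
    installers = parse_installers(pm_lines)
    findings: List[dict] = []
    for pkg, cls in parse_enabled_services(setting):
        if pkg not in installers:
            findings.append({"package": pkg, "service": cls, "installer": None,
                             "reason": "package not present in pm list output"})
        elif installers[pkg] is not None and installers[pkg] not in trusted:
            findings.append({"package": pkg, "service": cls, "installer": installers[pkg],
                             "reason": "installed outside trusted store"})
    return findings


# Constructed sample device output (not real telemetry). The second service
# belongs to the package name listed in the IOCs above, sideloaded via the
# stock package installer, which is the pattern this check is meant to catch.
SAMPLE_SETTING = (
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:"
    "nuttiness.pamperer.cosmetics/.AccService:"
    "com.unknown.app/.Svc"
)
SAMPLE_PM = [
    "package:com.google.android.marvin.talkback  installer=com.android.vending",
    "package:nuttiness.pamperer.cosmetics  installer=com.google.android.packageinstaller",
    "package:com.android.settings  installer=null",
]

if __name__ == "__main__":
    for f in audit_accessibility(SAMPLE_SETTING, SAMPLE_PM):
        print(f"FLAG {f['package']} ({f['service']}): {f['reason']}, installer={f['installer']}")
```

Run it per device from an MDM or a nightly adb job; a hit on a package that is also in the IOC list is grounds for immediate isolation, and a hit on an unknown sideloaded package is at least grounds for a closer look.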
References
- ThreatFabric. (2025, June 3). Crocodilus Mobile Malware: Evolving Fast, Going Global. Retrieved from https://www.threatfabric.com/blogs/crocodilus-mobile-malware-evolving-fast-going-global
- ThreatFabric. (2025, March 28). Exposing Crocodilus: New Device Takeover Malware Targeting Android Devices. Retrieved from https://www.threatfabric.com/blogs/exposing-crocodilus-new-device-takeover-malware-targeting-android-devices