
Crocodilus: Android (and wallet) hunting

  • Javier Conejo del Cerro
  • 31 Mar
  • 3 min read


A new apex predator has emerged from the murky waters of the Android malware ecosystem. Crocodilus, a highly advanced banking trojan, is not a clone or unfinished experiment—it enters the scene as a mature and fully operational threat, equipped with a broad arsenal of techniques designed to deceive, hijack, and exploit.

First identified by ThreatFabric, Crocodilus appears to primarily target users in Spain and Turkey, though its modular nature and evasive capabilities suggest it could spread far beyond. What sets it apart is its deep integration with Android’s accessibility services, combined with social engineering and a stealth approach worthy of the most sophisticated malware families.

From the moment it lands on a device—masquerading as a fake Google Chrome app—Crocodilus operates with one goal in mind: complete device takeover and financial exfiltration.


Banking and crypto users on the crocodile's menu


Unlike traditional banking trojans, Crocodilus doesn’t limit itself to harvesting usernames and passwords. It seeks privileged control, using the accessibility API to log every interaction on the screen. It captures banking credentials, 2FA tokens, and even cryptographic seed phrases—the keys to entire wallets.

Victims are lured into granting permissions under the guise of a trustworthy Chrome browser. Once granted, Crocodilus connects to its command-and-control (C2) infrastructure and retrieves configuration data, including a list of financial apps to target and HTML overlays for impersonating them.

One of its most cunning tactics is deployed against cryptocurrency wallet users. Instead of mimicking a login page, it presents a fake alert urging victims to “back up” their seed phrase within a countdown window. The sense of urgency nudges users into manually navigating to their seed phrase, which the malware then captures silently. This tactic ensures attackers can fully control the wallet and drain its assets—often without immediate detection.

The malware also captures screen content from applications such as Google Authenticator, giving it access to OTPs and further compromising accounts that rely on 2FA security.


Reptilian hunt


Once active, Crocodilus becomes a persistent and invisible threat. It monitors app launches, tracks accessibility events, and deploys screen overlays to obscure malicious activity. Its key weapon: the black overlay screen, which masks the screen while operations are performed in the background—muting sound and eliminating visual cues.


Beyond its surveillance abilities, Crocodilus can execute a wide range of remote commands, giving attackers near-total control:

  • Launch or terminate specific applications

  • Request Device Admin privileges to entrench control

  • Send SMS to select or all contacts

  • Retrieve SMS and contact lists

  • Push fake system notifications

  • Enable or disable sound and keylogging

  • Monitor clipboard and screen content

  • Set itself as the default SMS manager

  • Update C2 configurations dynamically

  • Self-delete to erase forensic traces


These capabilities make Crocodilus not only a credential stealer, but a multi-purpose toolkit for espionage, fraud, and persistent access.


Defense Measures: See You Later, Alligator


With its comprehensive control and deceptive overlays, Crocodilus represents the next generation of mobile malware. Defending against it requires a layered security approach for both individuals and organizations:


  • Avoid sideloading apps from unofficial sources and verify publishers—even familiar ones like Chrome.

  • Restrict Accessibility Services permissions and conduct routine audits of apps that have access.

  • Disable install-from-unknown-sources across enterprise-managed mobile devices.

  • Deploy Mobile Threat Defense (MTD) and Endpoint Detection and Response (EDR) solutions with behavioral anomaly detection.

  • Monitor app behavior in real time, particularly for suspicious overlays, permission changes, or interactions with financial applications.
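The second and third measures above (restricting Accessibility Services and auditing which apps hold that permission) can be scripted against a managed device over adb. The script below is an added example written for this article, not code from the original post or from ThreatFabric's research. It assumes the device is reachable with `adb`, that the allowlist of approved accessibility services is a constructed placeholder an organisation would replace with its own, and that the "looks like Chrome but is not the genuine package" heuristic is a reasonable first filter given that Crocodilus masquerades as Google Chrome.

```python
"""Audit which apps hold Android Accessibility Service access.

Added example for this article, not part of the original post.
Assumptions (labelled): the audited device is reachable over adb, and
DEFAULT_ALLOWLIST is a constructed placeholder to be replaced with the
services a given organisation has actually approved.
"""
import subprocess
from dataclasses import dataclass

# Android stores enabled services in Settings.Secure under
# "enabled_accessibility_services" as a ':'-separated list of flattened
# ComponentNames, e.g. "pkg/pkg.Service:other.pkg/.Service".
SEPARATOR = ":"

# Constructed allowlist: accessibility services approved for use.
DEFAULT_ALLOWLIST = {
    "com.google.android.marvin.talkback",  # TalkBack screen reader
}

# The genuine Chrome package name; any other package calling itself
# "chrome" that registers an accessibility service is suspicious.
GENUINE_CHROME = "com.android.chrome"


@dataclass(frozen=True)
class Finding:
    package: str
    service: str
    reason: str


def parse_enabled_services(raw: str) -> list[tuple[str, str]]:
    """Split the raw setting value into (package, service class) pairs."""
    pairs = []
    for entry in raw.strip().split(SEPARATOR):
        entry = entry.strip()
        if not entry or "/" not in entry:
            continue  # empty value, or "null" when nothing is enabled
        package, service = entry.split("/", 1)
        if service.startswith("."):  # shorthand relative class name
            service = package + service
        pairs.append((package, service))
    return pairs


def audit(raw: str, allowlist=DEFAULT_ALLOWLIST) -> list[Finding]:
    """Return every enabled service that is not explicitly approved."""
    findings = []
    for package, service in parse_enabled_services(raw):
        if package in allowlist:
            continue
        if "chrome" in package.lower() and package != GENUINE_CHROME:
            reason = "accessibility service in a package impersonating Chrome"
        else:
            reason = "accessibility service not on the allowlist"
        findings.append(Finding(package, service, reason))
    return findings


def read_secure_setting(name: str) -> str:
    """Read a Settings.Secure value from the connected device via adb."""
    out = subprocess.run(
        ["adb", "shell", "settings", "get", "secure", name],
        capture_output=True, text=True, check=True,
    ).stdout.strip()
    return "" if out == "null" else out


if __name__ == "__main__":
    # accessibility_enabled is "0"/"1"; the service list is what matters.
    print("accessibility_enabled =", read_secure_setting("accessibility_enabled"))
    raw = read_secure_setting("enabled_accessibility_services")
    for f in audit(raw):
        print(f"{f.package} ({f.service}): {f.reason}")
```

Run it from an administrator workstation with the device attached; an empty result means only allowlisted services are enabled. Because an accessibility service is exactly what gives Crocodilus its screen-reading and overlay capabilities, any unexpected entry here is worth treating as an incident rather than a configuration drift.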


For organizations with mobile-centric operations, educating employees and implementing zero-trust mobile device policies are critical to reducing risk.

Crocodilus is a landmark evolution in Android malware. It is stealthy, sophisticated, and surgical in its execution. With capabilities that blur the line between device management and malware exploitation, it highlights the growing weaponization of accessibility features in mobile ecosystems.


Its focus on Spain and Turkey may only be the beginning. As it spreads, Crocodilus underscores a chilling truth: the days of simplistic banking trojans are over. We are now dealing with fully-fledged mobile cyberweapons capable of breaching personal finances, organizational security, and even digital sovereignty.

Staying safe requires more than just awareness—it requires constant vigilance, technical enforcement, and collective defense. The hunt is on.

