Full Report
A growing number of malicious campaigns have leveraged a recently discovered Android banking trojan called Crocodilus to target users in Europe and South America. The malware, according to a new report published by ThreatFabric, has also adopted improved obfuscation techniques to hinder analysis and detection, and includes the ability to create new contacts in the victim's contacts list. "Recent
Analysis Summary
# Tool/Technique: Crocodilus
## Overview
Crocodilus is a recently discovered and actively evolving Android banking trojan. First reported against users in Europe and South America, its campaigns have since been documented in Turkey, Poland, Spain, Argentina, Brazil, India, Indonesia, and the United States. Its primary goal is to steal banking credentials and cryptocurrency wallet seed phrases.
## Technical Details
- Type: Malware family (Android Banking Trojan)
- Platform: Android
- Capabilities: Overlay attacks to harvest banking credentials, abuse of accessibility services, remote command execution, contact list manipulation, and crypto wallet seed phrase extraction.
- First Seen: Publicly documented in March 2025.
## MITRE ATT&CK Mapping
Mapped against the MITRE ATT&CK Mobile matrix (Android); the enterprise tactic and technique IDs used for desktop malware do not apply here. Based on the described functionality:
- **TA0027 - Initial Access**
- T1456 - Drive-By Compromise (distribution via malicious sites linked from ads)
- **TA0030 - Defense Evasion**
- T1406 - Obfuscated Files or Information (enhanced obfuscation to hinder analysis and detection)
- T1655.001 - Masquerading: Match Legitimate Name or Location (posing as Google Chrome, browser updates or casino apps)
- **TA0031 - Credential Access**
- T1417.002 - Input Capture: GUI Input Capture (overlays shown on top of targeted banking applications)
- **TA0035 - Collection**
- T1513 - Screen Capture (Accessibility Service abuse to read on-screen wallet content and harvest seed phrases and private keys)
- **TA0037 - Command and Control**
- T1437 - Application Layer Protocol (target-application list and commands, including the add-contact instruction, fetched from an external server)
- **TA0036 - Exfiltration**
- T1646 - Exfiltration Over C2 Channel (implied for sending stolen credentials and seed phrases)
## Functionality
### Core Capabilities
- **Financial Credential Theft:** Launches overlay attacks against a predefined list of financial applications retrieved from an external server to capture user login details.
- **Cryptocurrency Theft:** Abuses Android Accessibility Service permissions to harvest seed phrases and private keys associated with cryptocurrency wallets.
- **Distribution:** Masquerades as legitimate applications (e.g., Google Chrome, web browser updates, online casino apps) or is delivered via malicious ads (e.g., on Facebook mimicking bank platforms).
### Advanced Features
- **Evasion:** Incorporates various obfuscation techniques to complicate reverse engineering and analysis efforts.
- **Contact Manipulation:** On receiving the remote command `TRU9MMRHBCRO`, the malware adds an operator-specified contact (e.g., one named "Bank Support") to the victim's contact list. ThreatFabric theorizes this is meant to defeat fraud-prevention measures that flag calls from unknown numbers, and to make follow-up social-engineering calls (for example, during a screen-sharing redirection) look like they come from the victim's bank.
- **Automated Seed Phrase Collection:** Features a parser specifically designed to extract seed phrases and private keys from targeted cryptocurrency wallets.
## Indicators of Compromise
*Note: The article provides no file hashes, C2 domains or other atomic indicators; only the behavioural indicators below are supported by the text.*
- File Hashes: not provided in the text
- File Names: masquerades as legitimate apps (e.g., Google Chrome, web browser updates, banking/e-commerce updates, online casino apps)
- Network Indicators: communication with an external server to retrieve commands and the list of targeted financial applications; no domains or IP addresses are given, so none are listed here
- Behavioral Indicators:
- Requesting and potentially abusing **Accessibility Service Permissions**.
- Displaying fraudulent overlays while banking/crypto apps are in the foreground.
- Attempting to add a new contact via device commands upon receiving specific instructions.
- Parsing data structures related to cryptocurrency wallet applications.
## Associated Threat Actors
- Affiliated threat actors are actively maintaining and evolving the malware, indicated by continuous feature development and expansion across multiple countries. (Specific named group not provided).
## Detection Methods
- Signature-based detection: Requires up-to-date signatures for known Crocodilus variants and smali/dex code patterns; the added obfuscation layer means static signatures decay quickly and need to be refreshed per variant.
- Behavioral detection: Monitoring for the granting of Accessibility Service access to newly installed or sideloaded apps, overlays drawn over financial applications, and attempts to programmatically modify the user's contact list.
- YARA rules: Would target unique strings or code structures tied to the obfuscation layer or the seed-phrase parser. The hardcoded C2 command token (`TRU9MMRHBCRO`) is one candidate string, with the caveat that obfuscated builds may encrypt such strings so that they only appear in memory at runtime.
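To make the behavioural indicators and detection points above concrete, the following is an added example (not code from ThreatFabric or the article) that triages two pieces of device state an analyst would pull over adb: the list of enabled accessibility services (`adb shell settings get secure enabled_accessibility_services`) and `adb shell dumpsys package <pkg>` for each non-allowlisted package holding that access. It flags packages that combine accessibility access with the overlay permission, contact-write permission, or a sideloaded install. The package names, the allowlist, and the captured text embedded below are constructed for illustration.

```python
import re
from dataclasses import dataclass, field

# Constructed stand-in for:  adb shell settings get secure enabled_accessibility_services
SAMPLE_ENABLED_A11Y = (
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:"
    "com.example.chromeupdate/com.example.chromeupdate.A11yService"
)

# Constructed excerpts in the shape of:  adb shell dumpsys package <pkg>
SAMPLE_DUMPSYS = {
    "com.google.android.marvin.talkback": """\
Package [com.google.android.marvin.talkback] (3f2a1b):
    installerPackageName=com.android.vending
    install permissions:
      android.permission.INTERNET: granted=true
""",
    "com.example.chromeupdate": """\
Package [com.example.chromeupdate] (7c9d0e):
    installerPackageName=null
    install permissions:
      android.permission.INTERNET: granted=true
      android.permission.SYSTEM_ALERT_WINDOW: granted=true
    User 0: installed=true
      runtime permissions:
        android.permission.WRITE_CONTACTS: granted=true, flags=[ USER_SET]
        android.permission.READ_CONTACTS: granted=true, flags=[ USER_SET]
""",
}

# Analyst-maintained allowlist of packages expected to hold accessibility access (constructed).
A11Y_ALLOWLIST = {"com.google.android.marvin.talkback"}

# Permissions that, alongside an enabled accessibility service, match the overlay
# and contact-injection behaviour described for Crocodilus.
PERM_OVERLAY = "android.permission.SYSTEM_ALERT_WINDOW"
PERM_CONTACTS = "android.permission.WRITE_CONTACTS"

_PERM_RE = re.compile(r"^\s*(android\.permission\.[A-Z_]+): granted=(true|false)", re.M)
_INSTALLER_RE = re.compile(r"installerPackageName=(\S+)")


@dataclass
class Finding:
    package: str
    service: str
    reasons: list = field(default_factory=list)

    @property
    def severity(self) -> str:
        # Accessibility alone is only suspicious; stacked with overlay/contacts/sideload it is high.
        return "high" if len(self.reasons) >= 3 else "medium"


def parse_enabled_accessibility(raw: str):
    """Split the colon-separated 'pkg/Service' list into (package, service) pairs."""
    pairs = []
    for entry in raw.strip().split(":"):
        if "/" in entry:
            pkg, svc = entry.split("/", 1)
            pairs.append((pkg, svc))
    return pairs


def parse_dumpsys_package(raw: str):
    """Extract granted permissions and the installer package from a dumpsys excerpt."""
    granted = {name for name, state in _PERM_RE.findall(raw) if state == "true"}
    m = _INSTALLER_RE.search(raw)
    installer = m.group(1) if m and m.group(1) != "null" else None
    return {"granted": granted, "installer": installer}


def triage(a11y_raw: str, dumpsys_by_pkg: dict, allowlist: set):
    """Return one Finding per non-allowlisted package with an enabled accessibility service."""
    findings = []
    for pkg, svc in parse_enabled_accessibility(a11y_raw):
        if pkg in allowlist:
            continue
        f = Finding(pkg, svc, ["accessibility service enabled for non-allowlisted package"])
        info = parse_dumpsys_package(dumpsys_by_pkg.get(pkg, ""))
        if PERM_OVERLAY in info["granted"]:
            f.reasons.append("holds SYSTEM_ALERT_WINDOW (overlay capability)")
        if PERM_CONTACTS in info["granted"]:
            f.reasons.append("holds WRITE_CONTACTS (can add 'Bank Support'-style entries)")
        if info["installer"] is None:
            f.reasons.append("no store installer recorded (sideloaded)")
        findings.append(f)
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_ENABLED_A11Y, SAMPLE_DUMPSYS, A11Y_ALLOWLIST):
        print(f"[{f.severity}] {f.package} ({f.service})")
        for r in f.reasons:
            print("   -", r)
```

On a real device, treat the `SYSTEM_ALERT_WINDOW` install-permission line as a hint only and confirm the effective overlay grant with `adb shell appops get <pkg> SYSTEM_ALERT_WINDOW`; the install permission can be listed as granted while the app op is denied. The allowlist should be built per fleet from packages that legitimately need accessibility access, otherwise screen readers and password managers will show up as findings.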
## Mitigation Strategies
- **Prevention:** Only download apps from official stores (Google Play) or trusted sources. Be highly suspicious of unsolicited updates or bonus offers presented via ads.
- **Hardening:** Review and restrict permissions, particularly Accessibility Services, granting them only to trusted applications that genuinely need them. Keep devices on current Android releases: since Android 13, restricted settings block sideloaded apps from being granted accessibility access through the normal settings flow, which blunts the Chrome-update lure.
- **User Education:** Warn users about overlay attacks and the risks associated with granting access to seed phrases/private keys. Educate users on identifying legitimate bank communications versus scam calls initiated via manipulated contact lists.
## Related Tools/Techniques
- Other Android Banking Trojans utilizing Accessibility Services (e.g., FluBot, TeaBot).
- Social engineering that builds on the device compromise, such as follow-up fraud calls that appear to come from a contact the malware itself injected.