# Crocodilus
Crocodilus is a device-takeover Android banking trojan that ThreatFabric discovered in March 2025 targeting banks and cryptocurrency wallets in Spain and Turkey. Unlike many newcomers that iterate from leaked source code or simple forks, Crocodilus arrived as a fully mature threat with remote control, black screen overlays, an accessibility logger that captures every screen element, and a novel contact list injection technique that plants fake "Bank Support" entries on the victim's phone to enable convincing vishing calls. By June 2025, ThreatFabric reported that Crocodilus had expanded to eight countries and added automated cryptocurrency seed phrase harvesting, confirming its trajectory as one of the fastest-evolving mobile threats of the year.
## Overview
| Attribute | Details |
|---|---|
| First Seen | March 2025 |
| Status | Active, rapidly expanding globally |
| Type | Banking trojan, device takeover, MaaS |
| Attribution | Unknown |
| Distribution | Proprietary dropper bypassing Android 13+ restrictions |
## Origin and Lineage
Crocodilus has no known code lineage to existing Android banking trojan families. ThreatFabric's initial analysis emphasized that the malware entered the scene as a fully fledged threat rather than evolving incrementally from a simpler predecessor or forking from leaked source code. Early samples contained Turkish-language debug artifacts suggesting a Turkish-speaking developer, though attribution remains unconfirmed.
The speed of Crocodilus's feature development and geographic expansion suggests experienced operators. Within three months of initial discovery, ThreatFabric documented significant capability upgrades and expansion from two countries to eight, a pace that exceeds most new families.
## Distribution
Crocodilus uses a proprietary dropper that bypasses Android 13+ restrictions on sideloaded apps. This is significant because Android 13 introduced tighter controls on granting accessibility service permissions to apps installed outside of official stores. The dropper circumvents these protections, allowing Crocodilus to obtain the accessibility permissions it needs for device takeover.
| Vector | Details |
|---|---|
| Proprietary dropper | Custom-built dropper that bypasses Android 13+ accessibility restrictions |
| Social engineering | Lures disguised as legitimate applications |
| MaaS distribution | Operators distribute through their own channels |
## Capabilities
### Core Features
| Capability | Implementation |
|---|---|
| Remote control | Full device takeover through accessibility service |
| Black screen overlay | Displays black screen to hide remote operations from the victim |
| Accessibility logger | Captures all screen elements displayed on the device, not just keystrokes |
| Credential theft | Overlay attacks targeting banking and cryptocurrency apps |
| Contact list injection | Adds fake "Bank Support" contact entries to the victim's phone |
| Seed phrase collector | Automated harvesting of cryptocurrency wallet recovery phrases |
| SMS interception | Reads and forwards SMS for OTP capture |
### Accessibility Logger
Crocodilus goes beyond standard keylogging by implementing a comprehensive accessibility logger that captures every element displayed on screen. This includes text fields, labels, buttons, and any other UI component rendered by the foreground application. The result is a complete record of everything the victim sees and interacts with, providing operators with credentials, account balances, transaction details, and seed phrases without requiring targeted overlay pages for each application.
### Contact List Injection
The contact list injection technique is novel among Android banking trojans. Crocodilus writes fake entries directly into the victim's contact list, typically adding numbers labeled as "Bank Support" or similar trusted names. When the operators later call the victim from those numbers, the victim's phone displays the spoofed contact name, making the incoming call appear to originate from their bank. This enables highly convincing vishing (voice phishing) calls where the attacker poses as bank support staff and instructs the victim to approve transactions or provide additional credentials.
### Cryptocurrency Seed Phrase Harvesting
ThreatFabric's June 2025 update documented an automated seed phrase collection mechanism. When the victim opens a cryptocurrency wallet app, Crocodilus displays a social engineering overlay instructing them to "back up" their wallet key by entering their seed phrase. The accessibility logger captures the entered phrase, which is then exfiltrated to the C2 server. This approach avoids the need for OCR-based seed theft from screenshots, instead tricking the victim into entering the phrase directly.
## Permissions
| Permission | Purpose |
|---|---|
| BIND_ACCESSIBILITY_SERVICE | Core dependency for device takeover, screen logging, and remote control |
| SYSTEM_ALERT_WINDOW | Display overlay injections and black screen during remote sessions |
| READ_SMS | Intercept SMS for OTP capture |
| RECEIVE_SMS | Real-time SMS interception |
| READ_CONTACTS | Read existing contacts before injecting fake entries |
| WRITE_CONTACTS | Inject fake "Bank Support" contact entries |
| READ_PHONE_STATE | Device fingerprinting |
| INTERNET | C2 communication |
| REQUEST_INSTALL_PACKAGES | Dropper installs main payload |
| RECEIVE_BOOT_COMPLETED | Persistence across reboots |
| FOREGROUND_SERVICE | Maintain persistent background operation |
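The permission set above is a useful static triage signal. The following is an added example (not code from the page or from ThreatFabric) that parses an AndroidManifest.xml and scores it against rules derived from that table; the rule weights, the alert threshold and both sample manifests are assumptions constructed for illustration.

```python
# Added example (not code from the page or from ThreatFabric): triage an
# AndroidManifest.xml for the permission combination listed in the table above.
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = "{%s}name" % ANDROID_NS
PERMISSION_ATTR = "{%s}permission" % ANDROID_NS

# Scoring rules derived from the Permissions table; the weights are an assumption.
RISK_RULES = [
    ("accessibility service", {"android.permission.BIND_ACCESSIBILITY_SERVICE"}, 3),
    ("overlay capability", {"android.permission.SYSTEM_ALERT_WINDOW"}, 2),
    ("SMS interception", {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS"}, 2),
    ("contact injection", {"android.permission.READ_CONTACTS", "android.permission.WRITE_CONTACTS"}, 2),
    ("dropper behaviour", {"android.permission.REQUEST_INSTALL_PACKAGES"}, 1),
]
ALERT_THRESHOLD = 7  # assumption: accessibility plus at least two other capabilities

def extract_permissions(manifest_xml: str) -> set[str]:
    """Collect <uses-permission> names plus the android:permission guarding any
    <service>; BIND_ACCESSIBILITY_SERVICE is declared there, not as uses-permission."""
    root = ET.fromstring(manifest_xml)
    perms = {e.get(NAME_ATTR) for e in root.iter("uses-permission")}
    perms |= {e.get(PERMISSION_ATTR) for e in root.iter("service")}
    return {p for p in perms if p}

def triage(manifest_xml: str) -> tuple[int, list[str]]:
    """Return (risk score, matched rule labels) for a manifest."""
    perms = extract_permissions(manifest_xml)
    matched = [(label, weight) for label, needed, weight in RISK_RULES if needed <= perms]
    return sum(w for _, w in matched), [label for label, _ in matched]

# Constructed manifest mimicking the profile above (not a real Crocodilus sample).
SUSPECT_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android">
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.WRITE_CONTACTS"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <application><service android:name=".Svc"
      android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/></application>
</manifest>"""

# Constructed manifest of a plain SMS app: same SMS permissions, no takeover chain.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android">
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
</manifest>"""
```

Calling `triage(SUSPECT_MANIFEST)` scores the constructed sample well above `ALERT_THRESHOLD`, while the SMS-only manifest matches a single rule; the point is that the combination, not any one permission, is the signal.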
## Technical Details
### Dropper Mechanism
The proprietary dropper is a key technical differentiator. Android 13 introduced restrictions that prevent sideloaded apps from requesting accessibility service permissions, a critical dependency for device-takeover malware. Crocodilus's dropper bypasses this restriction through an implementation that ThreatFabric described as purpose-built to defeat current platform protections. This working bypass made Crocodilus one of the few families with a solution for Android 13+ accessibility restrictions at the time of discovery.
### Black Screen Overlay
During remote access sessions, Crocodilus activates a black screen overlay combined with audio muting. This hides the operator's activity from the victim, who sees only a black screen and assumes the device is locked or idle. The technique is shared with other device-takeover trojans like Octo and Hook, but Crocodilus implements it alongside the full accessibility logger for comprehensive session capture.
### C2 Communication
Crocodilus communicates with its command-and-control infrastructure over encrypted channels. The C2 delivers overlay injection targets, receives exfiltrated credentials and accessibility logs, and sends remote control commands for device takeover sessions.
## C2 Infrastructure
| Component | Details |
|---|---|
| Protocol | HTTPS with encrypted payloads |
| Data flow | Bidirectional -- C2 pushes overlay configs and commands; bot sends credentials, accessibility logs, and device info |
| Overlay delivery | Injection HTML served from C2 and rendered in WebView |
| Remote sessions | Real-time command channel for device takeover operations |
| Infrastructure rotation | Observed domain changes between campaigns, suggesting operator-managed infrastructure |
## Target Regions
| Phase | Period | Regions |
|---|---|---|
| Initial | March 2025 | Spain, Turkey |
| Expansion | By June 2025 | Spain, Turkey, Argentina, Brazil, India, Indonesia, United States, and additional countries |
The initial targeting of Spain and Turkey, combined with Turkish-language debug strings in early samples, suggests the developers had established connections in these markets. The rapid expansion to Latin America, South Asia, and the US within three months demonstrates the operators' ambition and capability to scale operations globally.
Crocodilus also targets cryptocurrency wallets globally, independent of specific banking targets. The seed phrase harvesting capability works against any cryptocurrency wallet application regardless of the victim's country.
## Notable Campaigns
March 2025: ThreatFabric publishes the initial discovery of Crocodilus targeting Spanish and Turkish banks along with cryptocurrency wallets. The analysis highlights the proprietary dropper bypassing Android 13+ restrictions, the accessibility logger, and the contact list injection technique. ThreatFabric notes that the malware arrived fully mature rather than evolving from a simpler predecessor.
June 2025: ThreatFabric reports rapid evolution, documenting Crocodilus's expansion to eight countries including Argentina, Brazil, India, Indonesia, and the United States. The update reveals the addition of automated cryptocurrency seed phrase harvesting and continued refinement of the core device-takeover capabilities. The pace of development and geographic expansion confirms Crocodilus as a significant emerging threat in the mobile malware landscape.
## Related Families
Crocodilus shares the device-takeover approach with several established families. Octo pioneered remote access via screen streaming in Android banking trojans, while Hook combined VNC-style remote access with the Cerberus/Ermac lineage. Both use black screen overlays to conceal remote sessions, as does Crocodilus. However, Crocodilus is not derived from any of these families.
The contact list injection technique is unique to Crocodilus among known Android malware families. The closest parallel is Copybara's TOAD (Telephone-Oriented Attack Delivery) approach, which also combines malware with vishing calls, though Copybara relies on the operators initiating calls rather than planting fake contacts on the device.
For cryptocurrency targeting, Crocodilus's social-engineering-driven seed phrase capture contrasts with the OCR-based approaches used by SparkCat and SpyAgent, which scan the device's photo gallery for screenshots of seed phrases.
## Evolution
| Version | Period | Changes |
|---|---|---|
| Initial | March 2025 | Full device takeover, accessibility logger, contact injection, overlay attacks targeting Spain and Turkey |
| v2 | By June 2025 | Automated crypto seed phrase harvesting, expanded to 8 countries, refined remote access |
The speed of evolution from regional threat to global operation within three months is notable. Most banking trojan families take 6-12 months to achieve comparable geographic expansion. ThreatFabric attributed this to the maturity of the codebase at launch, suggesting the developers had significant prior experience.
## Detection
| Indicator Type | Details |
|---|---|
| Accessibility service abuse | App requesting accessibility with no legitimate UX justification |
| Contact injection | Unexpected new contacts with "Bank Support" or similar labels appearing without user action |
| Dropper behavior | APK circumventing Android 13+ accessibility restrictions for sideloaded apps |
| Black screen activation | Device appearing locked/idle while background network activity continues |
| Overlay windows | TYPE_APPLICATION_OVERLAY windows rendered over banking and crypto apps |
| Turkish debug strings | Debug artifacts in Turkish language in early samples |
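The contact injection indicator above can be checked mechanically where a baseline contact export exists (for example from an MDM backup). The following is an added example, not code from the page or from ThreatFabric: it diffs a baseline snapshot against the current contact list and flags new entries whose label mimics a bank or support line. The Spanish and Turkish keywords and all contact data are constructed assumptions; only the "Bank Support" label comes from the report.

```python
# Added example (not from the page or ThreatFabric): flag contact entries that
# look like Crocodilus-style "Bank Support" injections by diffing a baseline
# snapshot of the contact list against the current one.
import re
from dataclasses import dataclass

# "Bank Support" is the label the report names; the Spanish and Turkish words are
# assumed equivalents for the initial target regions, not strings from a sample.
TRUSTED_LABEL = re.compile(r"\b(bank|banco|banka|support|soporte|destek)\b", re.I)

@dataclass(frozen=True)
class Contact:
    name: str
    number: str

def normalize_number(number: str) -> str:
    """Strip spaces, dashes and brackets so formatting differences do not hide a match."""
    return re.sub(r"[^\d+]", "", number)

def injected_contacts(baseline: list[Contact], current: list[Contact]) -> list[Contact]:
    """Contacts absent from the baseline whose label mimics a bank or support line.
    Keying on (name, number) catches the case where the victim already has a real
    'Bank Support' entry and the malware adds a second one with the attacker's number."""
    known = {(c.name.casefold(), normalize_number(c.number)) for c in baseline}
    return [c for c in current
            if (c.name.casefold(), normalize_number(c.number)) not in known
            and TRUSTED_LABEL.search(c.name)]

def caller_is_injected(number: str, suspects: list[Contact]) -> bool:
    """True when an incoming call resolves to a flagged entry: the vishing step."""
    wanted = normalize_number(number)
    return any(normalize_number(c.number) == wanted for c in suspects)

# Constructed sample data: the baseline predates infection; the current list adds
# a second "Bank Support" entry pointing at a number the bank does not own.
BASELINE = [Contact("Ana Garcia", "+34 600 111 222"),
            Contact("Bank Support", "+34 900 123 456")]
CURRENT = BASELINE + [Contact("Bank Support", "+44 7700 900123"),
                      Contact("Pizza Napoli", "+34 911 222 333")]
```

On the constructed data only the second "Bank Support" entry is flagged, and `caller_is_injected` lets a call-screening or SOC tool tie an incoming number back to that injection.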