{
	"id": "76cc7efe-38e7-42d2-817b-c3604d0a97cf",
	"created_at": "2026-04-06T00:21:32.826038Z",
	"updated_at": "2026-04-10T03:20:30.009195Z",
	"deleted_at": null,
	"sha1_hash": "d45deff273c4dd0490494ce159d72c001f12674f",
	"title": "Crocodilus Mobile Malware: Evolving Fast, Going Global",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 959885,
	"plain_text": "Crocodilus Mobile Malware: Evolving Fast, Going Global\r\nPublished: 2024-10-01 · Archived: 2026-04-05 15:35:09 UTC\r\nIntroduction\r\nIn March 2025, the Mobile Threat Intelligence team discovered Crocodilus, a new device-takeover Android banking Trojan entering the threat landscape. The first observed samples were mostly related to test campaigns, with sporadic instances of live campaigns.\r\nOngoing monitoring of the threat landscape revealed a growing number of campaigns and continuous development of the Trojan. In this report, we cover the latest findings, including:\r\nNew campaigns expanding the target list to European countries and extending overseas to South America\r\nMalicious advertising campaigns distributing Crocodilus via social networks\r\nAn updated feature set, including the creation of new contacts in the victim’s contact list (likely for social engineering), and an automated seed phrase collector\r\nImproved obfuscation techniques applied to the dropper and malicious payload\r\nCroco-bonus - Get Free Malware!\r\nInitial Crocodilus samples showed evidence of operations in Europe, although early campaigns largely targeted Turkey. Recent activity reveals multiple campaigns now targeting European countries while continuing Turkish campaigns and expanding globally to South America.\r\nOne notable campaign that caught our analysts' attention was targeting users in Poland. Mimicking the apps of banks and e-commerce platforms, the malware was promoted via Facebook Ads. These ads encouraged users to download an app to claim bonus points. One of the identified ads is shown below:\r\nMalicious advertisement leading to Crocodilus dropper download\r\nhttps://www.threatfabric.com/blogs/crocodilus-mobile-malware-evolving-fast-going-global\r\nPage 1 of 4\r\nAccording to Facebook’s ad transparency data, these advertisements were live for just 1–2 hours, but each was shown more than a thousand times. The majority of viewers were over 35, indicating a focus on a solvent audience.\r\nUpon clicking the \"Download\" button, users were redirected to a malicious site that delivered the Crocodilus dropper, capable of bypassing Android 13+ restrictions.\r\nGoing Global - While Keeping Its Roots\r\nCrocodilus continues to run campaigns in Turkey, targeting users of major banks and cryptocurrency platforms. One such campaign disguised itself as an online casino. We suspect the distribution method remained malicious ads. Once installed, Crocodilus actively monitors the launch of Turkish financial apps, overlaying them with fake login pages.\r\nAnother campaign is targeting Spanish users, distributing Crocodilus disguised as a browser update. The target list includes nearly all Spanish banks, clearly showing a regional focus.\r\nIn addition to these targeted efforts, MTI has also observed smaller campaigns with very \"global\" target lists, involving apps from Argentina, Brazil, Spain, the US, Indonesia, and India.\r\nInterestingly, the disguises used in these campaigns include cryptocurrency mining apps and digital banks in Europe.\r\nNew Developments\r\nThe latest campaigns not only broaden Crocodilus’ geographic scope but also introduce enhancements to both the dropper and payload components.\r\nMalware developers have worked to improve obfuscation techniques in an attempt to hinder analysis and detection. These include:\r\nCode packing for both the dropper and payload\r\nAdditional XOR encryption of the payload (Crocodilus) to conceal it during analysis\r\nEntangled, convoluted code to complicate reverse engineering\r\nIn addition to improved obfuscation, the MTI team observed a new Crocodilus variant with several significant new features.\r\nA key feature update is the ability to modify the contact list on an infected device. Upon receiving the command “TRU9MMRHBCRO”, Crocodilus adds a specified contact to the victim’s contact list. This further increases the attacker’s control over the device. We believe the intent is to add a phone number under a convincing name such as “Bank Support”, allowing the attacker to call the victim while appearing legitimate. This could also bypass fraud prevention measures that flag unknown numbers.\r\nImproving the Quality of Stolen Data – Seed Phrase Collector\r\nJust like its predecessor, the new variant of Crocodilus pays a lot of attention to cryptocurrency wallet apps. This variant was equipped with an additional parser, helping to extract seed phrases and private keys of specific wallets.\r\nIt is based on the AccessibilityLogging feature, already present in the first variants but further improved with pre-processing of the logged data displayed on the screen, extracting data of a specific format based on regular expressions.\r\nTargeted apps and regular expressions used to extract data\r\nIn our previous blog about Crocodilus we highlighted the interest of cybercriminals in cryptocurrency wallets, as they were making victims open the wallet apps to further steal the data displayed on the screen. With additional parsing done on the device side, threat actors receive high-quality preprocessed data, ready to use in fraudulent operations like Account Takeover, targeting cryptocurrency assets of victims.\r\nConclusion\r\nThe latest campaigns involving the Crocodilus Android banking Trojan signal a concerning evolution in both the malware's technical sophistication and its operational scope. With newly added features, Crocodilus is now more adept at harvesting sensitive information and evading detection. Notably, its campaigns are no longer regionally confined; the malware has extended its reach to new geographical areas, underscoring its transition into a truly global threat.\r\nThis shift not only broadens the potential impact but also suggests a more organised and adaptive threat actor behind its deployment. As Crocodilus continues to evolve, organisations and users alike must stay vigilant and adopt proactive security measures to mitigate the risks posed by this increasingly sophisticated malware.\r\nAppendix\r\nIoCs\r\nApp name | Package name | SHA256 Hash | C2\r\nIKO | nuttiness.pamperer.cosmetics | 6d55d90d021b0980528f56d040e78fa7b85a96f5c244e23f330f24c8e80c1cb2 | rentvillcr[\r\nETH Mining app | apron.confusing | fb046b7d0e385ba7ad15b766086cd48b4b099e612d8dd0a460da2385dd31e09e | rentvillcr[\r\nSource: https://www.threatfabric.com/blogs/crocodilus-mobile-malware-evolving-fast-going-global",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.threatfabric.com/blogs/crocodilus-mobile-malware-evolving-fast-going-global"
	],
	"report_names": [
		"crocodilus-mobile-malware-evolving-fast-going-global"
	],
	"threat_actors": [],
	"ts_created_at": 1775434892,
	"ts_updated_at": 1775791230,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/d45deff273c4dd0490494ce159d72c001f12674f.pdf",
		"text": "https://archive.orkl.eu/d45deff273c4dd0490494ce159d72c001f12674f.txt",
		"img": "https://archive.orkl.eu/d45deff273c4dd0490494ce159d72c001f12674f.jpg"
	}
}