{
	"id": "0d128e6a-ce11-4b7e-966b-954e9f055df4",
	"created_at": "2026-04-06T02:13:04.496079Z",
	"updated_at": "2026-04-10T03:20:45.407241Z",
	"deleted_at": null,
	"sha1_hash": "ef8280161d12eb94930d7ae8f5e70b8589bae91f",
	"title": "Exposing Crocodilus: New Device Takeover Malware Targeting Android Devices",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 59652,
	"plain_text": "Exposing Crocodilus: New Device Takeover Malware Targeting Android Devices\r\nPublished: 2024-10-01 · Archived: 2026-04-06 01:30:29 UTC\r\n\r\nIntroduction\r\nThe mobile threat landscape has been shaped over the years by well-established banking Trojan families such as Anatsa, Octo, and Hook, each evolving to introduce new techniques for evading detection and maximising financial gain. These malware strains have demonstrated how effective mobile-focused threats can be, particularly when equipped with capabilities like overlay attacks, keylogging, and abuse of Android’s Accessibility Services. Their success has not only impacted banks and crypto platforms globally, but has also inspired a growing underground market hungry for similar or improved tools.\r\nThis environment has paved the way for the emergence of Crocodilus, a new and highly capable mobile banking Trojan discovered by ThreatFabric.\r\nCrocodilus enters the scene not as a simple clone, but as a fully-fledged threat from the outset, equipped with modern techniques such as remote control, black screen overlays, and advanced data harvesting via accessibility logging. This report explores the features of Crocodilus, its links to known threat actors, and how it lures victims into helping the malware steal their own credentials.\r\n\r\nNew Name on Threat Landscape\r\nDuring regular threat hunting operations, our Intel analysts came across previously unseen samples. Analysis revealed a completely new malware family, which we named “Crocodilus” based on references left by the developers (who call it \"Crocodile\"). Despite being new, it already includes all the necessary features of modern banking malware: overlay attacks, keylogging, remote access, and “hidden” remote control capabilities.\r\nThe modus operandi of Crocodilus is similar to what we expect from a modern Device Takeover banking Trojan. Initial installation is done via a proprietary dropper bypassing Android 13+ restrictions. Once installed, Crocodilus requests Accessibility Service to be enabled.\r\nOnce granted, the malware connects to the command-and-control (C2) server to receive instructions, including the list of target applications and the overlays to be used. It runs continuously, monitoring app launches and displaying overlays to intercept credentials.\r\nInitial campaigns observed by our Mobile Threat Intelligence team show targets primarily in Spain and Turkey, along with several cryptocurrency wallets. We expect this scope to broaden globally as the malware evolves.\r\nAnother data theft feature of Crocodilus is a keylogger. However, it is more accurate to call it an Accessibility Logger: the malware monitors all Accessibility events and captures all the elements displayed on the screen. In this way, it effectively logs all text changes performed by a victim, making it a keylogger, but its capabilities go beyond just keylogging.\r\nRAT command “TG32XAZADG” triggers a screen capture of the content of the Google Authenticator application, and this too is done using the aforementioned Accessibility Logging capabilities. Crocodilus will enumerate all the elements displayed on the screen in the Google Authenticator app, capture the text displayed (the name of the OTP code, as well as its value) and send these to the C2, allowing timely theft of OTP codes by the operators of Crocodilus. Bot and RAT commands are listed in the Appendix.\r\nWith stolen PII and credentials, threat actors can take full control of a victim’s device using built-in remote access, completing fraudulent transactions without detection.\r\nhttps://www.threatfabric.com/blogs/exposing-crocodilus-new-device-takeover-malware-targeting-android-devices\r\nPage 1 of 5\r\nCrocodilus is also able to make any remote access “hidden”, displaying a black screen overlay on top of all the activities and effectively hiding the actions performed by the malware. As part of this “hidden” activity the malware also mutes the sound on the infected device to ensure fraudulent activities remain unnoticed by the victim.\r\n\r\nOld Name Behind the Threat\r\nThe first Crocodilus samples discovered contain the tag “sybupdate”, which could be linked to a known threat actor in the mobile threat landscape, “sybra”, whom we have already observed operating one of the Ermac forks, \"MetaDroid\", as well as using the Hook and Octo mobile malware. However, it is hard to link \"sybra\" with the developer of Crocodilus, as they might also be a \"customer\" testing a potential new product entering the market of mobile banking Trojans.\r\nThe analysis of the malware source code also reveals debug messages left by the developer(s), based on which we conclude that they are Turkish speaking.\r\n\r\nMaking Victims Do the Work\r\nThere is one notable detail about overlays targeting cryptocurrency wallets: once a victim provides a password/PIN for the application, the overlay will display the message “Back up your wallet key in the settings within 12 hours. Otherwise, the app will be reset, and you may lose access to your wallet.”\r\nThis social engineering trick guides the victim to navigate to their seed phrase (wallet key), allowing Crocodilus to harvest the text using its Accessibility Logger. With this information, attackers can seize full control of the wallet and drain it completely.\r\n\r\nConclusions\r\nThe emergence of the Crocodilus mobile banking Trojan marks a significant escalation in the sophistication and threat level posed by modern malware. With its advanced Device-Takeover capabilities, remote control features, and the deployment of black overlay attacks from its earliest iterations, Crocodilus demonstrates a level of maturity uncommon in newly discovered threats.\r\nAlready observed targeting banks in Spain and Turkey and popular cryptocurrency wallets, Crocodilus is clearly engineered to go after high-value assets.\r\nThe rise of new threats like Crocodilus shows that basic, signature-based detection methods are no longer enough—especially in the early stages when the malware first starts spreading. To stay protected, financial institutions should adopt a layered security approach that includes thorough device and behaviour-based risk analysis on their customers’ devices.\r\n\r\nAppendix\r\n\r\nBot commands\r\nCommand Description\r\nTR039OQ1QXZXS Enable call forwarding\r\nDearTetherDest Perform USSD request\r\nMNKL9G0G9S1XZ Launch specified application\r\nGoodNightBro Self-remove from the device\r\nTEB9F0S29KWQ Post a push notification\r\nRT90SQ28X1Q Check for available overlays for installed applications\r\nKingOnlyDear Send SMS to specified number\r\nKingAllDear Send SMS to all contacts\r\nKingGetDears Get contact list\r\nKingGetTs Get installed applications list\r\nKingBoxSex Get SMS messages\r\nallAdmGet Request Device Admin privileges\r\nTBL03TSMLS Bulk send of SMS to specified numbers\r\nTR9S0XZ Enable black overlay\r\n||SettingsNew|| Update bot settings\r\n||UpdateTr0x910|| Update C2 settings\r\n||FreeApps|| No command; triggers check for created tasks to handle (including overlay download)\r\nchzModes Enable/disable sound\r\nmkLoper Lock screen\r\nCsxStx Enable/disable remote control session\r\nNwSrx Enable/disable keylogging\r\nmrSemploks Enable/disable self-protection against deletion\r\nonlineData List of enabled overlay targets\r\ninnaHotLive Enable/disable update of the target list\r\nSpinderSpike Make itself the default SMS manager\r\n\r\nRAT commands\r\nCommand Description\r\nInfinityGetTo Start front camera image streaming\r\nInfinityGetStop Stop front camera image streaming\r\n154856895422 Wake up device screen\r\nTR2XAQSWDEFRGT Enable/disable “hidden” RAT\r\nRightSlider Right swipe\r\nLeftSlider Left swipe\r\nBack_Action Perform “Back” action\r\nHome_Action Perform “Home” action\r\nMenu_Action Perform “Menu” action\r\n864512532655 Down swipe\r\n852147414735 Up swipe\r\n15485666L2 Lock device\r\nM55TRM321XA Mute phone and enable black overlay\r\nPCROC9F9PCROC Enable sound and remove overlay\r\nBL03902910AA Mute phone and enable black overlay\r\nBLD10192OQXX Enable sound and remove overlay\r\nclickScreen Perform click\r\ntrXSB123QEBASDF Perform complex gesture\r\nO6155FI2SXZ Modify text in focused area\r\nTCL9CLSKDLX12 Click a button\r\nmessagesLenght Write in focused area\r\nTG32XAZADG Capture screen content for Google Authenticator app\r\n\r\nIoCs\r\nApp name | Package name | SHA256 Hash | C2\r\nChrome | quizzical.washbowl.calamity | c5e3edafdfda1ca0f0554802bbe32a8b09e8cc48161ed275b8fec6d74208171f | register-buzzy[.]s\r\n\r\nSource: https://www.threatfabric.com/blogs/exposing-crocodilus-new-device-takeover-malware-targeting-android-devices",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.threatfabric.com/blogs/exposing-crocodilus-new-device-takeover-malware-targeting-android-devices"
	],
	"report_names": [
		"exposing-crocodilus-new-device-takeover-malware-targeting-android-devices"
	],
	"threat_actors": [],
	"ts_created_at": 1775441584,
	"ts_updated_at": 1775791245,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/ef8280161d12eb94930d7ae8f5e70b8589bae91f.pdf",
		"text": "https://archive.orkl.eu/ef8280161d12eb94930d7ae8f5e70b8589bae91f.txt",
		"img": "https://archive.orkl.eu/ef8280161d12eb94930d7ae8f5e70b8589bae91f.jpg"
	}
}