{
	"id": "a980d708-2a68-4d9d-abd0-7be084900555",
	"created_at": "2026-04-06T01:32:01.859574Z",
	"updated_at": "2026-04-10T03:30:33.446342Z",
	"deleted_at": null,
	"sha1_hash": "ff65b0acfa1b95239740065d7685f6a7e7895f71",
	"title": "Bombardino Crocodilo in Poland — analysis of IKO Lokaty mobile malware campaign",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3630372,
	"plain_text": "Bombardino Crocodilo in Poland — analysis of IKO Lokaty\r\nmobile malware campaign\r\nBy mvaks\r\nPublished: 2025-05-30 · Archived: 2026-04-06 01:25:28 UTC\r\nMay 28, 2025\r\nFollowing the recent campaign involving the NGate malware (my analysis is available here → link),\r\ncybercriminals have once again exploited the branding of well-known banks to distribute malicious software\r\ntargeting Android devices. This time, the attack vector shifted to malicious advertisements on social media\r\nplatforms. These ads falsely promoted a new banking program allegedly offering attractive deposit options.\r\nFacebook ads impersonating a Polish banking application\r\nThe malware belongs to the Crocodilus family, which was first analyzed by ThreatFabric researchers in late\r\nMarch this year. At that time, it was primarily deployed in campaigns targeting financial institutions in Spain and\r\nTurkey. Crocodilus is equipped with capabilities for device takeover, remote access, and overlay attacks,\r\nmaking it a potent threat in mobile cybercrime operations.\r\nhttps://medium.com/@mvaks/bombardino-crocodilo-in-poland-analysis-of-iko-lokaty-mobile-malware-campaign-502bd74947f3\r\nPage 1 of 15\r\nLet’s move on to the high-level behavioral analysis:\r\nThe legitimate banking app and the fake app used in the campaign.\r\nUpon launch, the fake banking app prompts the user to allow the installation of additional applications,\r\ndisguising the process as a required Play Store update. 
In reality, the update installs a secondary malicious\r\napplication named “IKO Lokata”, delivered as a hidden .apk file.\r\nOnce permissions are granted and the IKO Lokata app is installed, it immediately requests access to Accessibility\r\nServices — a critical step that enables the malware to gain full control over the device. Additionally, it asks for\r\npermissions to access contacts and send notifications, expanding its ability to harvest data and interact with the\r\nuser environment.\r\nTo further deceive the user, the malware mimics yet another system update — this time posing as an update for\r\nGoogle Chrome — as a way to legitimize its escalating permission requests and avoid suspicion.\r\nAfter the initial setup, the malicious app prompts the user to enter their PIN to supposedly log into the\r\napplication. Upon entering the PIN for the first time, the app displays a generic error message, claiming the PIN\r\nis incorrect.\r\nHowever, during analysis, it was observed that on the second attempt, the app presents a message stating that the\r\n“IKO Lokata” service has been successfully activated. 
It further informs the user that the bank requires up to\r\n48 hours to verify the provided information and complete the app configuration.\r\nThis delay tactic is a classic social engineering method, aimed at:\r\nCreating a false sense of legitimacy,\r\nPreventing the victim from becoming suspicious immediately,\r\nBuying time for the attacker to use the stolen credentials or access the compromised device remotely.\r\nThis behavior suggests the malware is designed not only to harvest credentials, but also to maintain persistence\r\nwhile minimizing the chances of early detection.\r\nLet’s dive deeper\r\nThe following section focuses on the technical analysis of the app.\r\nA closer look at the app’s AndroidManifest.xml file reveals the presence of the\r\nandroid.permission.REQUEST_INSTALL_PACKAGES permission. This permission allows the app to install\r\nadditional APKs programmatically, and is a strong indicator that the application is functioning as a dropper —\r\na component designed to deploy further stages of malware on the device.\r\nFurther analysis of the code reveals references to an external .dex file, suggesting the use of dynamic code\r\nloading, a common obfuscation and evasion technique.\r\nAdditionally, several class declarations found in the manifest do not exist in the static contents of the original APK\r\npackage. 
This discrepancy implies that some components of the app are either:\r\nLoaded dynamically at runtime,\r\nFetched from a remote source after installation,\r\nOr unpacked from encrypted assets bundled with the app.\r\nThese behaviors strongly indicate that the app is deliberately structured to hide malicious logic until execution,\r\nwhich is a hallmark of more advanced Android malware strains.\r\nAfter installing and launching the app in an emulator, we observed that within the code_cache directory associated\r\nwith the application, a file named ablemocker.vdex appears.\r\nThe presence of a .vdex file suggests that the application makes use of pre-verified and possibly optimized\r\nbytecode, typically generated by the Android Runtime during the installation process. VDEX files are often used\r\nto speed up app loading times by storing verified DEX instructions, but in the context of malware, they can also\r\nserve to obfuscate code and hinder static analysis.\r\nUnlike regular .dex files, .vdex files may contain compressed or optimized code, and tools for their direct analysis\r\nare limited or require additional unpacking and conversion steps. 
This significantly increases the complexity of\r\nreverse engineering, and is likely an intentional measure by the attackers to delay detection and hinder malware\r\nresearch.\r\nUpon launching the application, one can observe outgoing network traffic to a Telegram channel, suggesting that\r\nthe malware uses Telegram as part of its command-and-control (C2) infrastructure.\r\nhxxps://api.telegram.org/bot8055029511:AAH3AF978hUKj7X2J7C-Z4tuOhMD9EIFa-o/sendMessage?chat_id=754798\r\nFurther analysis shows that the code responsible for establishing the connection is present in the decrypted .dex\r\nfile. After decoding and examining the DEX content, hardcoded references to the Telegram Bot API and channel\r\nidentifiers can be found.\r\nStatic analysis of the DEX file also reveals an interesting method used to deliver the login screen. Instead of a\r\nnative interface, the login screen is actually an HTML page presented to the user, which the authors have hidden\r\nin the code by encoding it in base64.\r\nReferences to the dropped application, specifically iSZMv.apk, can also be observed within the code.\r\nHere, for the first time, we encounter code snippets written in Turkish. This observation supports the findings of\r\nThreatFabric researchers, who concluded that the malware is most likely developed in Turkey. 
Within the\r\napplication, we can also find phrases or code segments such as:\r\nSecond stage analysis\r\nIn the case of the second application, the same operational model is employed. Within the dropped .apk file, we\r\ncan find a .dex file named jasminenacho.dex, which, as shown in the screenshot below, again appears in the form\r\nof a .vdex file.\r\nWithin the .dex file, we can see the origin of the malware’s name — Crocodile. The name is derived from a code\r\nsnippet containing the phrase CROCODILE BOT 2025. Additionally, there are greetings to the well-known\r\nmalware researcher Lukáš Štefanko embedded within the code.\r\nIt can also be observed that the application was designed to support multiple language versions.\r\nThe application offers a wide range of functionalities, one of which is the ability to detect whether it is running in\r\nan emulated environment.\r\nThe malware includes automatic call initiation, potentially allowing attackers to place phone calls without user\r\ninteraction.\r\nThe malware communicates with a command-and-control (C2) server, the address of which is embedded within\r\nthe .dex file.\r\nExample of communication with the C2 server:\r\nTo understand and subsequently decrypt the communication, it is necessary to examine the encryption function.\r\nThe function takes arguments from two variables, carFileDoesnt and miniature, both of which are visible in the\r\nnetwork communication screenshot. It then performs a series of transformations:\r\nDecodes base64,\r\nReverses the byte order,\r\nPerforms another round of base64 decoding,\r\nFollowed by a final base64 decode, which is then used as the key or input for AES decryption.\r\nA Python script was written to replicate these steps, resulting in the decrypted output. Some fields within the\r\noutput have been intentionally redacted by me :-).\r\n{\"action\":\"hidden:)\",\r\n\"deviceID\":\"{hidden:)}\",\r\n\"C01039058573\":\"hidden:)\",\r\n\"localeCode\":\"us\",\r\n\"phoneTag\":\"ik-X\",\r\n\"phoneBuild\":\"13\",\r\n\"phoneModel\":\"Genymobile Google Pixel\",\r\n\"phoneCarrier\":\"Android\",\r\n\"OK2OXS1901Z9C\":100,\r\n\"screenModes\":1,\r\n\"TRCR1939OCFX92\":\"hidden:)\",\r\n\"D7W8S5X9X6X3X5z\":\"1\",\r\n\"PA0LAMD0RAR9S\":\"http:\\/\\/rentvillcr.homes\",\r\n\"CZK98TRUMS9P\":1,\r\n\"ER9PERM291Z\":1,\r\n\"S9F7563214582B\":\"0\",\r\n\"KL87TRKLX21\":\"0\"}\r\nSummary\r\nThe described mobile malware campaign leverages fake banking applications distributed via malicious social media\r\nads, continuing the abuse of legitimate bank brands. The malware, identified as part of the Crocodilus family,\r\nincludes advanced capabilities such as device takeover, overlay attacks, and emulator detection. It uses\r\nobfuscation techniques like base64-encoded HTML for login overlays and .vdex-wrapped .dex files to hinder\r\nanalysis. 
The malware communicates with a traditional command-and-control (C2) server, with the address\r\nembedded directly in the DEX file and traffic encrypted using layered base64 and AES. Static artifacts, such as\r\nTurkish language strings and embedded developer messages, suggest the malware originates from Turkey,\r\naligning with previous findings by ThreatFabric.\r\nIOCs:\r\nIKO Lokata purge.tremble 689579531a417b84ddbceb17c75d3c39\r\nIKO Lokata unrelated.hamburger e7551da0d6e05cce11d4bf3ae016bb15\r\nC2:\r\nhxxps://api.telegram.org/bot8055029511:AAH3AF978hUKj7X2J7C-Z4tuOhMD9EIFa-o/sendMessage?chat_id=754798\r\nhxxp://rentvillcr.homes\r\nSource: https://medium.com/@mvaks/bombardino-crocodilo-in-poland-analysis-of-iko-lokaty-mobile-malware-campaign-502bd74947f3",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://medium.com/@mvaks/bombardino-crocodilo-in-poland-analysis-of-iko-lokaty-mobile-malware-campaign-502bd74947f3"
	],
	"report_names": [
		"bombardino-crocodilo-in-poland-analysis-of-iko-lokaty-mobile-malware-campaign-502bd74947f3"
	],
	"threat_actors": [
		{
			"id": "75108fc1-7f6a-450e-b024-10284f3f62bb",
			"created_at": "2024-11-01T02:00:52.756877Z",
			"updated_at": "2026-04-10T02:00:05.273746Z",
			"deleted_at": null,
			"main_name": "Play",
			"aliases": null,
			"source_name": "MITRE:Play",
			"tools": [
				"Nltest",
				"AdFind",
				"PsExec",
				"Wevtutil",
				"Cobalt Strike",
				"Playcrypt",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775439121,
	"ts_updated_at": 1775791833,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/ff65b0acfa1b95239740065d7685f6a7e7895f71.pdf",
		"text": "https://archive.orkl.eu/ff65b0acfa1b95239740065d7685f6a7e7895f71.txt",
		"img": "https://archive.orkl.eu/ff65b0acfa1b95239740065d7685f6a7e7895f71.jpg"
	}
}