Bombardino Crocodilo in Poland — analysis of IKO Lokaty
mobile malware campaign
By mvaks
Published: 2025-05-30 · Archived: 2026-04-06 01:25:28 UTC
8 min read
May 28, 2025
Following the recent campaign involving the NGate malware (my analysis is available here → link),
cybercriminals have once again exploited the branding of well-known banks to distribute malicious software
targeting Android devices. This time, the attack vector shifted to malicious advertisements on social media
platforms. These ads falsely promoted a new banking program allegedly offering attractive deposit options.
Press enter or click to view image in full size
Facebook ads impersonating a Polish banking application
The malware belongs to the Crocodilus family, which was first analyzed by ThreatFabric researchers in late
March this year. At that time, it was primarily deployed in campaigns targeting financial institutions in Spain and
Turkey. Crocodilus is equipped with capabilities for device takeover, remote access, and overlay attacks,
making it a potent threat in mobile cybercrime operations.
Press enter or click to view image in full size
https://medium.com/@mvaks/bombardino-crocodilo-in-poland-analysis-of-iko-lokaty-mobile-malware-campaign-502bd74947f3
Page 1 of 15

Let’s move on to the high-level behavioral analysis:
https://medium.com/@mvaks/bombardino-crocodilo-in-poland-analysis-of-iko-lokaty-mobile-malware-campaign-502bd74947f3
Page 2 of 15

The legitimate banking app and the fake app used in the campaign.
Upon launch, the fake banking app prompts the user to allow the installation of additional applications,
disguising the process as a required Play Store update. In reality, the update installs a secondary malicious
application named “IKO Lokata”, delivered as a hidden .apk file.
Press enter or click to view image in full size
https://medium.com/@mvaks/bombardino-crocodilo-in-poland-analysis-of-iko-lokaty-mobile-malware-campaign-502bd74947f3
Page 3 of 15

https://medium.com/@mvaks/bombardino-crocodilo-in-poland-analysis-of-iko-lokaty-mobile-malware-campaign-502bd74947f3
Page 4 of 15

Once permissions are granted and the IKO Lokata app is installed, it immediately requests access to Accessibility
Services — a critical step that enables the malware to gain full control over the device. Additionally, it asks for
permissions to access contacts and send notifications, expanding its ability to harvest data and interact with the
user environment.
To further deceive the user, the malware mimics yet another system update — this time posing as an update for
Google Chrome — as a way to legitimize its escalating permission requests and avoid suspicion.
Press enter or click to view image in full size
https://medium.com/@mvaks/bombardino-crocodilo-in-poland-analysis-of-iko-lokaty-mobile-malware-campaign-502bd74947f3
Page 5 of 15

After the initial setup, the malicious app prompts the user to enter their PIN to supposedly log into the
application. Upon entering the PIN for the first time, the app displays a generic error message, claiming the PIN
is incorrect.
However, during analysis, it was observed that on the second attempt, the app presents a message stating that the
“IKO Lokata” service has been successfully activated. It further informs the user that the bank requires up to
48 hours to verify the provided information and complete the app configuration.
Press enter or click to view image in full size
This delay tactic is a classic social engineering method, aimed at:
https://medium.com/@mvaks/bombardino-crocodilo-in-poland-analysis-of-iko-lokaty-mobile-malware-campaign-502bd74947f3
Page 6 of 15

Creating a false sense of legitimacy,
Preventing the victim from becoming suspicious immediately,
Buying time for the attacker to use the stolen credentials or access the compromised device remotely.
This behavior suggests the malware is designed not only to harvest credentials, but also to maintain persistence
while minimizing the chances of early detection.
Let’s dive deeper
The following section focuses on the technical analysis of the app.
A closer look at the app’s AndroidManifest.xml file reveals the presence of the
android.permission.REQUEST_INSTALL_PACKAGES permission. This permission allows the app to install
additional APKs programmatically, and is a strong indicator that the application is functioning as a dropper —
a component designed to deploy further stages of malware on the device.
Further analysis of the code reveals references to an external .dex file, suggesting the use of dynamic code
loading, a common obfuscation and evasion technique.
Additionally, several class declarations found in the manifest do not exist in the static contents of the original APK
package. This discrepancy implies that some components of the app are either:
Loaded dynamically at runtime,
Fetched from a remote source after installation,
Or unpacked from encrypted assets bundled with the app.
These behaviors strongly indicate that the app is deliberately structured to hide malicious logic until execution,
which is a hallmark of more advanced Android malware strains.
Press enter or click to view image in full size
https://medium.com/@mvaks/bombardino-crocodilo-in-poland-analysis-of-iko-lokaty-mobile-malware-campaign-502bd74947f3
Page 7 of 15

After installing and launching the app in an emulator, we observed that within the code_cache directory associated
with the application, a file named ablemocker.vdex appears.
The presence of a .vdex file suggests that the application makes use of pre-verified and possibly optimized
bytecode, typically generated by the Android Runtime during the installation process. VDEX files are often used
to speed up app loading times by storing verified DEX instructions, but in the context of malware, they can also
serve to obfuscate code and hinder static analysis.
Unlike regular .dex files, .vdex files may contain compressed or optimized code, and tools for their direct analysis
are limited or require additional unpacking and conversion steps. This significantly increases the complexity of
reverse engineering, and is likely an intentional measure by the attackers to delay detection and hinder malware
research.
Get mvaks’s stories in your inbox
Join Medium for free to get updates from this writer.
Remember me for faster sign in
Upon launching the application, one can observe outgoing network traffic to a Telegram channel, suggesting that
the malware uses Telegram as part of its command-and-control (C2) infrastructure.
hxxps://api.telegram.org/bot8055029511:AAH3AF978hUKj7X2J7C-Z4tuOhMD9EIFa-o/sendMessage?chat_id=754798
Further analysis shows that the code responsible for establishing the connection is present in the decrypted .dex
file. After decoding and examining the DEX content, hardcoded references to the Telegram Bot API, channel
identifiers can be found.
https://medium.com/@mvaks/bombardino-crocodilo-in-poland-analysis-of-iko-lokaty-mobile-malware-campaign-502bd74947f3
Page 8 of 15

Press enter or click to view image in full size
Static analysis of the DEX file also reveals an interesting method used to deliver the login screen. Instead of a
native interface, the login screen is actually an HTML page presented to the user, which the authors have hidden
in the code by encoding it in base64.
Press enter or click to view image in full size
Press enter or click to view image in full size
Press enter or click to view image in full size
https://medium.com/@mvaks/bombardino-crocodilo-in-poland-analysis-of-iko-lokaty-mobile-malware-campaign-502bd74947f3
Page 9 of 15

References to the dropped application, specifically iSZMv.apk, can also be observed within the code.
Here, for the first time, we encounter code snippets written in Turkish. This observation supports the findings of
ThreatFabric researchers, who concluded that the malware is most likely developed in Turkey. Within the
application, we can also find phrases or code segments such as:
https://medium.com/@mvaks/bombardino-crocodilo-in-poland-analysis-of-iko-lokaty-mobile-malware-campaign-502bd74947f3
Page 10 of 15

Press enter or click to view image in full size
Press enter or click to view image in full size
Second stage analysis
In the case of the second application, the same operational model is employed. Within the dropped .apk file, we
can find a .dex file named jasminenacho.dex, which, as shown in the screenshot below, again appears in the form
of a .vdex file.
Within the .dex file, we can see the origin of the malware’s name — Crocodile. The name is derived from a code
snippet containing the phrase CROCODILE BOT 2025. Additionally, there are greetings to the well-known
malware researcher Lukáš Štefanko embedded within the code.
Press enter or click to view image in full size
https://medium.com/@mvaks/bombardino-crocodilo-in-poland-analysis-of-iko-lokaty-mobile-malware-campaign-502bd74947f3
Page 11 of 15

It can also be observed that the application was designed to support multiple language versions.
Press enter or click to view image in full size
https://medium.com/@mvaks/bombardino-crocodilo-in-poland-analysis-of-iko-lokaty-mobile-malware-campaign-502bd74947f3
Page 12 of 15

The application offers a wide range of functionalities, one of which is the ability to detect whether it is running in
an emulated environment.
Press enter or click to view image in full size
The malware includes automatic call initiation, potentially allowing attackers to place phone calls without user
interaction.
Press enter or click to view image in full size
The malware communicates with a command-and-control (C2) server, the address of which is embedded within
the .dex file.
Press enter or click to view image in full size
Example of communication with the C2 server:
Press enter or click to view image in full size
https://medium.com/@mvaks/bombardino-crocodilo-in-poland-analysis-of-iko-lokaty-mobile-malware-campaign-502bd74947f3
Page 13 of 15

To understand and subsequently decrypt the communication, it is necessary to examine the encryption function.
The function takes arguments from two variables, carFileDoesnt and miniature, both of which are visible in the
network communication screenshot. It then performs a series of transformations:
Decodes base64,
Reverses the byte order,
Performs another round of base64 decoding,
Followed by a final base64 decode, which is then used as the key or input for AES decryption.
A Python script was written to replicate these steps, resulting in the decrypted output. Some fields within the
output have been intentionally or redacted by me :-).
{"action":"hidden:)",
"deviceID":"{hidden:)}",
"C01039058573":"hidden:)",
"localeCode":"us",
"phoneTag":"ik-X",
"phoneBuild":"13",
"phoneModel":"Genymobile Google Pixel",
"phoneCarrier":"Android",
"OK2OXS1901Z9C":100,
https://medium.com/@mvaks/bombardino-crocodilo-in-poland-analysis-of-iko-lokaty-mobile-malware-campaign-502bd74947f3
Page 14 of 15

"screenModes":1,
"TRCR1939OCFX92":"hidden:)",
"D7W8S5X9X6X3X5z":"1",
"PA0LAMD0RAR9S":"http:\/\/rentvillcr.homes",
"CZK98TRUMS9P":1,
"ER9PERM291Z":1,
"S9F7563214582B":"0",
"KL87TRKLX21":"0"}
Summary
Described mobile malware campaign leverages fake banking applications distributed via malicious social media
ads, continuing the abuse of legitimate bank brands. The malware, identified as part of the Crocodilus family,
includes advanced capabilities such as device takeover, overlay attacks, and emulator detection. It uses
obfuscation techniques like base64-encoded HTML for login overlays and .vdex -wrapped .dex files to hinder
analysis. The malware communicates with a traditional command-and-control (C2) server, with the address
embedded directly in the DEX file and traffic encrypted using layered base64 and AES. Static artifacts, such as
Turkish language strings and embedded developer messages, suggest the malware originates from Turkey,
aligning with previous findings by ThreatFabric.
IOCs:
IKO Lokata purge.tremble 689579531a417b84ddbceb17c75d3c39
IKO Lokata unrelated.hamburger e7551da0d6e05cce11d4bf3ae016bb15
C2:
hxxps://api.telegram.org/bot8055029511:AAH3AF978hUKj7X2J7C-Z4tuOhMD9EIFa-o/sendMessage?chat_id=754798
hxxp://rentvillcr.homes
Source: https://medium.com/@mvaks/bombardino-crocodilo-in-poland-analysis-of-iko-lokaty-mobile-malware-campaign-502bd74947f3
https://medium.com/@mvaks/bombardino-crocodilo-in-poland-analysis-of-iko-lokaty-mobile-malware-campaign-502bd74947f3
Page 15 of 15