Crocodilus Android Malware Emerges as Top-Tier Threat to Banking and Crypto Apps

Threat Group: Potentially linked to "sybra"
Threat Type: Android Banking Trojan
Exploited Vulnerabilities: Abuse of Android Accessibility Services, Android 13+ "Restricted Settings" bypass
Malware Used: Crocodilus (variant: Pragma)
Threat Score: 🔥 Critical (9.1/10) – Due to advanced obfuscation, bypass of Android protections, cryptocurrency seed collection, and global targeting capabilities.
Last Threat Observation: June 4, 2025


Overview

Crocodilus is a newly identified, highly sophisticated Android banking Trojan first discovered in March 2025. Unlike most emerging threats that start with basic functionality, Crocodilus entered the threat landscape with a full suite of advanced capabilities. From inception, it demonstrated robust remote access features, stealthy black screen overlays, and advanced accessibility logging for data theft. Its high maturity at launch suggests development by a skilled, well-funded threat group.

In the three months since its discovery, Crocodilus has rapidly evolved, adding new features such as the ability to modify a device's contact list (to facilitate vishing attacks) and an automated, pre-processing seed phrase collector tailored for cryptocurrency wallets. These updates indicate an active and responsive development team capable of adapting the malware to bypass evolving security measures.

Initial targeting efforts focused on users in Spain and Turkey, particularly those using mobile banking and cryptocurrency apps. However, the malware has since expanded operations to Poland, Argentina, Brazil, Indonesia, India, and the United States. This global expansion, including targeted advertising (e.g., Facebook ads tailored for Polish users), indicates a sophisticated and agile actor capable of rapid geographic and strategic scaling. Global organizations must now treat this as a borderless threat and respond with adaptive, real-time intelligence.


Key Details

Delivery Method

Crocodilus is distributed through malicious apps that impersonate trusted applications like Google Chrome (package: quizzical.washbowl.calamity), mobile banking apps, shopping tools, and online casinos. These apps are commonly delivered through deceptive Facebook advertisements or malicious SMS messages that redirect to spoofed download pages.

A critical aspect of Crocodilus's success is its use of custom droppers, sometimes marketed as "SecuriDropper," capable of bypassing Android 13's "Restricted Settings" protections. These droppers simulate session-based installations typical of legitimate app marketplaces, allowing the malware to request Accessibility and Notification Listener permissions without triggering warnings.

Target

The malware primarily targets users of financial and cryptocurrency apps, leveraging Android Accessibility Services to gain full visibility and control over user interactions.

Functions

  • Overlay Attacks: Uses HTML overlays served from C2 servers to mimic legitimate banking/crypto app screens.
  • Accessibility Logging: Captures UI elements, keystrokes, OTPs, and seed phrases using accessibility hooks.
  • Remote Access Trojan (RAT): Executes commands, simulates UI interactions, retrieves contacts, installs new apps, sends SMS, and manages calls.
  • Black Screen Overlay: Blocks screen visibility during malicious operations.
  • Sound Muting: Prevents audio alerts that could tip off victims.
  • New Capabilities (June 2025):
    • Adds contacts to the user’s phone to support vishing operations.
    • Enhanced crypto wallet seed collection and parser modules.

Obfuscation

Crocodilus employs XOR encryption, code packing, and native code loading via AES-decrypted payloads from .png files in the asset folder. Each sample uses unique keys, complicating static analysis and signature-based detection. The Pragma variant demonstrates modularity and campaign-specific builds.
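A first-pass triage check for the asset-folder technique described above, added here as an example (it is not code from the advisory or from any vendor tool): open an APK as a zip and flag `assets/*.png` entries that lack a valid PNG signature or IEND trailer, which is what an encrypted blob stored under a `.png` name looks like. The sample APK is constructed in memory.

```python
import io
import zipfile

PNG_MAGIC = b"\x89PNG\r\n\x1a\n"          # 8-byte PNG file signature
PNG_TRAILER = b"IEND\xae\x42\x60\x82"     # IEND chunk type + its fixed CRC: last 8 bytes of any PNG

def find_disguised_png_assets(apk_bytes: bytes) -> list:
    """Return assets/*.png entries that are not structurally PNG files.

    An encrypted payload stored under a .png name has neither the signature nor
    the IEND trailer. A payload wrapped in a real PNG would pass this check, so
    treat a clean result as triage, not proof.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        for name in apk.namelist():
            if not (name.startswith("assets/") and name.lower().endswith(".png")):
                continue
            data = apk.read(name)
            bad_magic = not data.startswith(PNG_MAGIC)
            bad_trailer = not data.endswith(PNG_TRAILER)
            if bad_magic or bad_trailer:
                findings.append({"path": name, "size": len(data),
                                 "bad_magic": bad_magic, "bad_trailer": bad_trailer})
    return findings

def build_sample_apk() -> bytes:
    """Constructed in-memory APK (a zip): one well-formed PNG skeleton, one opaque blob named .png."""
    real_png = PNG_MAGIC + b"\x00" * 64 + PNG_TRAILER
    # Deterministic stand-in for an encrypted payload; constructed, not real malware data.
    blob = bytes((i * 131 + 7) % 256 for i in range(4096))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("assets/logo.png", real_png)
        z.writestr("assets/res_cache.png", blob)
        z.writestr("classes.dex", b"dex\n035\x00")
    return buf.getvalue()

if __name__ == "__main__":
    for finding in find_disguised_png_assets(build_sample_apk()):
        print(finding)
```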


Attack Vectors

  1. Initial Infection: Victim downloads the disguised dropper app promoted via malicious ads or social engineering.
  2. Permission Escalation: Dropper requests Accessibility permissions, which are granted without triggering Android 13+ warnings.
  3. C2 Communication: Encrypted connections (AES-256-CBC over HTTPS) retrieve overlays, app targets, and commands. Bulletproof hosting and TLS reuse across malware families have been observed.
  4. Credential Harvesting: Phishing overlays mimic app UIs and collect credentials, OTPs, and seed phrases. One notable tactic includes fake warnings prompting wallet backups to trick users into exposing keys.
  5. Data Exfiltration: Uses embedded regex parsing to filter high-value credentials locally before exfiltration to C2 servers.

Known Indicators of Compromise (IoCs)

FileHash-MD5

  • f6f589d1a0a189aded4d008b671be0db

FileHash-SHA1

  • f425a592df7fe61a03673a48fda56e55f9d6165c

FileHash-SHA256

  • 6d55d90d021b0980528f56d040e78fa7b85a96f5c244e23f330f24c8e80c1cb2
  • fb046b7d0e385ba7ad15b766086cd48b4b099e612d8dd0a460da2385dd31e09e

Domain

  • rentvillcr[.]homes
  • rentvillcr[.]online


Mitigation and Prevention

  • User Awareness: Educate about the dangers of sideloaded apps and excessive permissions.
  • Email and Ad Filtering: Block social engineering attempts via phishing emails and malicious ad traffic.
  • Mobile AV & MDM: Use behavioral-based antivirus and Mobile Device Management to detect privilege abuse.
  • Two-Factor Authentication: Prefer hardware 2FA over OTP apps, which can be compromised via accessibility logging.
  • Log Monitoring: Detect abnormal app launches, overlays, AccessibilityService usage, and network traffic to C2 domains.
  • Regular Updates: Ensure OS and Google Play Protect are current. Apply all available security patches.

Additional Measures:

  • Enforce app restrictions via MDM.
  • Disable "Install Unknown Apps".
  • Use hardware wallets for crypto.
  • Employ multi-sig wallets for redundancy.
  • Monitor SIEM and EDR platforms with ThreatFabric/Anomali feeds.
  • Use TLS inspection and certificate pinning to block Crocodilus C2.
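The "Log Monitoring" and "Monitor SIEM" bullets above, turned into a small detection routine as an added example (not code from the advisory or from any feed vendor). The package name, hashes and domains are the indicators listed in this advisory; the MDM app-inventory field names, the installer package, and the DNS log format are constructed assumptions.

```python
import re

# Indicators copied from the advisory above; domains are defanged there, so re-fang them.
IOC_PACKAGES = {"quizzical.washbowl.calamity"}
IOC_DOMAINS = {d.replace("[.]", ".") for d in ("rentvillcr[.]homes", "rentvillcr[.]online")}
IOC_SHA256 = {
    "6d55d90d021b0980528f56d040e78fa7b85a96f5c244e23f330f24c8e80c1cb2",
    "fb046b7d0e385ba7ad15b766086cd48b4b099e612d8dd0a460da2385dd31e09e",
}
PLAY_STORE = "com.android.vending"
# Permissions that correspond to the RAT functions listed above (SMS, contacts, overlays).
RISKY_PERMS = {"android.permission.SEND_SMS", "android.permission.READ_CONTACTS",
               "android.permission.WRITE_CONTACTS", "android.permission.SYSTEM_ALERT_WINDOW"}

def evaluate_app(record: dict) -> list:
    """Alert reasons for one app-inventory record (field names are a constructed MDM schema)."""
    reasons = []
    if record["package"] in IOC_PACKAGES:
        reasons.append("ioc:package")
    if record.get("sha256", "").lower() in IOC_SHA256:
        reasons.append("ioc:sha256")
    # Install from outside the Play Store plus an enabled AccessibilityService is the dropper pattern above.
    sideloaded = record.get("installer") != PLAY_STORE
    if sideloaded and record.get("accessibility_enabled"):
        reasons.append("behavior:sideloaded_accessibility")
    if sideloaded and RISKY_PERMS & set(record.get("permissions", ())):
        reasons.append("behavior:sideloaded_risky_perms")
    return reasons

def evaluate_dns(log_lines) -> list:
    """Return queried names that match the advisory's C2 domains (log format is constructed)."""
    hits = []
    for line in log_lines:
        m = re.search(r"\bqname=([A-Za-z0-9.-]+)", line)
        if m and m.group(1).lower().rstrip(".") in IOC_DOMAINS:
            hits.append(m.group(1))
    return hits

# Constructed sample telemetry: one benign Play Store app, one record matching the dropper profile.
SAMPLE_APPS = [
    {"package": "com.example.bank", "installer": PLAY_STORE, "accessibility_enabled": False,
     "permissions": ["android.permission.INTERNET"]},
    {"package": "quizzical.washbowl.calamity", "installer": "com.example.sessioninstaller",
     "accessibility_enabled": True,
     "permissions": ["android.permission.SEND_SMS", "android.permission.WRITE_CONTACTS"]},
]
SAMPLE_DNS = ["2025-06-04T10:00:01Z dev=a1 qname=play.googleapis.com",
              "2025-06-04T10:00:07Z dev=a1 qname=rentvillcr.online"]
```

Run `evaluate_app` over each inventory record and `evaluate_dns` over resolver logs; the behavioral reasons fire even when a new build changes its package name and hashes.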

Risk Assessment

Crocodilus is a top-tier mobile threat with a modular and adaptive architecture. Its ability to bypass Android 13+ security, steal cryptocurrency wallet data, impersonate legitimate apps, and support vishing makes it extremely dangerous. The global nature of its distribution campaigns and sophistication of its command infrastructure suggest a well-organized actor with strong funding and technical skill. The malware's focus on irreversible assets like crypto heightens its impact and demands immediate defensive action.


Conclusion

Crocodilus is redefining the threat landscape for Android-based financial fraud. It merges social engineering, RAT control, credential theft, obfuscation, and crypto-focused features into a seamless, stealthy toolkit. The speed of its evolution and global spread demonstrates the urgent need for organizations and individuals to enhance mobile security hygiene, adopt layered defenses, and respond to dynamic threat intelligence.
