Crocodilus: A Sophisticated New Android Banking Trojan Targets Users in Spain and Turkey
Cybersecurity researchers at ThreatFabric have identified a newly discovered Android banking malware named Crocodilus, a powerful and sophisticated mobile threat targeting users primarily in Spain and Turkey. Unlike earlier, rudimentary banking trojans, Crocodilus enters the scene with a full arsenal of advanced features, showcasing a significant leap in mobile malware development.
What Is Crocodilus?
Crocodilus is a mobile banking trojan—a type of malware designed to steal financial data, hijack user devices, and facilitate fraudulent transactions. While many banking trojans evolve from simple clones, Crocodilus has arrived with a mature and dangerous feature set from the outset.
“Crocodilus enters the scene not as a simple clone, but as a fully-fledged threat from the outset,” said researchers at ThreatFabric.
The malware exhibits modern attack techniques, including:
- Remote control of the infected device
- Black screen overlays to obscure activity
- Advanced data harvesting through Android’s accessibility services
Infection Vector: Disguised as Google Chrome
Crocodilus disguises itself as a legitimate app—masquerading as Google Chrome under the package name quizzical.washbowl.calamity. This fake app acts as a dropper, helping bypass Android 13+ security restrictions and gain unauthorized access to critical system features.
Once installed, the malware prompts users to grant accessibility service permissions, a common method used by modern trojans to intercept user input and automate malicious actions.
Upon receiving these permissions, Crocodilus connects to a command-and-control (C2) server, which:
- Sends targeted lists of financial apps
- Provides HTML overlays for stealing login credentials
- Issues instructions for device takeover
Stealing from Banks and Cryptocurrency Wallets
Crocodilus is built to target both banking applications and cryptocurrency wallets. While traditional banking trojans use fake login overlays to steal credentials, Crocodilus adopts a unique social engineering tactic for crypto theft.
The Crypto Trap
Instead of showing a login form, the malware displays a fake alert urging users to back up their seed phrase within 12 hours or risk losing access. This warning is designed to:
- Trick users into viewing their seed phrase
- Capture the phrase through accessibility logging
- Gain full control of crypto wallets and drain digital assets
Key Capabilities of Crocodilus
Crocodilus maintains a persistent presence on infected devices and leverages accessibility logging to monitor user activity. It can:
- Detect app launches and display overlays in real time
- Capture sensitive on-screen data, including from Google Authenticator
- Use a black screen overlay to hide malicious actions
- Mute sounds to prevent user detection
Additional features include:
- Launch specified applications
- Self-remove from the device
- Push fake notifications
- Send SMS to selected or all contacts
- Retrieve contact lists and SMS messages
- Collect installed application data
- Request Device Administrator privileges
- Enable or disable sound and keylogging
- Set itself as the default SMS manager
- Update C2 server configurations remotely
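The two footholds the article describes, an unknown third-party app holding accessibility access (Infection Vector section) and an app making itself the default SMS manager (capabilities list above), are both visible in Android's settings store and can be checked over adb during device triage. The following script is an added example written for this page, not ThreatFabric's tooling or anything from the Crocodilus report: it parses the output of `settings get secure enabled_accessibility_services`, `pm list packages -3` and `settings get secure sms_default_application` and flags third-party packages that hold either position. The allowlist, the `com.example.notes` package and all sample command output are constructed; the only value taken from the article is the dropper package name `quizzical.washbowl.calamity`.

```python
"""Triage helper: flag third-party Android apps that hold accessibility
access or act as the default SMS handler, the two positions Crocodilus
takes according to the article. Parses output of real adb commands;
the sample output embedded below is constructed for offline use.
"""
import subprocess
from dataclasses import dataclass

# Package name the article reports for the fake Chrome dropper.
KNOWN_BAD_PACKAGES = {"quizzical.washbowl.calamity"}

# Hypothetical fleet allowlist of accessibility services that may stay enabled.
ALLOWED_ACCESSIBILITY_PACKAGES = {"com.google.android.marvin.talkback"}

# Constructed sample of: adb shell settings get secure enabled_accessibility_services
# Format is colon-separated "package/ServiceClass" entries.
SAMPLE_ENABLED_SERVICES = (
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:"
    "quizzical.washbowl.calamity/quizzical.washbowl.calamity.AccessService"
)
# Constructed sample of: adb shell pm list packages -3   (third-party apps only)
SAMPLE_THIRD_PARTY = "package:quizzical.washbowl.calamity\npackage:com.example.notes\n"
# Constructed sample of: adb shell settings get secure sms_default_application
SAMPLE_DEFAULT_SMS = "quizzical.washbowl.calamity"


@dataclass
class Finding:
    package: str
    reason: str


def parse_enabled_services(raw: str) -> list:
    """Return the package names that own an enabled accessibility service."""
    raw = raw.strip()
    if not raw or raw == "null":
        return []
    return [entry.split("/", 1)[0] for entry in raw.split(":") if entry]


def parse_package_list(raw: str) -> set:
    """Return package names from `pm list packages` output ("package:<name>" lines)."""
    return {
        line[len("package:"):].strip()
        for line in raw.splitlines()
        if line.startswith("package:")
    }


def triage(enabled_raw: str, third_party_raw: str, default_sms_raw: str,
           allowlist=ALLOWED_ACCESSIBILITY_PACKAGES) -> list:
    """Correlate the three settings into a list of Findings."""
    findings = []
    third_party = parse_package_list(third_party_raw)
    for pkg in parse_enabled_services(enabled_raw):
        if pkg in KNOWN_BAD_PACKAGES:
            findings.append(Finding(pkg, "accessibility service enabled for known Crocodilus package"))
        elif pkg in third_party and pkg not in allowlist:
            findings.append(Finding(pkg, "accessibility service enabled for unallowlisted third-party app"))
    sms = default_sms_raw.strip()
    if sms and sms != "null" and sms in third_party:
        findings.append(Finding(sms, "third-party app is the default SMS handler"))
    return findings


def adb_shell(args: list) -> str:
    """Run a command on the connected device via adb and return stdout."""
    return subprocess.run(["adb", "shell", *args], capture_output=True,
                          text=True, check=True).stdout


def triage_connected_device() -> list:
    """Live variant: pull the three settings from a USB-attached device."""
    return triage(
        adb_shell(["settings", "get", "secure", "enabled_accessibility_services"]),
        adb_shell(["pm", "list", "packages", "-3"]),
        adb_shell(["settings", "get", "secure", "sms_default_application"]),
    )


if __name__ == "__main__":
    for f in triage(SAMPLE_ENABLED_SERVICES, SAMPLE_THIRD_PARTY, SAMPLE_DEFAULT_SMS):
        print(f"{f.package}: {f.reason}")
```

Run against the constructed sample it reports two findings for `quizzical.washbowl.calamity` and none for TalkBack, which is allowlisted and not a third-party install. On a real device, `triage_connected_device()` replaces the samples with live adb output; a package that appears in both the accessibility and default-SMS findings matches the pattern the article describes and warrants pulling the APK for analysis.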
“Crocodilus demonstrates a level of maturity uncommon in newly discovered threats,” said ThreatFabric. “It marks a significant escalation in the threat level posed by modern mobile malware.”
Broader Context: Mobile and Desktop Threat Landscape
The rise of Crocodilus aligns with an ongoing surge in banking trojans and social engineering-driven malware across both mobile and desktop platforms.
In a related development, cybersecurity firm Forcepoint recently reported a phishing campaign distributing the Grandoreiro banking trojan. This Windows-targeted malware uses tax-themed lures and obfuscated Visual Basic scripts to target users in Mexico, Argentina, and Spain.
Conclusion: What This Means for Users and Security Professionals
The discovery of Crocodilus highlights the increasing sophistication of Android malware and the growing cross-targeting of financial applications, both traditional and crypto-based. With full Device Takeover (DTO) capabilities and stealthy persistence mechanisms, Crocodilus poses a serious risk to users unaware of the dangers of granting accessibility permissions to unknown apps.
Security Recommendations:
- Avoid downloading apps from unofficial sources
- Carefully review permissions requested by apps
- Use mobile security solutions to detect and block threats
- Keep Android devices and apps updated with the latest patches