Skip to content

Hide Navigation Hide TOC

Crocodilus - S9004 (eed7b988-0279-4c4f-bfa9-d81f5444a04b)

Crocodilus is an Android banking Trojan that was discovered in March 2025. Crocodilus targeted users worldwide, including Turkey, Poland, Argentina, Brazil, Spain, the United States, Indonesia and India. Crocodilus has been customized based on the target location. For example, Crocodilus mimicked major Turkish and Spanish banks for users in Turkey and Spain, while users in Poland saw Facebook advertisements that promoted Crocodilus to claim bonus points.(Citation: ThreatFabric_Crocodilus_March2025)(Citation: ThreatFabric_Crocodilus_June2025)

Cluster A Galaxy A Cluster B Galaxy B Level
Crocodilus - S9004 (eed7b988-0279-4c4f-bfa9-d81f5444a04b) Malware Input Injection - T1516 (d1f1337e-aea7-454c-86bd-482a98ffaf62) Attack Pattern 1
Crocodilus - S9004 (eed7b988-0279-4c4f-bfa9-d81f5444a04b) Malware Abuse Accessibility Features - T1453 (2204c371-6100-4ae0-82f3-25c07c29772a) Attack Pattern 1
Crocodilus - S9004 (eed7b988-0279-4c4f-bfa9-d81f5444a04b) Malware Call Control - T1616 (351ddf79-2d3a-41b4-9bef-82ea5d3ccd69) Attack Pattern 1
Keylogging - T1417.001 (b1c95426-2550-4621-8028-ceebf28b3a47) Attack Pattern Crocodilus - S9004 (eed7b988-0279-4c4f-bfa9-d81f5444a04b) Malware 1
Crocodilus - S9004 (eed7b988-0279-4c4f-bfa9-d81f5444a04b) Malware Video Capture - T1512 (d8940e76-f9c1-4912-bea6-e21c251370b6) Attack Pattern 1
Crocodilus - S9004 (eed7b988-0279-4c4f-bfa9-d81f5444a04b) Malware Financial Theft - T1657 (851e071f-208d-4c79-adc6-5974c85c78f3) Attack Pattern 1
Crocodilus - S9004 (eed7b988-0279-4c4f-bfa9-d81f5444a04b) Malware Web Protocols - T1437.001 (2282a98b-5049-4f61-9381-55baca7c1add) Attack Pattern 1
Crocodilus - S9004 (eed7b988-0279-4c4f-bfa9-d81f5444a04b) Malware Uninstall Malicious Application - T1630.001 (0cdd66ad-26ac-4338-a764-4972a1e17ee3) Attack Pattern 1
Crocodilus - S9004 (eed7b988-0279-4c4f-bfa9-d81f5444a04b) Malware Download New Code at Runtime - T1407 (6c49d50f-494d-4150-b774-a655022d20a6) Attack Pattern 1
Crocodilus - S9004 (eed7b988-0279-4c4f-bfa9-d81f5444a04b) Malware Exfiltration Over C2 Channel - T1646 (32063d7f-0a39-440d-a4a3-2694488f96cc) Attack Pattern 1
Obfuscated Files or Information - T1406 (d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a) Attack Pattern Crocodilus - S9004 (eed7b988-0279-4c4f-bfa9-d81f5444a04b) Malware 1
Crocodilus - S9004 (eed7b988-0279-4c4f-bfa9-d81f5444a04b) Malware Screen Capture - T1513 (73c26732-6422-4081-8b63-6d0ae93d449e) Attack Pattern 1
Crocodilus - S9004 (eed7b988-0279-4c4f-bfa9-d81f5444a04b) Malware SMS Control - T1582 (b327a9c0-e709-495c-aa6e-00b042136e2b) Attack Pattern 1
Masquerading - T1655 (f856eaab-e84a-4265-a8a2-7bf37e5dc2fc) Attack Pattern Crocodilus - S9004 (eed7b988-0279-4c4f-bfa9-d81f5444a04b) Malware 1
Crocodilus - S9004 (eed7b988-0279-4c4f-bfa9-d81f5444a04b) Malware Contact List - T1636.003 (e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86) Attack Pattern 1
GUI Input Capture - T1417.002 (4c58b7c6-a839-4789-bda9-9de33e4d4512) Attack Pattern Crocodilus - S9004 (eed7b988-0279-4c4f-bfa9-d81f5444a04b) Malware 1
Crocodilus - S9004 (eed7b988-0279-4c4f-bfa9-d81f5444a04b) Malware Device Administrator Permissions - T1626.001 (9c049d7b-c92a-4733-9381-27e2bd2ccadc) Attack Pattern 1
Crocodilus - S9004 (eed7b988-0279-4c4f-bfa9-d81f5444a04b) Malware SMS Messages - T1636.004 (c6421411-ae61-42bb-9098-73fddb315002) Attack Pattern 1
Crocodilus - S9004 (eed7b988-0279-4c4f-bfa9-d81f5444a04b) Malware Software Packing - T1406.002 (51636761-2e35-44bf-9e56-e337adf97174) Attack Pattern 1
Crocodilus - S9004 (eed7b988-0279-4c4f-bfa9-d81f5444a04b) Malware Prevent Application Removal - T1629.001 (dc01774a-d1c1-45fb-b506-0a5d1d6593d9) Attack Pattern 1
User Evasion - T1628.002 (24a77e53-0751-46fc-b207-99378fb35c08) Attack Pattern Crocodilus - S9004 (eed7b988-0279-4c4f-bfa9-d81f5444a04b) Malware 1
Crocodilus - S9004 (eed7b988-0279-4c4f-bfa9-d81f5444a04b) Malware Software Discovery - T1418 (198ce408-1470-45ee-b47f-7056050d4fc2) Attack Pattern 1
Input Capture - T1417 (a8c31121-852b-46bd-9ba4-674ae5afe7ad) Attack Pattern Keylogging - T1417.001 (b1c95426-2550-4621-8028-ceebf28b3a47) Attack Pattern 2
Application Layer Protocol - T1437 (6a3f6490-9c44-40de-b059-e5940f246673) Attack Pattern Web Protocols - T1437.001 (2282a98b-5049-4f61-9381-55baca7c1add) Attack Pattern 2
Indicator Removal on Host - T1630 (0d4e3bbb-7af5-4c88-a215-0c0906bc1e8d) Attack Pattern Uninstall Malicious Application - T1630.001 (0cdd66ad-26ac-4338-a764-4972a1e17ee3) Attack Pattern 2
Protected User Data - T1636 (11c2c2b7-1fd4-408f-bc2e-fe772ef9df5e) Attack Pattern Contact List - T1636.003 (e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86) Attack Pattern 2
Input Capture - T1417 (a8c31121-852b-46bd-9ba4-674ae5afe7ad) Attack Pattern GUI Input Capture - T1417.002 (4c58b7c6-a839-4789-bda9-9de33e4d4512) Attack Pattern 2
Abuse Elevation Control Mechanism - T1626 (08ea902d-ecb5-47ed-a453-2798057bb2d3) Attack Pattern Device Administrator Permissions - T1626.001 (9c049d7b-c92a-4733-9381-27e2bd2ccadc) Attack Pattern 2
SMS Messages - T1636.004 (c6421411-ae61-42bb-9098-73fddb315002) Attack Pattern Protected User Data - T1636 (11c2c2b7-1fd4-408f-bc2e-fe772ef9df5e) Attack Pattern 2
Obfuscated Files or Information - T1406 (d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a) Attack Pattern Software Packing - T1406.002 (51636761-2e35-44bf-9e56-e337adf97174) Attack Pattern 2
Prevent Application Removal - T1629.001 (dc01774a-d1c1-45fb-b506-0a5d1d6593d9) Attack Pattern Impair Defenses - T1629 (20b0931a-8952-42ca-975f-775bad295f1a) Attack Pattern 2
User Evasion - T1628.002 (24a77e53-0751-46fc-b207-99378fb35c08) Attack Pattern Hide Artifacts - T1628 (fc53309d-ebd5-4573-9242-57024ebdad4f) Attack Pattern 2