Mallory
Malware, used by 1 actor

Crocodilus

Crocodilus is an Android banking trojan discovered by ThreatFabric. It is described as a highly capable mobile banking malware family that follows a modern device-takeover model and uses overlay attacks, accessibility-based logging/keylogging, remote access, and hidden remote-control features to steal banking and cryptocurrency-related data. The malware is initially installed via a proprietary dropper that can bypass Android 13+ restrictions, after which it abuses Android Accessibility Services and connects to a command-and-control server to receive target application lists, overlay configurations, and commands.

Observed capabilities include monitoring app launches, displaying credential-harvesting overlays over targeted applications, collecting SMS messages, sending SMS messages to specified numbers, lists of numbers, or all contacts, performing USSD requests, manipulating the victim’s contact list by adding contacts to support social-engineering attacks, and capturing screen content and visible UI elements through accessibility logging. ThreatFabric reported that Crocodilus can capture OTP data from Google Authenticator, including labels and values, and exfiltrate them to its C2. It can also hide attacker activity by displaying a black screen overlay and muting the device during fraudulent operations. The malware has been reported as capable of taking full control of infected phones to steal funds from banking and online accounts.

Crocodilus also targets cryptocurrency wallets. Reported tradecraft includes a social-engineering overlay that urges victims to back up their wallet key within 12 hours, guiding them to reveal seed phrases that are then harvested via accessibility logging. With stolen seed phrases, attackers can seize and drain wallets.

Distribution vectors mentioned in public reporting include malvertising campaigns, fake banking apps, fake browser updates, malicious ads, and phony applications. Early campaigns targeted banks in Spain and Turkey, and later reporting states the malware expanded globally, including activity in Poland, South America, parts of Asia, and broader worldwide targeting. ThreatFabric noted possible links to the mobile threat actor "sybra" based on early samples tagged "sybupdate," but stated this may indicate either a development link or a customer testing the malware. Source-code debug messages reportedly suggest Turkish-speaking developer(s).

High-confidence indicators mentioned in public reporting include the SHA-256 hash c5e3edafdfda1ca0f0554802bbe32a8b09e8cc48161ed275b8fec6d74208171f and the command-and-control domain register-buzzy[.]store.


THREAT ACTORS

Groups observed using it

1 distinct threat actor attributed by public researchers.

sybra

"This environment has paved the way for the emergence of Crocodilus, a new and highly capable mobile banking Trojan discovered by ThreatFabric."

via threatfabric.com
MITRE ATT&CK

Techniques & procedures

9 distinct techniques documented for this family, organized by ATT&CK tactic.

Execution

1 technique
T1648 Serverless Execution (evidence: 1)

"New Android Trojan Crocodilus Abuses Accessibility to Steal Banking and Crypto Credentials"

Persistence

1 technique
T1546.008 Accessibility Features (evidence: 1)

Once installed, Crocodilus requests Accessibility Service to be enabled. Once granted, the malware connects to the command-and-control (C2) server to receive instructions... Another data theft feature of Crocodilus is a keylogger. However, it is more accurate to call it an Accessibility Logger – the malware monitors all Accessibility events and captures all the elements displayed on the screen.

Privilege Escalation

1 technique
T1546.008 Accessibility Features (evidence: 1)

Evidence: the same ThreatFabric excerpt quoted under Persistence above.

Stealth

2 techniques
T1036 Masquerading (evidence: 1)

Crocodilus is also able to make any remote access “hidden” – displaying a black screen overlay on top of all the activities, effectively hiding the actions performed by the malware.

T1218 System Binary Proxy Execution (evidence: 1)

Initial installation is done via a proprietary dropper bypassing Android 13+ restrictions.

Credential Access

2 techniques
T1056 Input Capture (evidence: 1)

It runs continuously, monitoring app launches and displaying overlays to intercept credentials.

T1056.001 Keylogging (evidence: 1)

Another data theft feature of Crocodilus is a keylogger. However, it is more accurate to call it an Accessibility Logger... it effectively logs all text changes performed by a victim, making it a keylogger, but the capabilities go beyond just keylogging.

Collection

3 techniques
T1056 Input Capture (evidence: 1)

Evidence: the same ThreatFabric excerpt quoted under Credential Access above.

T1056.001 Keylogging (evidence: 1)

Evidence: the same ThreatFabric excerpt quoted under Credential Access above.

T1113 Screen Capture (evidence: 1)

RAT command “TG32XAZADG” triggers a screen capture on the content of the Google Authenticator application... capture the text displayed (the name of the OTP code, as well as its value) and send these to the C2.

Command and Control

2 techniques
T1071 Application Layer Protocol (evidence: 1)

Once granted, the malware connects to the command-and-control (C2) server to receive instructions, including the list of target applications and the overlays to be used.

T1219 Remote Access Tools (evidence: 1)

With stolen PII and credentials, threat actors can take full control of a victim’s device using built-in remote access... Crocodilus is also able to make any remote access “hidden” – displaying a black screen overlay on top of all the activities.
