Crocodilus Banking Trojan Targeting Banks in Spain and Turkey

PT FPT Metrodata Indonesia (FMI) is a joint venture between FPT IS and Metrodata Electronics, focusing on providing Cybersecurity-as-a-Service—including SOC, managed security, professional services, consulting, and threat intelligence—to support Indonesia’s rapidly growing digital economy. FMI is expanding into AI and cloud GPU services to deliver innovative protection and solutions for enterprises. Learn more at https://fmisec.com.
Summary
Crocodilus is a newly discovered and highly capable mobile banking Trojan, identified by ThreatFabric, that emerges as a sophisticated threat rather than a mere clone of existing malware. Building on the success of well-established banking Trojans like Anatsa, Octo, and Hook, Crocodilus employs advanced techniques such as remote control, black screen overlays, and accessibility logging to steal credentials.
Its discovery highlights the evolving mobile threat landscape, where cybercriminals continually refine tactics to evade detection and maximize financial gain. With core capabilities including overlay attacks, keylogging, and hidden remote control, Crocodilus represents a significant new player in the underground market for banking malware.
Technical Details
Crocodilus operates as a sophisticated Device Takeover banking Trojan, leveraging a proprietary dropper to bypass Android 13+ restrictions for installation. Once active, it abuses Accessibility Services to gain full control over the device, connecting to a Command and Control (C&C) server to receive instructions, including targeted applications and credential-stealing overlays. It continuously monitors app activity, displaying fake login screens to intercept user credentials. Initially, its campaigns have been observed targeting banking customers in Spain and Turkey, as well as cryptocurrency wallets, but its reach is expected to expand globally.

Beyond overlay attacks, Crocodilus employs an advanced Accessibility Logger to capture all on-screen elements, functioning as an enhanced keylogger. It can extract OTP codes from the Google Authenticator app using the RAT command “TG32XAZADG,” ensuring real-time credential theft. The malware also enables hidden remote access, concealing fraudulent activity behind a black screen overlay and muting device audio to evade detection. With stolen PII and credentials, threat actors can take complete control of a victim’s device, facilitating undetected fraudulent transactions.
A key aspect of Crocodilus' overlays targeting cryptocurrency wallets is a deceptive message that appears after a victim enters their password or PIN. The overlay warns, “Back up your wallet key in the settings within 12 hours. Otherwise, the app will reset, and you may lose access to your wallet.”

This social engineering tactic manipulates victims into accessing their seed phrase (wallet key), enabling Crocodilus to capture the displayed text using its Accessibility Logger. With this critical information, attackers can gain full control over the wallet and drain its funds entirely.
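As an added triage example (not code from the ThreatFabric research or the FMI advisory): because Crocodilus depends on an enabled Accessibility Service owned by a sideloaded dropper, a responder can cross-check which packages hold that capability against how each package was installed. It assumes the output of `adb shell settings get secure enabled_accessibility_services` and `adb shell pm list packages -i`; the package and service names below are constructed.

```python
"""Flag enabled Android accessibility services owned by apps that were not
installed from the Play Store (a common sign of a sideloaded dropper)."""
import re
from typing import Dict, List

# Constructed sample output of:
#   adb shell settings get secure enabled_accessibility_services
ENABLED_SERVICES = (
    "com.android.talkback/com.google.android.marvin.talkback.TalkBackService:"
    "com.example.updater/com.example.updater.A11yService"  # hypothetical package
)

# Constructed sample output of:  adb shell pm list packages -i
INSTALLER_LISTING = """\
package:com.android.talkback  installer=com.android.vending
package:com.example.updater  installer=null
package:com.bank.app  installer=com.android.vending
"""

TRUSTED_INSTALLERS = {"com.android.vending"}  # Google Play Store


def parse_installers(listing: str) -> Dict[str, str]:
    """Map package name -> installer package ('null' when sideloaded/unknown)."""
    installers = {}
    for line in listing.splitlines():
        m = re.match(r"package:(\S+)\s+installer=(\S+)", line)
        if m:
            installers[m.group(1)] = m.group(2)
    return installers


def parse_enabled_services(setting: str) -> List[str]:
    """Split the colon-separated 'pkg/service' list; 'null' means none enabled."""
    if not setting or setting.strip() == "null":
        return []
    return [s for s in setting.strip().split(":") if s]


def suspicious_accessibility_services(setting: str, listing: str) -> List[str]:
    """Return enabled services whose owning package did not come from a trusted store."""
    installers = parse_installers(listing)
    flagged = []
    for svc in parse_enabled_services(setting):
        pkg = svc.split("/", 1)[0]
        if installers.get(pkg, "null") not in TRUSTED_INSTALLERS:
            flagged.append(svc)
    return flagged


if __name__ == "__main__":
    for svc in suspicious_accessibility_services(ENABLED_SERVICES, INSTALLER_LISTING):
        print("REVIEW:", svc)
```

A flagged service is a lead for investigation, not proof of infection; legitimate sideloaded accessibility tools will also appear.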
Recommendations
Download and install software only from official app stores like Google Play Store or the iOS App Store.
Use a reputable anti-virus and internet security software package on your connected devices, such as PCs, laptops, and mobile devices.
Use strong passwords and enforce multi-factor authentication wherever possible.
Enable biometric security features such as fingerprint or facial recognition for unlocking the mobile device, where possible.
Be wary of opening any links received via SMS or emails delivered to your phone.
Ensure that Google Play Protect is enabled on Android devices.
Be careful when granting any app permissions.
Keep your devices, operating systems, and applications updated.
Conclusion
The emergence of the Crocodilus mobile banking Trojan represents a significant advancement in the sophistication and threat level of modern malware. With powerful Device Takeover capabilities, remote control functions, and black screen overlay attacks integrated from its earliest versions, Crocodilus exhibits a level of refinement rarely seen in newly identified threats.
Already targeting banks in Spain, Turkey, and major cryptocurrency wallets, Crocodilus is clearly designed to exploit high-value financial assets. Its rise underscores the limitations of traditional signature-based detection, particularly in the early stages of distribution. To mitigate such evolving threats, financial institutions must implement a layered security strategy, incorporating comprehensive device and behavior-based risk analysis to protect their customers.