
Crocodilus - S9004 (eed7b988-0279-4c4f-bfa9-d81f5444a04b)

Crocodilus is an Android banking Trojan that was discovered in March 2025. Crocodilus targeted users worldwide, including in Turkey, Poland, Argentina, Brazil, Spain, the United States, Indonesia and India. Crocodilus has been customized based on the target location. For example, Crocodilus mimicked major Turkish and Spanish banks for users in Turkey and Spain, while users in Poland saw Facebook advertisements that promoted Crocodilus to claim bonus points.(Citation: ThreatFabric_Crocodilus_March2025)(Citation: ThreatFabric_Crocodilus_June2025)

| Cluster A | Galaxy A | Cluster B | Galaxy B | Level |
| --- | --- | --- | --- | --- |
| Financial Theft - T1657 (851e071f-208d-4c79-adc6-5974c85c78f3) | Attack Pattern | Crocodilus - S9004 (eed7b988-0279-4c4f-bfa9-d81f5444a04b) | Malware | 1 |
| Web Protocols - T1437.001 (2282a98b-5049-4f61-9381-55baca7c1add) | Attack Pattern | Crocodilus - S9004 (eed7b988-0279-4c4f-bfa9-d81f5444a04b) | Malware | 1 |
| Crocodilus - S9004 (eed7b988-0279-4c4f-bfa9-d81f5444a04b) | Malware | Download New Code at Runtime - T1407 (6c49d50f-494d-4150-b774-a655022d20a6) | Attack Pattern | 1 |
| Crocodilus - S9004 (eed7b988-0279-4c4f-bfa9-d81f5444a04b) | Malware | Exfiltration Over C2 Channel - T1646 (32063d7f-0a39-440d-a4a3-2694488f96cc) | Attack Pattern | 1 |
| Obfuscated Files or Information - T1406 (d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a) | Attack Pattern | Crocodilus - S9004 (eed7b988-0279-4c4f-bfa9-d81f5444a04b) | Malware | 1 |
| Screen Capture - T1513 (73c26732-6422-4081-8b63-6d0ae93d449e) | Attack Pattern | Crocodilus - S9004 (eed7b988-0279-4c4f-bfa9-d81f5444a04b) | Malware | 1 |
| SMS Control - T1582 (b327a9c0-e709-495c-aa6e-00b042136e2b) | Attack Pattern | Crocodilus - S9004 (eed7b988-0279-4c4f-bfa9-d81f5444a04b) | Malware | 1 |
| Masquerading - T1655 (f856eaab-e84a-4265-a8a2-7bf37e5dc2fc) | Attack Pattern | Crocodilus - S9004 (eed7b988-0279-4c4f-bfa9-d81f5444a04b) | Malware | 1 |
| Contact List - T1636.003 (e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86) | Attack Pattern | Crocodilus - S9004 (eed7b988-0279-4c4f-bfa9-d81f5444a04b) | Malware | 1 |
| GUI Input Capture - T1417.002 (4c58b7c6-a839-4789-bda9-9de33e4d4512) | Attack Pattern | Crocodilus - S9004 (eed7b988-0279-4c4f-bfa9-d81f5444a04b) | Malware | 1 |
| SMS Messages - T1636.004 (c6421411-ae61-42bb-9098-73fddb315002) | Attack Pattern | Crocodilus - S9004 (eed7b988-0279-4c4f-bfa9-d81f5444a04b) | Malware | 1 |
| Device Administrator Permissions - T1626.001 (9c049d7b-c92a-4733-9381-27e2bd2ccadc) | Attack Pattern | Crocodilus - S9004 (eed7b988-0279-4c4f-bfa9-d81f5444a04b) | Malware | 1 |
| Software Packing - T1406.002 (51636761-2e35-44bf-9e56-e337adf97174) | Attack Pattern | Crocodilus - S9004 (eed7b988-0279-4c4f-bfa9-d81f5444a04b) | Malware | 1 |
| Prevent Application Removal - T1629.001 (dc01774a-d1c1-45fb-b506-0a5d1d6593d9) | Attack Pattern | Crocodilus - S9004 (eed7b988-0279-4c4f-bfa9-d81f5444a04b) | Malware | 1 |
| User Evasion - T1628.002 (24a77e53-0751-46fc-b207-99378fb35c08) | Attack Pattern | Crocodilus - S9004 (eed7b988-0279-4c4f-bfa9-d81f5444a04b) | Malware | 1 |
| Software Discovery - T1418 (198ce408-1470-45ee-b47f-7056050d4fc2) | Attack Pattern | Crocodilus - S9004 (eed7b988-0279-4c4f-bfa9-d81f5444a04b) | Malware | 1 |
| Input Injection - T1516 (d1f1337e-aea7-454c-86bd-482a98ffaf62) | Attack Pattern | Crocodilus - S9004 (eed7b988-0279-4c4f-bfa9-d81f5444a04b) | Malware | 1 |
| Abuse Accessibility Features - T1453 (2204c371-6100-4ae0-82f3-25c07c29772a) | Attack Pattern | Crocodilus - S9004 (eed7b988-0279-4c4f-bfa9-d81f5444a04b) | Malware | 1 |
| Crocodilus - S9004 (eed7b988-0279-4c4f-bfa9-d81f5444a04b) | Malware | Call Control - T1616 (351ddf79-2d3a-41b4-9bef-82ea5d3ccd69) | Attack Pattern | 1 |
| Crocodilus - S9004 (eed7b988-0279-4c4f-bfa9-d81f5444a04b) | Malware | Keylogging - T1417.001 (b1c95426-2550-4621-8028-ceebf28b3a47) | Attack Pattern | 1 |
| Video Capture - T1512 (d8940e76-f9c1-4912-bea6-e21c251370b6) | Attack Pattern | Crocodilus - S9004 (eed7b988-0279-4c4f-bfa9-d81f5444a04b) | Malware | 1 |
| Uninstall Malicious Application - T1630.001 (0cdd66ad-26ac-4338-a764-4972a1e17ee3) | Attack Pattern | Crocodilus - S9004 (eed7b988-0279-4c4f-bfa9-d81f5444a04b) | Malware | 1 |
| Web Protocols - T1437.001 (2282a98b-5049-4f61-9381-55baca7c1add) | Attack Pattern | Application Layer Protocol - T1437 (6a3f6490-9c44-40de-b059-e5940f246673) | Attack Pattern | 2 |
| Contact List - T1636.003 (e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86) | Attack Pattern | Protected User Data - T1636 (11c2c2b7-1fd4-408f-bc2e-fe772ef9df5e) | Attack Pattern | 2 |
| Input Capture - T1417 (a8c31121-852b-46bd-9ba4-674ae5afe7ad) | Attack Pattern | GUI Input Capture - T1417.002 (4c58b7c6-a839-4789-bda9-9de33e4d4512) | Attack Pattern | 2 |
| SMS Messages - T1636.004 (c6421411-ae61-42bb-9098-73fddb315002) | Attack Pattern | Protected User Data - T1636 (11c2c2b7-1fd4-408f-bc2e-fe772ef9df5e) | Attack Pattern | 2 |
| Device Administrator Permissions - T1626.001 (9c049d7b-c92a-4733-9381-27e2bd2ccadc) | Attack Pattern | Abuse Elevation Control Mechanism - T1626 (08ea902d-ecb5-47ed-a453-2798057bb2d3) | Attack Pattern | 2 |
| Software Packing - T1406.002 (51636761-2e35-44bf-9e56-e337adf97174) | Attack Pattern | Obfuscated Files or Information - T1406 (d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a) | Attack Pattern | 2 |
| Prevent Application Removal - T1629.001 (dc01774a-d1c1-45fb-b506-0a5d1d6593d9) | Attack Pattern | Impair Defenses - T1629 (20b0931a-8952-42ca-975f-775bad295f1a) | Attack Pattern | 2 |
| User Evasion - T1628.002 (24a77e53-0751-46fc-b207-99378fb35c08) | Attack Pattern | Hide Artifacts - T1628 (fc53309d-ebd5-4573-9242-57024ebdad4f) | Attack Pattern | 2 |
| Input Capture - T1417 (a8c31121-852b-46bd-9ba4-674ae5afe7ad) | Attack Pattern | Keylogging - T1417.001 (b1c95426-2550-4621-8028-ceebf28b3a47) | Attack Pattern | 2 |
| Uninstall Malicious Application - T1630.001 (0cdd66ad-26ac-4338-a764-4972a1e17ee3) | Attack Pattern | Indicator Removal on Host - T1630 (0d4e3bbb-7af5-4c88-a215-0c0906bc1e8d) | Attack Pattern | 2 |