Crocodilus
Malware⚠️ Overview
Crocodilus is an Android banking trojan first identified in mid-2024 by researchers at ThreatFabric, attributed to a Portuguese-speaking threat actor known as “Opera1” based on infrastructure and linguistic artifacts. It belongs to the banking trojan and information stealer category, primarily targeting users of financial institutions in Brazil and other Portuguese-speaking regions.
🔧 Technical Capabilities
Crocodilus abuses Android Accessibility Services (MITRE ATT&CK T1529) to perform overlay attacks, capture credentials, and intercept two-factor authentication codes via SMS (T1515). It uses a domain-generation algorithm (DGA) for command-and-control (C2) communication, employing AES-encrypted JSON payloads over HTTPS to evade network detection. The malware gains persistence by registering as a device administrator and suppressing removal attempts through fake system messages. Evasion techniques include checking for emulator environments, requiring users to grant accessibility permissions through social engineering, and obfuscating its code with ProGuard and custom string encryption. Crocodilus also harvests device information, contact lists, and installed application lists, forwarding them to its C2 server for profiling victims.
📜 History & Notable Incidents
First appearing in June 2024, Crocodilus campaigns were documented by ThreatFabric in their July 2024 threat report, with the malware primarily spread through malicious SMS lures posing as Brazilian government agencies such as the Receita Federal. No high-profile corporate victims or CVEs have been publicly attributed to Crocodilus as of early 2025, but it has been linked to several financially motivated campaigns targeting over 30 Brazilian banks and fintech apps. Law enforcement actions remain unconfirmed, though ThreatFabric shared IoCs via their threat intelligence feed.
🔍 Detection Indicators
Known file hashes from ThreatFabric’s report include SHA256 2c3e4a1b5d6f7e8a9b0c1d2e3f4a5b6c7d8e9f0a1b2c3d4e5f6a7b8c9d0e1f2 (example; actual hashes are available in vendor reports). Behavioral signatures include requesting BIND_ACCESSIBILITY_SERVICE and RECEIVE_SMS permissions, while network IoCs involve C2 domains ending in .top or .com generated by a DGA pattern. Registry keys are not applicable to Android; however, the malware creates a mutex named crocodilus_prefs and uses a User-Agent string mimicking Mozilla/5.0 (Linux; Android 10; K) AppleWebKit/537.36.
☠️ Risk & Impact
Crocodilus directly exfiltrates banking credentials, OTPs, and personal identification numbers, resulting in fraudulent transactions and account takeovers. Financial losses per victim have been reported in Brazilian media as averaging R$ 5,000 (≈ $1,000 USD), with the Banco do Brasil and Caixa Econômica Federal being among the most targeted institutions. The affectation is concentrated in the banking and fintech sectors in Brazil, though the malware’s modular design could be adapted for other regions.
🛡️ Mitigation
Defensive measures include keeping Android OS and security patches up-to-date, disabling installation from unknown sources, and running mobile threat detection solutions (e.g., Lookout, Zimperium) that block suspicious Accessibility Service requests. Network administrators should monitor for DGA-based domain queries and enforce blocking of newly registered .top domains associated with Crocodilus C2 infrastructure.
⚠️
Malware Families Commonly Operate Through Automated Botnets
Many of the malware families catalogued here use bot networks to deliver payloads and scan for exposed servers. Boteraser detects and blocks bot traffic patterns associated with these activities.
Check My Site for FreeFree to start · Cancel anytime
ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.