
S9004: Crocodilus

Crocodilus is an Android banking Trojan that was discovered in March 2025. Crocodilus targeted users worldwide, including Turkey, Poland, Argentina, Brazil, Spain, the United States, Indonesia and India. Crocodilus has been customized based on the target location. For example, Crocodilus mimicked major Turkish and Spanish banks for users in Turkey and Spain, while users in Poland saw Facebook advertisements that promoted Crocodilus to claim bonus points.[1][2]

Domain: Enterprise · ID: S9004 · Type: Malware · Object version: 1.0
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: Medium

Crocodilus matters because it is described by ATT&CK as an Android banking Trojan with global targeting and location-specific customization, including bank impersonation and promotional lures. For leaders, the practical issue is not just “mobile malware,” but whether the organization can see and respond when employee- or customer-facing Android devices are used to capture credentials, manipulate user input, control SMS/calls, and support financial theft workflows.

Executive priority

Treat Crocodilus as a mobile fraud and account-protection readiness driver. Ask whether high-risk Android use cases are governed by mobile device policy, whether fraud/identity teams can correlate mobile compromise indicators with suspicious banking or account activity, and whether incident response plans cover device takeover, SMS interception, accessibility abuse, and customer or workforce communications. This object is especially relevant to organizations with mobile banking, payments, customer identity, or bring-your-own-device exposure.

Technical view

ATT&CK lists Android as the supported platform and maps Crocodilus to mobile behaviors including obfuscation and software packing, runtime code download, keylogging, GUI input capture, software discovery, web-protocol C2, accessibility abuse, screen/video capture, input injection, SMS and call control, device administrator abuse, user evasion, prevention of removal, self-uninstall, contact/SMS collection, exfiltration over C2, masquerading, and financial theft. SOC and IR teams should validate Android telemetry around unusual permissions, accessibility-service enablement, device administrator status, SMS/call access, MediaProjection/screen capture prompts, app inventory discovery, network connections over HTTP/HTTPS, and signs of masqueraded banking or promotional applications.

Likely telemetry

  • Android application inventory and install source records
  • Mobile device management or endpoint mobility logs where available
  • Permission grants for accessibility services, SMS, contacts, phone, camera, screen capture, and device administrator functions
  • Android security, app reputation, or mobile threat defense alerts
  • Network telemetry for Android devices communicating over web protocols

Detection direction

  • Because ATT&CK provides no official detection text, start with coverage validation rather than assuming detections exist.
  • Prioritize behavioral analytics for combinations of risky Android permissions and behaviors: accessibility abuse plus input injection, SMS access plus financial account activity, or device administrator permission plus uninstall resistance.
  • Tune for masquerading and location-specific lures by comparing app names, icons, package metadata, install source, and claimed brand against approved mobile application baselines.
  • Look for runtime code download and packed or obfuscated applications as mobile analysis blind spots; static scanning alone may miss behavior that appears after installation.
  • Correlate mobile events with identity and fraud systems, especially where keylogging, GUI capture, SMS collection, or C2 exfiltration could explain account takeover activity.
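As an added illustration of the behavioral-combination and masquerading checks in the detection items above (and of the permission, accessibility, device-administrator and install-source telemetry listed under the technical view), the following Python is example analyst code written for this page, not code from MITRE ATT&CK, ThreatFabric, or any Crocodilus sample. It scores a constructed app inventory: the record layout, the brand baseline, the risk weights, the threshold and the sample apps are all assumptions. The one real-format input it parses is the colon-separated `pkg/Service` list returned by `adb shell settings get secure enabled_accessibility_services`.

```python
"""Added example for this page (not code from MITRE ATT&CK, ThreatFabric or any
Crocodilus sample): score a constructed Android app inventory for the risky
combinations the page calls out. Record layout, brand baseline, weights,
threshold and sample apps are assumptions; adapt them to your MDM/MTD export."""
from dataclasses import dataclass

# Constructed baseline: which packages are allowed to present a given brand.
APPROVED_BRAND_PACKAGES = {"ExampleBank": {"com.examplebank.mobile"}}
# Installer package names treated as trusted stores (Google Play shown).
TRUSTED_INSTALLERS = {"com.android.vending"}

SMS_PERMS = {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS",
             "android.permission.SEND_SMS"}
CALL_PERMS = {"android.permission.CALL_PHONE", "android.permission.ANSWER_PHONE_CALLS",
              "android.permission.READ_CALL_LOG"}
OVERLAY_PERM = "android.permission.SYSTEM_ALERT_WINDOW"
INSTALL_PERM = "android.permission.REQUEST_INSTALL_PACKAGES"


def enabled_accessibility_packages(setting: str) -> set[str]:
    """Parse the colon-separated 'pkg/Service' list returned by
    `adb shell settings get secure enabled_accessibility_services`
    into the set of packages that currently have a service enabled."""
    if not setting or setting.strip() == "null":
        return set()
    return {entry.split("/", 1)[0] for entry in setting.split(":") if entry}


@dataclass
class AppRecord:
    package: str
    permissions: set
    device_admin: bool        # active DeviceAdminReceiver (dpm list-owners / dumpsys device_policy)
    installer: str            # installing package reported by the package manager
    claimed_brand: str = ""   # brand the label/icon presents, if an analyst or MTD tagged one


def assess(app: AppRecord, accessibility_enabled: set[str]) -> tuple[int, list[str]]:
    """Return (risk score, reasons). Weights are assumptions for illustration."""
    score, reasons = 0, []
    if app.package in accessibility_enabled:
        score += 3
        reasons.append("accessibility service enabled (input capture / injection)")
        if OVERLAY_PERM in app.permissions:
            score += 2
            reasons.append("overlay + accessibility (fake-login overlay pattern)")
    if app.permissions & SMS_PERMS:
        score += 2
        reasons.append("SMS access (OTP interception)")
    if app.permissions & CALL_PERMS:
        score += 1
        reasons.append("call control")
    if app.device_admin:
        score += 2
        reasons.append("device administrator active (removal resistance)")
    if INSTALL_PERM in app.permissions:
        score += 1
        reasons.append("can request package installs (dropper / runtime download)")
    if app.installer not in TRUSTED_INSTALLERS:
        score += 2
        reasons.append(f"sideloaded via {app.installer or 'unknown installer'}")
    if app.claimed_brand and app.package not in APPROVED_BRAND_PACKAGES.get(app.claimed_brand, set()):
        score += 4
        reasons.append(f"presents brand {app.claimed_brand!r} outside approved baseline")
    return score, reasons


def triage(inventory: list[AppRecord], a11y_setting: str, threshold: int = 6) -> list[tuple[str, int, list[str]]]:
    """Apps at or above the threshold, highest score first."""
    enabled = enabled_accessibility_packages(a11y_setting)
    hits = []
    for app in inventory:
        score, reasons = assess(app, enabled)
        if score >= threshold:
            hits.append((app.package, score, reasons))
    return sorted(hits, key=lambda h: -h[1])


# Constructed sample inventory: a legitimate bank app, a screen reader, and a
# sideloaded app that impersonates the bank and holds the takeover combination.
SAMPLE_A11Y_SETTING = ("com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService"
                       ":com.promo.bonus/.Svc")
SAMPLE_INVENTORY = [
    AppRecord("com.examplebank.mobile", {"android.permission.INTERNET", "android.permission.CAMERA"},
              False, "com.android.vending", "ExampleBank"),
    AppRecord("com.google.android.marvin.talkback", {"android.permission.INTERNET"},
              False, "com.android.vending"),
    AppRecord("com.promo.bonus", {"android.permission.INTERNET", OVERLAY_PERM, INSTALL_PERM,
                                  "android.permission.READ_SMS", "android.permission.CALL_PHONE"},
              True, "com.android.chrome", "ExampleBank"),
]

if __name__ == "__main__":
    for pkg, score, reasons in triage(SAMPLE_INVENTORY, SAMPLE_A11Y_SETTING):
        print(f"{pkg} score={score}")
        for reason in reasons:
            print("  -", reason)
```

Run as a script to print the flagged packages; in practice feed it the MDM or MTD export and tune the weights against your approved-app baseline. The legitimate screen reader also shows up as an enabled accessibility service, which is why accessibility alone stays below the threshold and only its combination with overlay, SMS, device-administrator and sideloading crosses it.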

Mitigation priorities

  • Establish or verify Android mobile security policy for high-risk users and regulated workflows, including approved app sources and minimum OS/security posture requirements.
  • Restrict or closely govern accessibility services, device administrator permissions, SMS/call permissions, contacts access, camera access, and screen capture capabilities where business needs allow.
  • Use mobile device management, mobile threat defense, or equivalent controls to inventory apps, flag risky permissions, and support rapid containment or removal decisions.
  • Harden identity and transaction controls so captured credentials or intercepted SMS messages are not sufficient for high-risk actions: prefer phishing-resistant or out-of-band authentication over SMS one-time codes, and confirm high-value transactions on a channel the compromised device cannot read.
  • Prepare IR playbooks for suspected Android banking Trojan cases, including device isolation, credential reset, session revocation, fraud review, and user communication.

Analyst notes and limits

The most decision-useful context comes from the ATT&CK relationships: Crocodilus is not represented as a single behavior but as a bundle of Android collection, evasion, control, C2, and financial-theft-enabling techniques. The supplied description also notes geographic customization and impersonation themes, which should push defenders to review brand abuse, app distribution, and customer-awareness processes in addition to SOC alerting.

ATT&CK does not provide official detection guidance for software objects such as this one, and the mirrored object specifies no tactics despite many technique relationships. Those relationships include mobile-attack techniques and one enterprise impact technique; the relationship table on this page reproduces only the enterprise row (T1657, Financial Theft), so the mobile-domain mappings summarized in the technical view must be checked against the ATT&CK source. Local telemetry, mobile management coverage, and fraud/identity data are required to determine actual exposure or detection capability. This summary does not assert active exploitation in any specific environment.

Official MITRE ATT&CK definition

Crocodilus

Crocodilus is an Android banking Trojan that was discovered in March 2025. Crocodilus targeted users worldwide, including Turkey, Poland, Argentina, Brazil, Spain, the United States, Indonesia and India. Crocodilus has been customized based on the target location. For example, Crocodilus mimicked major Turkish and Spanish banks for users in Turkey and Spain, while users in Poland saw Facebook advertisements that promoted Crocodilus to claim bonus points.[1][2]

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

Domain      ID     Name             Relationship / procedure
Enterprise  T1657  Financial Theft  Crocodilus has stolen cryptocurrency wallet details from victim devices.[1][2]

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.

ATT&CK release: 19.1
Object version: 1.0
Created: (blank in mirrored snapshot)
Modified: (blank in mirrored snapshot)
Raw hash: 7c10d32b2faf55be...

Imported snapshots across ATT&CK releases (1)

Release  Bundle imported  Object version  Modified  Status          Raw hash
19.1     (blank)          1.0             (blank)   Current bundle  7c10d32b2faf…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] ThreatFabric_Crocodilus_March2025: ThreatFabric. (2025, March 28). Exposing Crocodilus: New Device Takeover Malware Targeting Android Devices. Retrieved November 24, 2025.
  2. [2] ThreatFabric_Crocodilus_June2025: ThreatFabric. (2025, June 3). Crocodilus Mobile Malware: Evolving Fast, Going Global. Retrieved November 24, 2025.
  3. [3] mitre-attack S9004: MITRE ATT&CK software entry S9004 (Crocodilus).
Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.