
New Banking Malware Crocodilus Uses Black Screen Attack


Cybersecurity researchers have uncovered a dangerous new threat targeting Android users—Crocodilus, an advanced banking malware that is rapidly making its mark across Spain and Turkey. Far from a recycled clone, Crocodilus appears to be a sophisticated strain built from scratch, armed with modern capabilities for remote control, data theft, and deception.

First analyzed by mobile security experts at ThreatFabric, Crocodilus poses a serious risk. It masquerades as a fake Google Chrome app using the disguised package name “quizzical.washbowl.calamity” and functions as a dropper that sidesteps Android 13+ restrictions. Once installed, it immediately requests access to Android’s Accessibility Services—an increasingly common but dangerous entry point for cybercriminals.

Once the user grants permission, the malware connects to a remote command server. From there, it pulls down instructions, a list of financial apps to target, and malicious HTML overlays used to steal banking credentials. What sets Crocodilus apart is its use of black screen overlays, remote access features, and detailed data harvesting techniques that go far beyond traditional banking trojans.

The malware is capable of intercepting cryptocurrency wallets as well. Instead of using fake login pages, it deploys an alarming tactic: it prompts users to “urgently backup” their seed phrases within 12 hours, warning they could lose access otherwise. This clever social engineering trick leads users directly to their private keys, which the malware then harvests using Accessibility Service abuse—allowing attackers to drain wallets entirely.

Crocodilus monitors everything happening on the screen. It logs all accessibility events, tracks app launches, and even records screen activity, including sensitive apps like Google Authenticator. This constant surveillance allows threat actors to capture credentials in real time and take full control of compromised devices.

ThreatFabric’s report details several high-risk capabilities already embedded in the malware:

  • Launching specific apps remotely
  • Self-deleting to avoid detection
  • Sending SMS messages to selected or all contacts
  • Retrieving contact lists and installed app data
  • Reading received text messages
  • Requesting device administrator privileges
  • Displaying black screen overlays to mask malicious actions
  • Controlling sound and keylogging behavior
  • Setting itself as the default SMS manager
  • Updating its command-and-control (C2) server remotely

These features give Crocodilus near-total control over infected devices, making it one of the most advanced Android banking malware strains seen in early-stage deployment. The attackers even mute device sounds and display black overlays during sensitive operations to ensure users remain unaware.
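The two footholds described above, Accessibility Service access and the default SMS role, are both visible to a defender through Android's secure settings. The following triage helper is an added example, not code from the article or from ThreatFabric: it parses the values returned by `adb shell settings get secure enabled_accessibility_services` and `adb shell settings get secure sms_default_application`, and flags any package holding either role that is not on a trusted allowlist, with a separate "known_bad" verdict for the package name quoted in the article. The allowlist contents, the sample settings output and the service class name paired with the malicious package are all constructed for the example.

```python
"""Triage helper (added example, not from the article or ThreatFabric): flag
packages that hold Accessibility Service access or the default-SMS role on an
Android device, using the raw values of two secure settings."""
from __future__ import annotations

from dataclasses import dataclass

# Packages trusted to hold these roles. Constructed for the example; a real
# allowlist is built from the fleet's known vendor and system packages.
TRUSTED_PACKAGES = {
    "com.google.android.apps.messaging",
    "com.google.android.marvin.talkback",
    "com.android.mms",
}

# Package name reported by ThreatFabric and quoted in the article above.
KNOWN_BAD_PACKAGES = {"quizzical.washbowl.calamity"}


@dataclass(frozen=True)
class Finding:
    package: str
    role: str    # "accessibility" or "default_sms"
    reason: str  # "known_bad" or "untrusted"


def parse_enabled_accessibility_services(raw: str) -> list[tuple[str, str]]:
    """Parse the value of `settings get secure enabled_accessibility_services`.

    The value is a colon-separated list of package/ServiceClass entries;
    an empty string or the literal 'null' means no service is enabled."""
    raw = raw.strip()
    if not raw or raw == "null":
        return []
    entries: list[tuple[str, str]] = []
    for item in raw.split(":"):
        if "/" not in item:
            continue  # malformed entry, skip rather than crash the triage
        pkg, svc = item.split("/", 1)
        entries.append((pkg.strip(), svc.strip()))
    return entries


def classify(pkg: str) -> str | None:
    """Return a reason to report this package, or None if it is trusted."""
    if pkg in KNOWN_BAD_PACKAGES:
        return "known_bad"
    if pkg not in TRUSTED_PACKAGES:
        return "untrusted"
    return None


def triage(accessibility_raw: str, default_sms_raw: str) -> list[Finding]:
    """Combine both settings values into a list of findings, in input order."""
    findings: list[Finding] = []
    for pkg, _svc in parse_enabled_accessibility_services(accessibility_raw):
        reason = classify(pkg)
        if reason:
            findings.append(Finding(pkg, "accessibility", reason))
    sms_pkg = default_sms_raw.strip()
    if sms_pkg and sms_pkg != "null":
        reason = classify(sms_pkg)
        if reason:
            findings.append(Finding(sms_pkg, "default_sms", reason))
    return findings


# Constructed sample output from the two settings queries. The service class
# ".AccService" is a placeholder, not the real class name from the sample.
ACCESSIBILITY_SAMPLE = (
    "com.google.android.marvin.talkback/"
    "com.google.android.marvin.talkback.TalkBackService:"
    "quizzical.washbowl.calamity/.AccService:"
    "com.example.untrusted/.HelperService"
)
SMS_SAMPLE = "quizzical.washbowl.calamity"

if __name__ == "__main__":
    for f in triage(ACCESSIBILITY_SAMPLE, SMS_SAMPLE):
        print(f"{f.reason:10} {f.role:14} {f.package}")
```

In fleet use the raw strings come from `adb shell` or an MDM agent rather than the constants; the allowlist is the control that matters, since a freshly built dropper will not be on any known-bad list, and an unexpected package holding accessibility access or the SMS role is the signal worth paging on.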

ThreatFabric researchers suggest the malware author is likely Turkish-speaking, based on an in-depth analysis of debug messages and the original source code. Its geographical targeting—mainly users in Turkey and Spain—aligns with previous campaigns launched by threat actors in that region.

The emergence of Crocodilus comes at a time when Android banking malware continues to evolve at a rapid pace. Modern threats no longer rely solely on fake banking interfaces or login forms—they now exploit advanced Android permissions and trick users into handing over control through increasingly convincing prompts.

This discovery follows a parallel disclosure by Forcepoint, which has detected a new phishing campaign distributing the Grandoreiro banking trojan. This campaign uses tax-themed lures to target Windows users in Spain, Argentina, and Mexico, spreading the malware through a heavily obfuscated Visual Basic script.

The simultaneous rise of these two banking trojans underscores the growing risk posed by financially motivated cybercrime targeting both mobile and desktop users. Crocodilus, in particular, represents a leap forward in Android malware sophistication—with its black screen deception, screen scraping, and remote takeover abilities built in from the start.

As always, users should avoid sideloading apps from unknown sources, be cautious of apps requesting accessibility access, and keep their devices updated with the latest Android security patches. Cybersecurity teams must remain vigilant as new strains like Crocodilus continue to exploit overlooked vulnerabilities with increasingly complex tactics.
