Zimperium Blog

Pragmatic Crocodilus: A New Variant In the Horizon

Written by Aazim Yaswant | Apr 14, 2025
 

Executive Summary

Following ThreatFabric’s publication on Crocodilus, a sophisticated Android banking trojan, our zLabs team conducted a deeper investigation into its broader ecosystem. The research led to the discovery of 17 previously unreported dropper Trojans and 21 new Banker samples matching the behaviors described in the original report. Beyond that, we found 6 new C&C servers and, perhaps most importantly, discovered a previously undocumented variant of the malware that employs native code for payload loading and execution.

Background: The Crocodilus Malware

This malware is designed for device takeover, enabling attackers to perform fraudulent activities without the user's knowledge.

The key features of the malware are:

  • Advanced Device Takeover: Crocodilus employs techniques such as overlay attacks, keylogging, and remote access to gain control over infected devices.
  • Accessibility Abuse: Upon installation, it requests Accessibility Service permissions, allowing it to monitor app launches and display deceptive overlays to capture user credentials.
  • Stealth Operations: The malware can operate in a "hidden" mode by displaying a black screen overlay and muting device sounds, ensuring its activities remain undetected.
  • OTP Harvesting: It can capture One-Time Passwords (OTPs) by logging accessibility events, including those from apps like Google Authenticator.

The original Crocodilus campaign relies on Accessibility Services and dynamic overlays to hijack user input and interact with banking apps invisibly. This foundation matches what we observed in the Banker samples extracted from newly found droppers. These samples operate in the same way: the dropper installs the hidden payload APK at runtime and escalates privileges through Accessibility abuse. The malware then executes banking fraud and credential harvesting using overlays and keylogging, all consistent with the known behaviors of Crocodilus.

Discovery of a Native Code Variant: Pragma

While analyzing the Banker APKs, four stood out for their use of native libraries, a clear deviation from the rest of the payloads and from the previous campaign. Each of these four samples includes a custom-written native library that loads a file from the assets folder. This file carries a .png extension but is in fact encrypted data, not an image. At runtime, the native code decrypts this file and loads the resulting DEX into memory to execute the malicious routines.

During the analysis, the AES key used to encrypt the payload was found embedded in each native library. These keys differ across samples, suggesting that the threat actor may be generating unique builds for different campaigns or distribution vectors. The native code also contains a repeated string, "Pragma Project", which might indicate an internal codename or simply a label for this variant family. Regardless, the use of native code to decrypt and dynamically load DEX files marks a significant evolution in obfuscation and stealth.
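The disguised-asset trait described above lends itself to a simple triage check: a genuine PNG always begins with an 8-byte signature, while an encrypted blob renamed to .png has no such header and shows near-maximal byte entropy. The following Python is an added example, not Zimperium's tooling or anything from the samples; it treats an APK as the ZIP archive it is, flags assets/*.png entries that lack the PNG signature, and reports their entropy. The sample APK and its entries are constructed inline.

```python
import io
import math
import zipfile
from collections import Counter

PNG_MAGIC = b"\x89PNG\r\n\x1a\n"   # every genuine PNG starts with these 8 bytes
ENTROPY_THRESHOLD = 7.5            # bits/byte; ciphertext sits near the 8.0 maximum


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def find_disguised_assets(apk_bytes: bytes) -> list[dict]:
    """Report assets/*.png entries whose content is not a PNG.
    An encrypted blob renamed to .png lacks the PNG signature and, being
    ciphertext, shows near-maximal entropy; both facts are returned for triage.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        for name in apk.namelist():
            if not (name.startswith("assets/") and name.lower().endswith(".png")):
                continue
            data = apk.read(name)
            if data.startswith(PNG_MAGIC):
                continue  # looks like a real image; not our concern here
            entropy = shannon_entropy(data)
            findings.append({"name": name, "size": len(data),
                             "entropy": round(entropy, 2),
                             "high_entropy": entropy >= ENTROPY_THRESHOLD})
    return findings


def build_sample_apk() -> bytes:
    """Constructed stand-in for an APK (an APK is a ZIP): one real PNG header
    and one high-entropy blob with a .png name standing in for the encrypted DEX."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("assets/icon.png", PNG_MAGIC + b"\x00" * 512)
        z.writestr("assets/bg.png", bytes(range(256)) * 16)  # entropy exactly 8.0
    return buf.getvalue()


if __name__ == "__main__":
    for hit in find_disguised_assets(build_sample_apk()):
        print(hit)
```

Real-world PNGs that happen to be stored uncompressed in the archive still carry the signature, so only signature-less entries are reported; the entropy value then separates ciphertext from, say, a misnamed text file.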

The IOCs for this campaign can be found in this repository.