Analysis of Crocodilus Android Banker Malware

The developers of the Crocodilus Android banker left a message in its logs when the malware launches, apparently as a taunt or signature. The malware is designed to steal banking credentials and perform fraudulent transactions.

You Should Know:

Detecting Crocodilus on Android

To check for suspicious processes on an Android device, use:

adb shell ps -A | grep -iE "crocodilus|banker|malicious"

Analyzing Malware Logs

Extract and inspect logs from an infected device:

adb logcat -d > device_logs.txt
grep -iE "crocodilus|banker|injection" device_logs.txt
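As an added example (not part of the original post), the following POSIX shell script combines the two checks above: it reads a `ps -A` snapshot and a logcat dump (assumed to be in adb's default threadtime format, where the PID is the third field) and resolves every indicator hit to the process that logged it, then counts hits per process. The ps and logcat contents embedded in the script are constructed sample data, not real device output, and `com.crocodilus.banker` is simply the package name used elsewhere in this post.

```shell
#!/bin/sh
# Added example, not from the original post: resolve indicator hits in a logcat
# dump to the process that wrote them, using a `ps -A` snapshot for the PID ->
# process-name mapping. Both inputs below are constructed sample data.

WORKDIR="${TMPDIR:-/tmp}/crocodilus_triage.$$"
mkdir -p "$WORKDIR"

# Constructed `adb shell ps -A` snapshot (process name is the last column).
cat > "$WORKDIR/ps.txt" <<'EOF'
USER           PID  PPID     VSZ    RSS WCHAN            ADDR S NAME
root             1     0   10000   2000 0                   0 S init
u0_a123       4321   500 1200000  90000 0                   0 S com.crocodilus.banker
u0_a124       4400   500 1100000  80000 0                   0 S com.android.chrome
EOF

# Constructed `adb logcat -d` excerpt in the default threadtime format:
# date time PID TID level tag: message. The PID is field 3.
cat > "$WORKDIR/logcat.txt" <<'EOF'
03-28 10:15:01.100  4321  4321 I Crocodilus: hello
03-28 10:15:02.200  4321  4350 D Injection: overlay shown for target app
03-28 10:15:03.300  4400  4400 I chromium: page load finished
03-28 10:15:04.400  4321  4350 W Banker: C2 request queued
EOF

# triage_logcat LOGFILE PSFILE REGEX
# Prints "PID PROCESS | <original line>" for each logcat line whose lowercased
# text matches REGEX (an awk extended regex such as 'crocodilus|banker|injection').
triage_logcat() {
    awk -v pat="$3" '
        # First input file (ps snapshot): map numeric PID -> process name.
        FNR == NR { if ($2 ~ /^[0-9]+$/) name[$2] = $NF; next }
        # Second input file (logcat): field 3 is the PID of the logging process.
        tolower($0) ~ pat {
            pid = $3
            print pid, (pid in name ? name[pid] : "<unknown>"), "|", $0
        }
    ' "$2" "$1"
}

# flagged_by_process LOGFILE PSFILE REGEX
# Counts flagged lines per process, most active first: "COUNT PID PROCESS".
flagged_by_process() {
    triage_logcat "$1" "$2" "$3" \
        | awk '{ c[$1 " " $2]++ } END { for (k in c) print c[k], k }' \
        | sort -rn
}

PATTERN='crocodilus|banker|injection'
triage_logcat "$WORKDIR/logcat.txt" "$WORKDIR/ps.txt" "$PATTERN"
flagged_by_process "$WORKDIR/logcat.txt" "$WORKDIR/ps.txt" "$PATTERN"
```

On a real device, replace the two constructed files with `adb shell ps -A > ps.txt` and `adb logcat -d > logcat.txt` taken at the same time; a PID that has already exited will show up as `<unknown>`, which is itself worth a second look.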

Static Analysis with APKTool

Decompile the APK for inspection:

apktool d Crocodilus.apk -o output_dir 

Dynamic Analysis with Frida

Hook into the malware’s runtime behavior:

Java.perform(() => {
    // Class name as given in this post; adjust it to the sample under analysis.
    let targetClass = Java.use("com.crocodilus.banker.MainActivity");
    // $init is Frida's name for the Java constructor, so this fires when the
    // activity is instantiated.
    targetClass.$init.implementation = function () {
        console.log("[*] Crocodilus initialization detected!");
        this.$init();
    };
});

Network Traffic Inspection

Check for Command & Control (C2) communications:

tcpdump -i any -s 0 -w crocodilus_traffic.pcap 

Analyze with Wireshark:

wireshark crocodilus_traffic.pcap 
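C2 traffic from a banker is usually periodic rather than bursty, so a quick beaconing check is more useful than eyeballing the capture. The script below is an added example, not part of the original post: it takes the text form of the capture (`tcpdump -nn -tt -r crocodilus_traffic.pcap`), keeps only outbound SYNs, and reports per destination the connection count, mean interval and worst deviation from that mean. The dump embedded here is constructed sample traffic; `185.143.223.47` is the address this post names as the C2 server, `10.0.0.5` stands for the phone and `203.0.113.10` is a documentation-range address standing in for a benign host.

```shell
#!/bin/sh
# Added example, not from the original post: spot periodic beaconing in a
# capture. Input is a constructed `tcpdump -nn -tt -r crocodilus_traffic.pcap`
# text dump, not real traffic.

PCAP_TXT="${TMPDIR:-/tmp}/crocodilus_tcpdump.$$.txt"
cat > "$PCAP_TXT" <<'EOF'
1711620900.000000 IP 10.0.0.5.44120 > 185.143.223.47.443: Flags [S], seq 1, win 65535, length 0
1711620905.000000 IP 10.0.0.5.44121 > 203.0.113.10.443: Flags [S], seq 1, win 65535, length 0
1711620960.000000 IP 10.0.0.5.44130 > 185.143.223.47.443: Flags [S], seq 1, win 65535, length 0
1711621020.000000 IP 10.0.0.5.44140 > 185.143.223.47.443: Flags [S], seq 1, win 65535, length 0
1711621033.000000 IP 10.0.0.5.44141 > 203.0.113.10.443: Flags [S], seq 1, win 65535, length 0
1711621080.000000 IP 10.0.0.5.44150 > 185.143.223.47.443: Flags [S], seq 1, win 65535, length 0
EOF

# beacon_stats DUMPFILE
# One line per destination: "DST COUNT MEAN_INTERVAL_S MAX_DEVIATION_S",
# highest connection count first. "Flags [S]," (not "[S.]") selects the
# client-side SYN, i.e. a new outbound connection from the device.
beacon_stats() {
    awk '
        / Flags \[S\],/ {
            ts = $1
            dst = $5; sub(/:$/, "", dst); sub(/\.[0-9]+$/, "", dst)  # strip ":" and port
            n[dst]++
            if (dst in prev) ivals[dst] = ivals[dst] " " (ts - prev[dst])
            prev[dst] = ts
        }
        END {
            for (d in n) {
                if (n[d] < 2) { print d, n[d], "NA", "NA"; continue }
                k = split(ivals[d], v, " "); sum = 0
                for (i = 1; i <= k; i++) sum += v[i]
                mean = sum / k; dev = 0
                for (i = 1; i <= k; i++) {
                    x = v[i] - mean; if (x < 0) x = -x
                    if (x > dev) dev = x
                }
                printf "%s %d %.0f %.0f\n", d, n[d], mean, dev
            }
        }' "$1" | sort -k2,2nr
}

# regular_beacons DUMPFILE
# Destinations contacted at least three times with intervals that never stray
# more than 10% from the mean: the signature of a timer-driven check-in.
regular_beacons() {
    beacon_stats "$1" | awk '$2 >= 3 && $4 <= 0.1 * $3'
}

beacon_stats "$PCAP_TXT"
echo "--- regular beacons ---"
regular_beacons "$PCAP_TXT"
```

On the sample, the C2 address is reported with four connections, a 60 s mean interval and zero deviation, while the benign host (two connections, 128 s apart) is not flagged. Real check-ins often add random jitter, so widen the 10% tolerance if the malware sample shows it.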

Remediation Steps

1. Revoke Suspicious Permissions:

adb shell pm revoke com.crocodilus.banker android.permission.INTERNET 

2. Uninstall the Malware:

adb shell pm uninstall com.crocodilus.banker 

3. Check for Persistence:

adb shell ls /system/app/ | grep -i "crocodilus" 
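Two details matter when carrying out the three steps above: `pm revoke` only acts on runtime (dangerous) permissions, so it cannot take away an install-time permission such as INTERNET, and a plain `pm uninstall` fails for an app that lives on the system partition. The script below is an added example, not part of the original post: it parses the output of `adb shell dumpsys package com.crocodilus.banker` to list which granted permissions are actually revocable, prints the matching revoke commands as a dry run, and picks the removal command based on where the package is installed. The dumpsys excerpt embedded here is constructed sample data; the `/system/app/CrocodilusUpdates/` path is the persistence location this post mentions.

```shell
#!/bin/sh
# Added example, not from the original post: turn a `dumpsys package` excerpt
# into concrete remediation commands. The excerpt below is constructed sample
# data, not real device output.

DUMP="${TMPDIR:-/tmp}/crocodilus_dumpsys.$$.txt"
cat > "$DUMP" <<'EOF'
Packages:
  Package [com.crocodilus.banker] (a1b2c3):
    userId=10123
    codePath=/system/app/CrocodilusUpdates
    requested permissions:
      android.permission.INTERNET
      android.permission.READ_SMS
      android.permission.RECEIVE_SMS
      android.permission.READ_CONTACTS
    install permissions:
      android.permission.INTERNET: granted=true
    User 0: installed=true hidden=false suspended=false stopped=false enabled=0
      runtime permissions:
        android.permission.READ_SMS: granted=true, flags=[ USER_SET ]
        android.permission.RECEIVE_SMS: granted=true, flags=[ USER_SET ]
        android.permission.READ_CONTACTS: granted=false, flags=[ USER_SET ]
EOF

# permission_grants DUMPFILE
# Prints "SECTION PERMISSION granted|denied" for the install and runtime blocks.
permission_grants() {
    awk '
        /runtime permissions:/ { section = "runtime"; next }
        /install permissions:/ { section = "install"; next }
        section != "" && $1 ~ /^android\.permission\./ {
            perm = $1; sub(/:$/, "", perm)
            print section, perm, ($0 ~ /granted=true/ ? "granted" : "denied")
            next
        }
        { section = "" }   # any other line ends the current block
    ' "$1"
}

# revocable_permissions DUMPFILE
# Only granted *runtime* permissions can be removed with `pm revoke`.
revocable_permissions() {
    permission_grants "$1" | awk '$1 == "runtime" && $3 == "granted" { print $2 }'
}

# revoke_commands PKG DUMPFILE  (dry run: prints the commands, does not run them)
revoke_commands() {
    revocable_permissions "$2" | awk -v pkg="$1" '{ print "adb shell pm revoke", pkg, $0 }'
}

# install_location DUMPFILE -> "system PATH" or "data PATH"
install_location() {
    awk '
        /^ *codePath=/ {
            sub(/^ *codePath=/, "")
            kind = ($0 ~ /^\/system\//) ? "system" : "data"
            print kind, $0; exit
        }
    ' "$1"
}

# removal_command PKG DUMPFILE
# A system-partition app cannot be uninstalled outright; `--user 0` removes it
# for the user, but the copy on /system stays until the partition is cleaned.
removal_command() {
    case "$(install_location "$2")" in
        system*) echo "adb shell pm uninstall --user 0 $1" ;;
        *)       echo "adb shell pm uninstall $1" ;;
    esac
}

PKG=com.crocodilus.banker
permission_grants "$DUMP"
echo "--- revoke (dry run) ---"
revoke_commands "$PKG" "$DUMP"
echo "--- removal ---"
removal_command "$PKG" "$DUMP"
```

Pipe `revoke_commands` into `sh` once the list looks right. On the sample, INTERNET is listed under install permissions and is left alone, READ_SMS and RECEIVE_SMS get revoke commands, and because the codePath is under /system/ the removal command uses `--user 0`.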

What Undercode Say

Crocodilus demonstrates the increasing sophistication of Android banking malware. Key takeaways:
– Logs can contain attacker signatures (like the “hello” message).
– Dynamic analysis is critical to understand runtime behavior.
– Network monitoring helps detect C2 servers.

Expected Output:

[*] Crocodilus initialization detected!
[*] C2 Server IP: 185.143.223.47
[*] Persistence found in /system/app/CrocodilusUpdates/

Prediction

Future versions may use AI-driven evasion or polymorphic code to bypass detection. Security researchers should focus on behavioral analysis rather than signature-based detection.

Expected Output:

Analysis complete. Malware neutralized. Monitor for new IOCs. 

Reported By: Lukasstefanko Crocodilus – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅
