This Malware Adds a ‘Trusted’ Contact to Your Android Phone

As scam detection features for calls and texts get more sophisticated, so too do the threats designed to evade such measures. Right now, Android users are being targeted with malware that can create fake contacts on your device, so calls and texts from threat actors appear under a trustworthy name rather than an unfamiliar number, making you more likely to fall for them.

How the Crocodilus malware works

The Crocodilus malware, first identified by fraud prevention firm ThreatFabric earlier this year, is a device takeover Trojan initially deployed to trick users into giving up crypto wallet seed phrases under the guise of needing to back up their keys. Once downloaded—such as via a malicious ad, smishing campaign, or third-party app—the malware was able to evade Play Protect on Android 13 (and later) and gain access to Accessibility Service, ultimately logging and harvesting typed account credentials. As a result, threat actors could gain control of and empty victims’ crypto wallets.

The latest iteration of the program has evolved to deploy a command that adds contacts to a device locally. If an attacker calls, they’ll appear in caller ID under a seemingly legitimate name, such as “Bank Support,” making targets more likely to answer and trust the contact. As Bleeping Computer reports, the fake contact isn’t connected to your Google account, so it’ll show up only on the compromised device, not any others you’ve logged into.
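Because the planted contact is stored only on the device, it can be spotted by listing raw contacts that are not tied to a synced account. The following is an added example, not code from the article or from ThreatFabric: it parses the output of Android's `content query` shell command, and the sample rows, the keyword list, and the assumption that legitimate contacts sync under the `com.google` account type are all constructed for illustration.

```python
import re

# Constructed sample of the output of:
#   adb shell content query --uri content://com.android.contacts/raw_contacts \
#       --projection _id:account_type:account_name:display_name
SAMPLE = """\
Row: 0 _id=1, account_type=com.google, account_name=user@example.com, display_name=Alice Example
Row: 1 _id=2, account_type=com.google, account_name=user@example.com, display_name=Bank of Example, Inc.
Row: 2 _id=57, account_type=NULL, account_name=NULL, display_name=Bank Support
Row: 3 _id=58, account_type=NULL, account_name=NULL, display_name=Grandma
"""

COLUMNS = ("_id", "account_type", "account_name", "display_name")
# Assumption: contacts the user created are synced to a Google account.
SYNCED_TYPES = {"com.google"}
# Hypothetical keyword list for names that impersonate an institution.
KEYWORDS = re.compile(r"\b(bank|support|security|fraud|helpdesk)\b", re.I)
# Split only on ", <known column>=" so commas inside a name survive.
FIELD_SEP = re.compile(r", (?=(?:%s)=)" % "|".join(map(re.escape, COLUMNS)))


def parse_row(line):
    """Turn one 'Row: N col=val, col=val' line into a dict (NULL -> None)."""
    body = re.sub(r"^Row: \d+ ", "", line.strip())
    fields = {}
    for part in FIELD_SEP.split(body):
        key, _, value = part.partition("=")
        fields[key] = None if value == "NULL" else value
    return fields


def review_contacts(dump):
    """Return (_id, display_name) for device-only contacts with trust-bait names."""
    findings = []
    for line in dump.splitlines():
        if not line.startswith("Row:"):
            continue
        row = parse_row(line)
        local_only = row.get("account_type") not in SYNCED_TYPES
        name = row.get("display_name") or ""
        if local_only and KEYWORDS.search(name):
            findings.append((row["_id"], name))
    return findings


if __name__ == "__main__":
    for contact_id, name in review_contacts(SAMPLE):
        print(f"review raw contact {contact_id}: {name!r} is stored only on this device")
```

Some phone makers store ordinary device-only contacts under their own account type, so a hit is a prompt to check the entry, not proof of infection.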

What Android users need to do

At first, Crocodilus campaigns were limited to a few countries, but the malware has now spread around the world, including to the U.S. To avoid infecting your Android device, stick to Google Play for downloading trusted apps and software, and keep Play Protect active to catch as many threats as possible.

Of course, you should also be vigilant for signs of social engineering tactics, which threat actors use to trick you into installing malware or providing sensitive personal information. These phishing campaigns and other cyber attacks exploit human psychology using tricks like impersonation of authority, and they usually play on emotions like fear or greed.

Never download attachments or click links in unsolicited emails or texts; navigate to websites directly instead. Call a company via its public contact number rather than trusting a number that calls you if you’re not sure about the legitimacy of a message. Don’t react to anything that seems urgent or provokes strong emotions. Also avoid clicking ads, downloading software, or following instructions from social media, which can also be vectors for malware.
