Android users should be wary of new malware that turns contacts into phishing tools.

Phan Van Hoa June 5, 2025 06:44

A new Android malware is causing widespread panic among users by making it impossible for them to distinguish between real and fake calls.

According to BleepingComputer, the malware in question is called Crocodilus, first discovered in March of this year by the cybersecurity company ThreatFabric (Netherlands). By cleverly inserting fake contacts into the phonebook, this malware turns the phone into a tool to deceive its owner.

Initially, Crocodilus targeted cryptocurrency users in Türkiye to steal assets from their digital wallets. However, its spread has rapidly expanded globally, currently attacking Android devices in the US, Spain, Argentina, Brazil, Indonesia, and India.

Illustrative image.

In a new report, Canadian security firm Field Effect stated that Crocodilus uses a custom "dropper" to bypass Android's default defense mechanisms.

Notably, it doesn't require access to Accessibility Services or any special user permissions to infect a device successfully. Crocodilus can even bypass Google Play Protect, a key security layer of the Android operating system.

The latest threat from Crocodilus is causing particular concern among security experts because it has the ability to add fake contacts to users' address books. This allows hackers to carry out extremely convincing impersonation attacks.

For example, you might receive a call that looks like it's from your bank, right after accessing a malicious website. In reality, it could be a sophisticated scam designed to steal your personal or financial information.

Here's what you need to know about Crocodilus, including how it works and what measures you can take to protect your device from this spreading malware.

When your contact list becomes an extension of a hacker's arm.

Despite its relatively recent appearance, Crocodilus has quickly become one of the most dangerous Android malware programs currently in circulation, boasting a range of sophisticated attack features.

In addition to its ability to remotely control devices, steal data, and spoof financial app interfaces to trick users into entering login information, Crocodilus has recently been updated with a worrying feature: automatically adding fake contacts to the victim's phone.

Specifically, this malware can insert fake contacts under the names of reputable organizations such as banks, large companies, or even friends and relatives into your phone's contact list.

When a call comes in from one of the numbers planted this way, the device doesn't display the real number but instead shows the name from the fake contact profile. This makes it easy for users to fall for phone scams without suspecting anything.

Malware is becoming increasingly sophisticated, and Android users need to be more vigilant than ever, especially as new types of malware like Crocodilus are constantly emerging and quickly being updated to evade defense measures. Photo: Internet.

In today's context, where people tend to text instead of call, receiving a text message or call from a relative requesting an urgent money transfer can easily catch victims off guard. And with Crocodilus, such scams become more convincing than ever.

Notably, these fake contacts are not linked to the Google account and are not synced to other devices. They only exist locally on the infected device, allowing Crocodilus to operate silently without arousing suspicion when users use Google services like Contacts or Gmail on other devices.
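The local-only property described above is something a defender can check for. The Python below is an added example, not code from the article or from the firms it cites: it parses the text output of `adb shell content query --uri content://com.android.contacts/raw_contacts` and lists contacts that are not tied to a sync account. The sample rows, the keyword watch-list and the set of "local" account types are constructed assumptions; how a device labels local contacts varies by vendor.

```python
import re

# Constructed sample of `content query` output (not captured from a real device).
SAMPLE = """\
Row: 0 _id=1, display_name=Alice Nguyen, account_type=com.google, account_name=user@example.com, deleted=0
Row: 1 _id=2, display_name=Bank Support, account_type=NULL, account_name=NULL, deleted=0
Row: 2 _id=3, display_name=Old SIM Entry, account_type=NULL, account_name=NULL, deleted=1
Row: 3 _id=4, display_name=Smith, John, account_type=com.google, account_name=user@example.com, deleted=0
Row: 4 _id=5, display_name=Plumber, account_type=vnd.sec.contact.phone, account_name=vnd.sec.contact.phone, deleted=0
"""

# Assumption: account types meaning "stored on this device only" (vendor-specific).
LOCAL_TYPES = {"NULL", "", "vnd.sec.contact.phone"}
# Hypothetical watch-list of words an impersonating contact name might contain.
WATCH = ("bank", "support", "security", "fraud")

# key=value pairs separated by ", "; the lookahead lets values contain commas.
FIELD = re.compile(r"(\w+)=(.*?)(?=, \w+=|$)")


def parse_rows(text):
    """Turn each 'Row: N k=v, k=v' line into a dict of column -> value."""
    rows = []
    for line in text.splitlines():
        m = re.match(r"Row: \d+ (.*)$", line)
        if m:
            rows.append(dict(FIELD.findall(m.group(1))))
    return rows


def local_only(rows):
    """Keep live (not deleted) contacts that belong to no sync account."""
    return [r for r in rows
            if r.get("deleted") != "1"
            and r.get("account_type", "NULL") in LOCAL_TYPES]


def triage(text):
    """Return (_id, name, priority) for every local-only contact."""
    out = []
    for r in local_only(parse_rows(text)):
        name = r.get("display_name", "")
        pri = "high" if any(k in name.lower() for k in WATCH) else "review"
        out.append((r["_id"], name, pri))
    return out


if __name__ == "__main__":
    for item in triage(SAMPLE):
        print(item)
```

Contacts the owner deliberately saved to the device also appear in this list, so the output is a set of entries to compare against what the owner remembers adding, not a verdict.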

It is still unclear exactly how Crocodilus infects Android phones, but according to Field Effect, the malware is most likely distributed through malicious websites, fake social media promotional campaigns, SMS messages, or third-party app stores, where app vetting is often much laxer than on Google Play.

How can I protect my Android device from malware?

In the increasingly complex mobile world, Android users need to be more vigilant than ever, especially as new types of malware like Crocodilus constantly emerge and are quickly updated to evade defense measures.

From accidentally clicking on a malicious link to downloading an app infected with malware, even a small oversight can make your device a target.

That's why limiting the number of installed apps is one of the simplest and most effective ways to stay safe. With fewer apps, managing, updating, and monitoring their activity becomes easier, meaning you can detect and address threats more quickly.

In addition, you should only download apps from official sources such as the Google Play Store, Samsung Galaxy Store, or Amazon App Store. Unofficial app stores often lack rigorous security review processes, creating opportunities for malware to infiltrate users' devices.

Another important layer of protection is Google Play Protect, a built-in security tool on Android that scans installed apps and detects unusual behavior.

However, because hackers are becoming increasingly sophisticated and capable of bypassing default defense systems, you should also consider using a reputable antivirus application to enhance your security.

In cases of greater risk, such as targeted attacks or identity theft, identity protection services are also a worthwhile option, helping you recover information and finances after the incident.

Given Crocodilus's rapid development and adaptation, this may not be the last time we face the threat from this type of malware. As attack campaigns spread to many countries, raising awareness and proactive prevention are crucial.

According to Tomsguide, BleepingComputer