Android users need to be wary of new malware that turns contacts into scam tools

Phan Van Hoa 06:44

A new Android malware is causing panic among users by making it impossible for them to distinguish between real and fake calls.

According to BleepingComputer, the malware in question is called Crocodilus, first discovered in March this year by Dutch cybersecurity firm ThreatFabric. By cleverly inserting fake contact numbers into the phonebook, the malware turns the phone into a tool to deceive its owner.

Crocodilus initially targeted cryptocurrency users in Türkiye to steal digital wallets. However, its reach has rapidly expanded globally, and it is now attacking Android devices in the United States, Spain, Argentina, Brazil, Indonesia, and India.

Illustration photo.

In a new report, Canadian security firm Field Effect said Crocodilus uses a custom “dropper” to bypass Android’s default defense mechanisms.

Notably, it doesn't need access to the Accessibility Service or any special user permissions to successfully infect a device. Crocodilus can even bypass Google Play Protect, a key security layer of the Android operating system.

The latest Crocodilus threat is of particular concern to security experts because it can add fake contacts to users' address books, allowing hackers to carry out extremely convincing impersonation attacks.

For example, you may receive a call that appears to be from your bank shortly after visiting a malicious website. In reality, it could be a sophisticated ploy to steal your personal or financial information.

Here's what you need to know about Crocodilus, including how it works and what you can do to protect your devices from this widespread malware.

When your own contacts become an extension of hackers

Although it has only been around for a short time, Crocodilus has quickly become one of the most dangerous Android malware strains today, with a series of sophisticated attack features.

Not only is Crocodilus capable of remotely controlling devices, stealing data, and spoofing financial app interfaces to trick users into entering login information, it has also been updated with a worrying feature that automatically adds fake contacts to the victim's phone.

Specifically, this malware can insert virtual contacts with the names of reputable organizations such as banks, large companies, or even friends and relatives into the phone's contact list.

When a call comes in from one of these numbers, the device does not display the real number but instead shows the name from the fake contact profile. This makes it easy for users to fall into the trap of phone scams without suspecting anything.

Malware is becoming increasingly sophisticated, and Android users need to be more vigilant than ever, especially as new types of malware like Crocodilus continue to appear and are quickly updated to evade defenses. Photo: Internet.

In today’s climate, when people tend to text rather than call, receiving a text or call from a loved one asking for an urgent money transfer can easily catch a victim off guard. And with Crocodilus, such scams are more convincing than ever.

Notably, these fake contacts are not linked to a Google account and are not synced to other devices. They only exist locally on the infected device, allowing Crocodilus to operate silently without raising suspicion when users use Google services such as Contacts or Gmail on other devices.
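Because the planted contacts are local-only, listing raw contacts that have no synced account is a useful triage step. The sketch below is an added example, not code from the article or from the vendors it cites; the sample dump is constructed, the watch-words are hypothetical, and the local account types are an assumption about how the device stores unsynced contacts.

```python
import re

# Account types treated as device-local (assumption: AOSP stores local
# contacts with a NULL account; some OEMs use their own local type).
LOCAL_ACCOUNT_TYPES = {"NULL", "", "vnd.sec.contact.phone"}
# Hypothetical watch-words for names an impersonator would pick.
WATCH_WORDS = ("bank", "support", "security", "fraud")

ROW_RE = re.compile(r"^Row: \d+ (.*)$")
# Split on ", " only when a column name follows, so "Smith, John" survives.
FIELD_SPLIT_RE = re.compile(r", (?=[A-Za-z_]+=)")

def parse_rows(dump):
    """Parse `content query` style output lines into dicts."""
    rows = []
    for line in dump.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        fields = {}
        for part in FIELD_SPLIT_RE.split(m.group(1)):
            key, _, value = part.partition("=")
            fields[key] = value
        rows.append(fields)
    return rows

def triage_local_contacts(dump):
    """Return (display_name, priority) for raw contacts with no synced account."""
    findings = []
    for row in parse_rows(dump):
        if row.get("account_type", "NULL") not in LOCAL_ACCOUNT_TYPES:
            continue
        name = row.get("display_name", "")
        high = any(w in name.lower() for w in WATCH_WORDS)
        findings.append((name, "high" if high else "review"))
    return findings

# Constructed sample in the format printed by:
#   adb shell content query --uri content://com.android.contacts/raw_contacts \
#       --projection _id:display_name:account_type:account_name
SAMPLE_DUMP = """\
Row: 0 _id=1, display_name=Mai Tran, account_type=com.google, account_name=user@example.com
Row: 1 _id=2, display_name=Bank Support, account_type=NULL, account_name=NULL
Row: 2 _id=3, display_name=Uncle Binh, account_type=NULL, account_name=NULL
Row: 3 _id=4, display_name=Smith, John, account_type=com.google, account_name=user@example.com
"""

if __name__ == "__main__":
    for name, priority in triage_local_contacts(SAMPLE_DUMP):
        print(f"{priority:6} {name}")
```

Many people keep legitimate local contacts, so the output is a review list rather than a verdict; entries the owner does not remember creating are the ones to investigate.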

It's still unclear exactly how Crocodilus infects Android phones, but Field Effect says the malware is likely distributed through malicious websites, fake social media promotions, SMS messages, or apps from third-party app stores, where app vetting is often much looser than on Google Play.

How to protect Android devices from malware?

In an increasingly complex mobile world, Android users need to be more vigilant than ever, especially as new malware strains like Crocodilus continue to emerge and are rapidly updated to evade defenses.

From accidentally clicking a malicious link to downloading a malware-infected app, just a small mistake can make your device a target.

That’s why limiting the number of apps you install is one of the simplest and most effective ways to stay safe. Having fewer apps makes it easier to manage, update, and monitor their activity, which means you can spot and address threats more quickly.

Additionally, you should only download apps from official sources such as the Google Play Store, Samsung Galaxy Store, or Amazon App Store. Unofficial app stores often lack strict security review processes, making it easier for malware to sneak onto users' devices.

Another important layer of protection is Google Play Protect, a security tool built into Android that scans installed apps and detects unusual behavior.

However, as hackers become increasingly sophisticated and able to bypass default defenses, you should also consider using a reputable antivirus application for added protection.

In the event of a larger risk such as a targeted attack or identity theft, identity protection services are also an option worth considering, helping you recover your information and finances after an incident.

Given the rapid pace at which Crocodilus evolves and adapts, this is unlikely to be the last time we face the threat of this type of malware. As campaigns spread to multiple countries, awareness and proactive prevention cannot be overlooked.

According to Tomsguide, BleepingComputer