Android users need to be wary of new malware that turns contacts into scam tools
A new Android malware makes it hard for users to tell a genuine call from a fraudulent one.
According to BleepingComputer, the malware, called Crocodilus, was first documented in March this year by Dutch cybersecurity firm ThreatFabric. By quietly inserting fake entries into the phone's contact list, the malware turns the victim's own phonebook into a tool for deceiving them.
Crocodilus initially targeted cryptocurrency users in Türkiye, attempting to drain their wallets. Its reach has since expanded rapidly, and it is now attacking Android devices in the United States, Spain, Argentina, Brazil, Indonesia, and India.

In a new report, Canadian security firm Field Effect said Crocodilus uses a custom "dropper" to get past Android's built-in defenses.
Notably, according to the report, the dropper does not rely on the Accessibility Service or on any special user permissions to install its payload, and Crocodilus can also slip past Google Play Protect, the app-scanning layer built into Android.
The latest Crocodilus update is of particular concern to security experts because it can add fake contacts to the victim's address book, so that an attacker's number shows up on screen under a trusted name.
For example, shortly after visiting a malicious website you might receive a call whose caller ID reads as your bank. In reality, the name is shown only because the number matches a contact the malware planted, and the call is a ploy to steal your personal or financial information.
Here's what you need to know about Crocodilus, including how it works and what measures you can take to protect your devices against this widespread malware.
When your own contacts become an extension of hackers
Although it has only been around for a few months, Crocodilus has quickly become one of the most dangerous Android malware families today thanks to a series of sophisticated attack features.
It is already capable of remotely controlling the device, stealing data, and overlaying fake login screens on financial apps to trick users into entering their credentials; the latest update adds a worrying new capability: automatically adding fake contacts to the victim's phone.
Specifically, the malware can insert bogus contacts carrying the names of reputable organizations such as banks or large companies, or even the names of friends and relatives, into the phone's contact list.
When a call then comes in from one of those attacker-controlled numbers, the phone does not present it as an unknown number; it displays the name from the planted contact, exactly as it would for a real one. This makes it easy for users to fall for a phone scam without any suspicion.

In today's climate, where people tend to text rather than call, a text message or call from a loved one asking for an urgent money transfer can easily catch a victim off guard. And with Crocodilus, such scams are more convincing than ever.
Notably, these fake contacts are not linked to a Google account and are not synced to other devices. They exist only locally on the infected device, which lets Crocodilus operate silently: a user who opens Google Contacts or Gmail on another device will see nothing out of place.
It is still unclear exactly how Crocodilus reaches Android phones, but Field Effect says the malware is likely distributed through malicious websites, fake social media promotions, SMS messages, or apps from third-party app stores, where app review is often much laxer than on Google Play.
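The two details above, a planted contact that matches the caller's number and the fact that it belongs to no sync account, suggest a quick triage check. The script below is an added example and is not code from the article, ThreatFabric or Field Effect: it lists raw contacts that have no account behind them. On a real device the rows come from `adb shell content query` against the contacts provider (command shown in the comments); here a constructed sample of that output is embedded so the script runs offline. The sample names and the assumption that a local-only contact has `account_type=NULL` are mine; some vendors (Samsung, for instance) give device-only contacts a vendor-specific account type instead, so on such phones inspect the `account_type` column rather than relying on `NULL` alone.

```shell
#!/bin/sh
# Added example (not from the article or from ThreatFabric/Field Effect):
# list contacts that exist only on the device, i.e. raw contacts that belong
# to no sync account. Crocodilus plants its fake entries this way, so a
# contact that carries a bank's name but has no account behind it deserves a look.
#
# On a real device, pull the rows with adb (USB debugging required):
#   adb shell content query --uri content://com.android.contacts/raw_contacts \
#       --projection _id:display_name_primary:account_type:account_name
#
# Constructed sample mimicking that output so the script runs offline.
# (Assumption: device-only contacts report account_type=NULL; some vendors
#  use a vendor-specific account type instead.)
SAMPLE_ROWS='Row: 0 _id=1, display_name_primary=Alice Nguyen, account_type=com.google, account_name=alice@example.com
Row: 1 _id=2, display_name_primary=MyBank Support, account_type=NULL, account_name=NULL
Row: 2 _id=3, display_name_primary=Dad, account_type=com.google, account_name=alice@example.com
Row: 3 _id=4, display_name_primary=Tax Office, account_type=NULL, account_name=NULL'

# Print the display name of every raw contact that has no sync account.
local_only_contacts() {
    printf '%s\n' "$1" | awk '
        /account_type=NULL/ {
            # keep only the text between "display_name_primary=" and ", account_type="
            sub(/.*display_name_primary=/, "")
            sub(/, account_type=.*/, "")
            print
        }'
}

# Number of such contacts, a cheap signal for triage across many devices.
local_only_count() {
    local_only_contacts "$1" | awk 'END { print NR }'
}

local_only_contacts "$SAMPLE_ROWS"
```

A hit is not proof of infection: contacts entered by hand on a phone with no sync account look identical. The point is that a name like "MyBank Support" with no account of record, on a device whose owner keeps everything in Google Contacts, is exactly the artifact this campaign leaves behind.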
How to protect Android devices from malware?
In an increasingly complex mobile landscape, Android users need to be more vigilant than ever, especially as new malware families like Crocodilus keep emerging and are updated rapidly to evade defenses.
From accidentally tapping a malicious link to downloading a malware-laced app, a single small mistake can make your device a target.
That is why limiting the number of apps you install is one of the simplest and most effective ways to stay safe. Fewer apps are easier to manage, update, and monitor, so you can spot and deal with a threat more quickly.
Additionally, only download apps from official sources such as the Google Play Store, the Samsung Galaxy Store, or the Amazon Appstore. Unofficial marketplaces often lack a strict security review process, which lets malware slip onto users' devices.
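Because Crocodilus arrives by sideloading rather than through a store, one concrete way to act on the advice above is to check which installer each third-party app came from. The script below is an added example, not code from the article or from any vendor named in it: it parses the output of `adb shell pm list packages -i -3` and flags packages whose installer of record is not one of a trusted set. A constructed sample of that output is embedded so it runs offline; the trusted-installer list (Google Play, Galaxy Store, Amazon Appstore package names) and the sample package names are my assumptions and should be adjusted for your own fleet.

```shell
#!/bin/sh
# Added example (not from the article): list installed third-party packages
# whose installer of record is not a store you trust. A package installed by
# a browser, a messaging app, or with no installer at all ("null", typical of a
# manual APK install) is how a sideloaded dropper shows up.
#
# On a device with USB debugging enabled the real data comes from:
#   adb shell pm list packages -i -3     # -i: show installer, -3: third-party only
#
# Constructed sample of that output so the script runs offline.
SAMPLE_PACKAGES='package:com.example.bankapp  installer=com.android.vending
package:com.example.wallet  installer=null
package:com.example.game  installer=com.sec.android.app.samsungapps
package:com.example.update  installer=com.android.chrome'

# Installers treated as trusted stores. Assumption: Play, Galaxy Store and
# Amazon Appstore package names; edit this list for your environment.
TRUSTED_INSTALLERS='com.android.vending com.sec.android.app.samsungapps com.amazon.venezia'

# Print "<package> <installer>" for every package not installed by a trusted store.
untrusted_installs() {
    printf '%s\n' "$1" | awk -v trusted="$TRUSTED_INSTALLERS" '
        BEGIN {
            n = split(trusted, t, " ")
            for (i = 1; i <= n; i++) ok[t[i]] = 1
        }
        /^package:/ {
            pkg = $1;  sub(/^package:/, "", pkg)
            inst = $2; sub(/^installer=/, "", inst)
            if (!(inst in ok)) print pkg, inst
        }'
}

# Number of flagged packages, useful as a one-line summary per device.
untrusted_count() {
    untrusted_installs "$1" | awk 'END { print NR }'
}

untrusted_installs "$SAMPLE_PACKAGES"
```

The installer field records which package invoked the install, so it tells you how an app got on the device, not whether the app is malicious. Treat a flagged entry as a lead to investigate: check the app's permissions, its requested Accessibility access, and whether the user actually remembers installing it.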
Another important layer of protection is Google Play Protect, the security tool built into Android that scans installed apps and flags suspicious behavior.
However, since attackers are increasingly able to bypass these default defenses, as Crocodilus does, you should also consider a reputable mobile security app for an added layer of detection.
In the event of a larger incident, such as a targeted attack or identity theft, an identity protection service is also worth considering, as it can help you recover your information and finances afterwards.
Given how quickly Crocodilus evolves and adapts, this is unlikely to be the last time we face this kind of threat. With attack campaigns spreading across many countries, awareness and proactive prevention are not something to take lightly.