Crocodilus Adds Fake Contacts on Android to Deceive via Calls

Written by Adan Cuevas | Jun 3, 2025 10:28:24 PM

The new version of the Android malware Crocodilus comes with a rather cunning tactic: it can now add fake contacts to your address book so that when you receive a call, you believe it's someone you trust, when in reality it's the attacker. This isn't the only new feature. Several enhancements have also been added to help the malware stay under the radar, and all signs suggest that its attacks are expanding globally.

Crocodilus Spreads Worldwide

Initially, Crocodilus appeared only in small, localized campaigns, such as in Turkey. Its tactics were quite basic: for instance, it displayed fake messages warning users to back up their cryptocurrency keys "within 12 hours or risk losing access." It was a simple attempt at social engineering.

But those days are gone. Today, Crocodilus has become much more sophisticated and is spreading globally, with activity reported across several continents.

Heat Map of Recent Crocodilus Victims (Source: Threat Fabric)

The new versions of the malware show significant advancements. On one hand, it is now much harder to detect: it hides its payload code inside the installer (the "dropper"), encrypts it using techniques such as XOR, and has begun using complex obfuscation methods that make it nearly impossible to unpack or analyze.
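An analyst triaging a dropper of this kind does not need to reverse the whole unpacking routine to confirm that an encrypted payload is present: a known file header can be searched for under every candidate key. The script below is an added example written for this article, not code from Crocodilus, from ThreatFabric, or from any real sample. It assumes the hidden code is a DEX file and that a single-byte XOR key was used, which is the simplest case the article's "techniques such as XOR" covers; the sample asset bytes are constructed here and contain no real malware.

```python
# Magic bytes at the start of a Dalvik executable (the ".dex" format, version 035).
DEX_MAGIC = b"dex\n035\x00"


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte of data with a single-byte key."""
    return bytes(b ^ key for b in data)


def find_single_byte_xor_dex(blob: bytes):
    """Locate a DEX header hidden under a single-byte XOR key.

    Instead of decoding the whole blob 256 times, the magic itself is encoded
    with each candidate key and searched for directly. Returns (key, offset)
    for the first key that matches, or None. Key 0 is included so that an
    unencrypted embedded DEX is reported too.
    """
    for key in range(256):
        offset = blob.find(xor_bytes(DEX_MAGIC, key))
        if offset != -1:
            return key, offset
    return None


def extract_hidden_dex(blob: bytes):
    """Return (key, decoded bytes from the DEX header onwards), or None."""
    hit = find_single_byte_xor_dex(blob)
    if hit is None:
        return None
    key, offset = hit
    return key, xor_bytes(blob[offset:], key)


# Constructed sample "asset" for this example: filler bytes followed by a
# DEX-like payload XOR-encrypted with key 0x5A (assumed key; no real malware bytes).
_FAKE_PAYLOAD = DEX_MAGIC + b"\x00" * 16 + b"example-code-bytes"
SAMPLE_ASSET = b"PNGjunk" * 8 + xor_bytes(_FAKE_PAYLOAD, 0x5A)

if __name__ == "__main__":
    hit = extract_hidden_dex(SAMPLE_ASSET)
    if hit:
        key, dex = hit
        print(f"hidden DEX found: key=0x{key:02x}, {len(dex)} bytes, header={dex[:8]!r}")
    else:
        print("no single-byte XOR DEX header found")
```

Run it against any file pulled out of an APK's assets or resources directory; a hit gives both the key and the offset at which a real DEX parser can take over. Multi-byte or rolling keys defeat this particular scan, so a miss is not proof that nothing is hidden.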

In addition, it has improved its data theft methods. Previously, it simply sent the captured data to the attacker, but now it analyzes that information directly on the infected device before sending it, allowing for more selective and “clean” data collection. In short, it is smarter and much more dangerous than in its early days.


Fake Contacts: Crocodilus' New Trap

One of the most unsettling things the new version of the Crocodilus malware does is create fake contacts directly on your phone. Yes, just like it sounds. The malware can add names to your contact list that you didn’t add yourself, all so that when you receive a call, you see a familiar name instead of an unknown number.

Imagine getting a call from someone listed as “Bank Support” or even with the name of a family member, when in reality, it’s the attacker. That’s exactly what Crocodilus aims to achieve: to make you trust the call and let your guard down.

JS Snippet to Create a New Contact on the Device

This trick is triggered by a specific command received by the malware. When executed, it uses Android's ContentProvider interface, the same contacts provider that legitimate apps write to, to add the fake contact to your list.

What's most concerning is that these contacts aren't linked to your Google account. That means they don't sync to your other devices, so the fake entry exists only on the infected phone, which makes the deception even harder to detect.

All of this shows that Crocodilus is becoming increasingly cunning. It's relying heavily on social engineering, a technique based on directly deceiving the user rather than just silently stealing data. And that makes it even more dangerous.
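The "not linked to any account" property described above is also what makes these entries findable. The script below is an added example for this article, not code from the article, from ThreatFabric or from the malware: it reads a listing of the device's raw contacts and shortlists entries that have no sync account, flagging in particular names that mimic a bank or support line and local-only entries that duplicate the name of a contact that is already synced. The sample lines are constructed in the layout that `adb shell content query` prints (`Row: N col=value, ...`, with `NULL` for empty columns), which is an assumption about that tool's output format, and the impersonation word list is likewise an assumption built from the labels the article cites.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample output, in the format assumed for
#   adb shell content query --uri content://com.android.contacts/raw_contacts \
#       --projection _id:account_type:account_name:display_name
SAMPLE_QUERY_OUTPUT = """\
Row: 0 _id=1, account_type=com.google, account_name=alice@example.com, display_name=Alice Example
Row: 1 _id=2, account_type=com.google, account_name=alice@example.com, display_name=Mom
Row: 2 _id=3, account_type=NULL, account_name=NULL, display_name=Bank Support
Row: 3 _id=4, account_type=NULL, account_name=NULL, display_name=Mom
"""

# Assumed watchlist of labels that make an incoming call look trustworthy
# (the article cites "Bank Support" and family names).
IMPERSONATION_TERMS = ("bank", "support", "security", "fraud")

ROW_RE = re.compile(r"^Row: \d+ (?P<fields>.*)$")


@dataclass
class RawContact:
    raw_id: str
    account_type: Optional[str]
    account_name: Optional[str]
    display_name: str

    @property
    def local_only(self) -> bool:
        # No account_type means the raw contact lives only on this device and
        # never syncs to a Google (or other) account, as the article describes.
        return self.account_type is None


def parse_content_query(output: str) -> List[RawContact]:
    """Parse 'Row: N k=v, k=v, ...' lines into RawContact records."""
    contacts: List[RawContact] = []
    for line in output.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue
        fields = {}
        # Split on ", " only where the next token looks like a column name,
        # so a value containing a comma is not broken apart.
        for pair in re.split(r", (?=\w+=)", m.group("fields")):
            key, _, value = pair.partition("=")
            fields[key] = None if value == "NULL" else value
        contacts.append(RawContact(
            raw_id=fields.get("_id", ""),
            account_type=fields.get("account_type"),
            account_name=fields.get("account_name"),
            display_name=fields.get("display_name") or "",
        ))
    return contacts


def find_suspicious_contacts(contacts: List[RawContact]) -> List[Tuple[str, str, List[str]]]:
    """Return (raw_id, display_name, reasons) for local-only entries worth reviewing."""
    synced_names = {c.display_name.casefold() for c in contacts if not c.local_only}
    findings = []
    for c in contacts:
        if not c.local_only:
            continue
        reasons = ["local-only (not synced to any account)"]
        name = c.display_name.casefold()
        if any(term in name for term in IMPERSONATION_TERMS):
            reasons.append("impersonation-style label")
        if name in synced_names:
            reasons.append("duplicates the name of a synced contact")
        findings.append((c.raw_id, c.display_name, reasons))
    return findings


if __name__ == "__main__":
    for raw_id, name, reasons in find_suspicious_contacts(parse_content_query(SAMPLE_QUERY_OUTPUT)):
        print(f"raw contact {raw_id} {name!r}: " + "; ".join(reasons))
```

A local-only contact can be perfectly legitimate (some devices store contacts on the phone by default), so the output is a shortlist for the user to confirm, not a verdict; the two stronger signals are a bank-style label and a name that already exists as a synced contact, which is exactly the call-spoofing setup the article describes.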

How to Protect Yourself

If you use Android, here are some basic steps you can take to avoid falling for this kind of trap:

  1. Download apps only from Google Play or other trusted sources.

  2. Enable Google Play Protect so your device can detect suspicious apps.

  3. Avoid installing more apps than you truly need. The fewer apps you have, the fewer opportunities attackers have to exploit them.