This Android Malware Can Pretend to Be Your Bank

By Sophia Taylor

A new strain of Android malware known as Crocodilus is rapidly spreading across the globe and introducing dangerous new capabilities. The malware’s most recent update includes the ability to add fake contacts to victims’ phones, making it easier for attackers to impersonate trusted sources and launch convincing scams.

Originally detected in March 2025 targeting crypto users in Turkey, Crocodilus has now expanded to victims in the U.S., India, Brazil, Argentina, Spain, and Indonesia. Security researchers warn that the malware is evolving quickly, with features designed to both bypass security protections and trick users through social engineering tactics.

Fig 1. A heatmap of targeted Crocodilus victims. Source: ThreatFabric

Fake Contacts Make Scam Calls Look Real

The standout feature in the latest version of Crocodilus is its ability to programmatically add fake entries to a phone’s contact list. This allows threat actors to assign any name they want—like “Bank Support” or “Mom”—to a number under their control.

When that number then calls or texts the infected phone, the dialer and messaging apps resolve the incoming number against the local contacts database and show the planted name instead of the raw number. The victim sees what looks like a known caller, so the call or message gets the trust that a real contact would, and a scam script that would fail from an unknown number succeeds at a glance.

Because these rogue entries are created outside any sync account, they live only on the infected device. They never show up in Google Contacts on the web or on the user's other devices, so there is no second view in which the new entry would look out of place, and the manipulation is harder to notice or to clean up from elsewhere.
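A practical check that follows from this: since the planted entries belong to no sync account, a triage pass over the device's raw contacts can list every contact that is local-only and flag those whose names read like a bank or a family member. The script below is an added example written for this article, not code from ThreatFabric or from the malware. It assumes it is fed the text that `adb shell content query --uri content://com.android.contacts/raw_contacts --projection _id:display_name:account_type:account_name:deleted` prints on a connected device; the sample output embedded here is constructed, and the vendor account-type value and the keyword list are assumptions to adjust per device.

```python
import re
from typing import Dict, List, Sequence

# Constructed sample of what the `adb shell content query` command above prints.
# These rows are made up for this example. The two NULL-account rows model the
# planted contacts described in the article: present on the device, synced nowhere.
SAMPLE_OUTPUT = """\
Row: 0 _id=3, display_name=Alice Example, account_type=com.google, account_name=alice@example.com, deleted=0
Row: 1 _id=7, display_name=Bank Support, account_type=NULL, account_name=NULL, deleted=0
Row: 2 _id=8, display_name=Mom, account_type=NULL, account_name=NULL, deleted=0
Row: 3 _id=9, display_name=Old Entry, account_type=NULL, account_name=NULL, deleted=1
"""

# One "Row: N key=value, key=value, ..." line per raw contact.
ROW_RE = re.compile(r"^Row:\s*\d+\s+(.*)$")
# Lazy value match that stops only at the next ", key=" boundary, so a value
# containing a comma ("Smith, John") is not split in half.
FIELD_RE = re.compile(r"(\w+)=(.*?)(?=, \w+=|$)")

# account_type values that mean "device-local, not synced". NULL is the AOSP
# default; the Samsung value is an assumption taken from common OEM builds and
# should be confirmed on the device being examined.
LOCAL_ACCOUNT_TYPES = frozenset({"NULL", "", "vnd.sec.contact.phone"})

# Assumed watchlist of words that a scammer would use for a planted contact name.
IMPERSONATION_WORDS: Sequence[str] = ("bank", "support", "security", "fraud", "helpdesk")


def parse_content_query(text: str) -> List[Dict[str, str]]:
    """Turn `content query` output into one dict of column -> value per row."""
    rows: List[Dict[str, str]] = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue  # skip blank lines and anything that is not a row
        rows.append({key: value for key, value in FIELD_RE.findall(m.group(1))})
    return rows


def local_only_contacts(rows: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Keep live raw contacts that belong to no sync account (device-local only)."""
    return [
        r for r in rows
        if r.get("deleted", "0") == "0"
        and r.get("account_type", "NULL") in LOCAL_ACCOUNT_TYPES
    ]


def impersonation_candidates(
    rows: List[Dict[str, str]], words: Sequence[str] = IMPERSONATION_WORDS
) -> List[Dict[str, str]]:
    """Subset of rows whose display name matches the impersonation watchlist."""
    return [
        r for r in rows
        if any(w in r.get("display_name", "").lower() for w in words)
    ]


def triage(text: str) -> Dict[str, List[str]]:
    """Summarise a contacts dump: every local-only name, and the ones worth a close look."""
    local = local_only_contacts(parse_content_query(text))
    return {
        "local_only": [r["display_name"] for r in local],
        "flagged": [r["display_name"] for r in impersonation_candidates(local)],
    }


if __name__ == "__main__":
    summary = triage(SAMPLE_OUTPUT)
    print("Local-only contacts (not synced to any account):")
    for name in summary["local_only"]:
        print("  ", name)
    print("Names matching the impersonation watchlist:")
    for name in summary["flagged"]:
        print("  ", name)
```

A local-only contact is not proof of infection: people do create phone-only contacts, and a factory-fresh device may carry a few. The value of the list is that it is short and reviewable, and that a "Bank Support" or "Mom" entry that the owner does not remember creating, sitting outside the account everything else syncs to, is exactly the artefact this malware leaves behind. The keyword flag is a prompt for a human to look, not a verdict.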

Powerful and Hard to Detect

Crocodilus uses several techniques to avoid detection. It employs code obfuscation, encrypts the data it handles, and arrives through a custom dropper designed to get past Android's usual safeguards, including Google Play Protect. That dropper is also reported to get around the restrictions newer Android versions place on sideloaded apps, which are meant to stop such apps from obtaining powerful permissions such as Accessibility Services.

Once installed, the malware can perform a range of harmful actions. These include stealing personal data, remote control of the device, and overlay attacks that mimic the appearance of legitimate apps to harvest login credentials, especially for banking and financial services.

How to Protect Yourself

Avoid downloading apps from unofficial or third-party app stores, as many malicious apps originate from these sources. Stick to the Google Play Store or other reputable platforms like the Samsung Galaxy Store. Always enable Google Play Protect and consider installing a reputable mobile antivirus app for added protection.

Fig 2. An advert leading to a Crocodilus download. Source: ThreatFabric

Limit the number of apps on your device to reduce your exposure, and keep the system and every app updated. Be cautious of unexpected calls or messages, even when the caller name looks familiar: as described above, that name comes from the contact list on the phone, not from the network, so it proves nothing about who is really calling. If a call or message claims to be from your bank, hang up and call back on the number printed on your card or on the institution's official website, not the number that contacted you.

With Crocodilus continuing to evolve, staying alert is essential.