
Android users beware: A deceptive new malware called “Crocodilus” is adding fake bank contacts to phones, making scam calls appear legitimate while stealing cryptocurrency and sensitive information.
Key Takeaways
- The Crocodilus Android Trojan creates fake trusted contacts like “Bank Support” on infected devices to make phishing calls appear legitimate
- This sophisticated malware specifically targets cryptocurrency wallets by tricking users into revealing their seed phrases
- Crocodilus bypasses Google Play Protect on Android 13+ and has expanded its reach globally including to the United States
- The malware uses Accessibility Services to gain extensive control over infected devices, stealing credentials and enabling remote operation
- Users can protect themselves by only downloading apps from Google Play, keeping security features active, and verifying contacts independently
A New Evolution in Android Malware Tactics
The Crocodilus Android Trojan represents a concerning evolution in mobile malware, utilizing sophisticated social engineering techniques to compromise devices. Initially documented by security firm Threat Fabric in March 2025, the malware has expanded from small-scale campaigns in Turkey to a global threat that now affects American smartphone users. What makes this malware particularly dangerous is its ability to exploit Android’s Accessibility Service, giving attackers near-complete control over infected devices while bypassing traditional security measures that would normally protect users from such intrusions.
“This further increases the attacker’s control over the device. We believe the intent is to add a phone number under a convincing name such as ‘Bank Support,’ allowing the attacker to call the victim while appearing legitimate,” said Threat Fabric.
How the Fake Contact Deception Works
The latest version of Crocodilus introduces a particularly insidious feature: the ability to create fake contacts directly on infected devices. These counterfeit entries appear alongside legitimate contacts in the user’s address book but don’t sync with Google accounts – they exist only on the compromised device. When scammers call or text from these numbers, the victim’s phone displays a trusted name like “Bank Support,” making what would otherwise be suspicious communications appear legitimate. This tactic is specifically designed to bypass built-in scam detection features on modern smartphones.
“Upon receiving the command ‘TRU9MMRHBCRO’, Crocodilus adds a specified contact to the victim’s contact list,” said Threat Fabric.
Cryptocurrency Theft and Data Harvesting Capabilities
The primary objective of Crocodilus appears to be cryptocurrency theft. The malware tricks users into revealing crypto wallet seed phrases through various deceptive tactics, including bogus error messages that prompt users to enter their recovery keys. Once infected, the malware logs and harvests all typed account credentials, giving attackers the ability to control and empty victims’ cryptocurrency wallets. Recent updates to the malware have enhanced its data theft capabilities, allowing it to parse stolen information locally before exfiltration for more targeted attacks.
Infection Methods and Evasion Techniques
Crocodilus spreads through several common attack vectors including malicious advertisements, smishing (SMS phishing) campaigns, and third-party app downloads. The malware employs sophisticated evasion techniques to avoid detection, including code packing, XOR encryption, and deliberately convoluted code that hinders reverse engineering attempts. Most concerning for security experts is the malware’s ability to bypass Google Play Protect on Android 13 and later versions, which should theoretically protect users from such threats. This capability demonstrates the advanced nature of the threat and the continuous cat-and-mouse game between security providers and malware developers.
Protecting Your Device From Crocodilus
To safeguard Android devices against Crocodilus and similar threats, users should implement several security best practices. Download apps exclusively from the Google Play Store rather than third-party sources, and ensure Google Play Protect remains active on your device. Be vigilant about social engineering tactics – avoid downloading attachments or clicking links in unsolicited communications, regardless of how urgent they claim to be. If you receive a call purporting to be from your bank or another trusted entity, hang up and call back using the official number from their website or the back of your credit card.
Regularly check your contacts list for entries you don’t recognize, especially those that appear to be from financial institutions or support services. These could be indicators of compromise. Additionally, avoid reacting to emotionally charged messages demanding immediate action, as these are common social engineering tactics used to bypass your normal security awareness. With Crocodilus rapidly evolving and expanding its reach, maintaining vigilance against these sophisticated attacks has become increasingly important for all Android users.
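The fake contacts described above exist only on the device and belong to no sync account, which gives a responder a concrete thing to look for. The following triage helper is an added example (not code from the article or from Threat Fabric): it parses the output of the standard `adb shell content query` command against the Android contacts provider and flags local-only raw contacts whose name imitates a bank or support line. The sample rows are constructed for this example, and the keyword list is an assumption.

```python
"""Triage helper for local-only 'bank support' contacts.

Expected input is the output of (run on a USB-debugging-enabled device):
  adb shell content query --uri content://com.android.contacts/raw_contacts \
      --projection _id:account_type:account_name:display_name
Raw contacts with a NULL account_type are stored only on the phone and never
sync to a Google account, which matches the contact trick described above.
"""
import re

# Constructed sample of `content query` output: one "Row:" line per raw contact.
SAMPLE_QUERY_OUTPUT = """\
Row: 0 _id=1, account_type=com.google, account_name=alice@example.com, display_name=Mom
Row: 1 _id=2, account_type=com.google, account_name=alice@example.com, display_name=Bob Smith
Row: 2 _id=3, account_type=NULL, account_name=NULL, display_name=Bank Support
Row: 3 _id=4, account_type=NULL, account_name=NULL, display_name=Pizza Place
"""

# Assumed keyword list; extend with the names of banks/wallet vendors relevant to you.
SUSPICIOUS_NAME = re.compile(r"\b(bank|support|fraud|security|helpdesk|wallet)\b", re.I)


def parse_content_query(text):
    """Turn `content query` rows into dicts of column -> value.

    `content query` separates columns with ', ' and writes missing values as NULL.
    A display_name that itself contains ', ' would be split incorrectly here.
    """
    rows = []
    for line in text.splitlines():
        if not line.startswith("Row:"):
            continue
        body = line.split(" ", 2)[2]  # drop the "Row: N" prefix
        rows.append(dict(kv.split("=", 1) for kv in body.split(", ")))
    return rows


def local_only_contacts(rows):
    """Contacts that belong to no sync account (stored only on the device)."""
    return [r for r in rows if r.get("account_type", "NULL") == "NULL"]


def flag_suspicious(rows):
    """Names of local-only contacts that imitate a bank or support line.

    A local-only contact is not proof of infection (SIM or phone-local contacts
    are legitimate); the match is a lead for the user to verify independently.
    """
    return [r["display_name"] for r in local_only_contacts(rows)
            if SUSPICIOUS_NAME.search(r.get("display_name", ""))]
```

Running it on the constructed sample flags only "Bank Support"; "Pizza Place" is also local-only but its name does not match, which is why the account check and the name check are combined.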