This Malware Adds a ‘Trusted’ Contact to Your Android Phone

By Emily Long

As scam detection features for calls and texts get more sophisticated, so too do the threats designed to evade such measures. Right now, Android users are being targeted with malware that can create fake contacts on your device, so calls and texts from threat actors appear under a trustworthy name rather than an unfamiliar number, making you more likely to fall for them.

How the Crocodilus malware works

The Crocodilus malware, first identified by fraud prevention firm Threat Fabric earlier this year, is a device takeover Trojan initially deployed to trick users into giving up crypto wallet seed phrases under the guise of needing to back up their keys. Once downloaded—such as via a malicious ad, smishing campaign, or third-party app—the malware was able to evade Play Protect on Android 13 (and later) and gain access to Accessibility Service, ultimately logging and harvesting typed account credentials. As a result, threat actors could gain control of and empty victims’ crypto wallets.

The latest iteration of the program has evolved to deploy a command that adds contacts to a device locally. If an attacker calls, they’ll appear in caller ID under a seemingly legitimate name, such as “Bank Support,” making targets more likely to answer and trust the contact. As Bleeping Computer reports, the fake contact isn’t connected to your Google account, so it’ll show up only on the compromised device, not any others you’ve logged into.

What Android users need to do

At first, Crocodilus campaigns were limited to a few countries, but the malware has now spread around the world, including to the U.S. To avoid infecting your Android device, stick to Google Play for downloading trusted apps and software, and keep Play Protect active to catch as many threats as possible.

Continue reading