TechRadar
Sead Fadilpašić

This devious Android malware adds fake contacts to your phone to spoof trusted callers

  • Crocodilus Android trojan has been updated with new features
  • Among them is the ability to add a fake contact and trick people into accepting calls
  • The contacts don't sync with Google, experts say

Security researchers have spotted a new Android malware variant called Crocodilus, and what makes it stand out is the ability to add new contacts to the target device’s contacts list.

Crocodilus was first spotted in late March 2025 by security researchers Threat Fabric, who described it as a “highly capable mobile banking Trojan” that uses techniques such as overlay attacks, keylogging, and abuse of Android’s Accessibility Services to steal sensitive data, access people’s bank accounts, steal cryptocurrency, and more.

Now, the researchers are claiming the Trojan is evolving to bypass classic defense mechanisms and wreak even more havoc. One of the key newly introduced features is the ability to modify the contact list on an infected device.

Bank support

“Upon receiving the command “TRU9MMRHBCRO”, Crocodilus adds a specified contact to the victim’s contact list,” Threat Fabric explained.

The goal of this feature is not only to increase the attacker’s control over the device, but also to make attacks harder to detect.

“We believe the intent is to add a phone number under a convincing name such as “Bank Support”, allowing the attacker to call the victim while appearing legitimate,” the researchers explained. “This could also bypass fraud prevention measures that flag unknown numbers.”

The good news is that the fake contact will not make it into people’s Google accounts, so it won’t show up on other devices.
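The detail that the planted contact stays on the device and never syncs to the victim’s Google account gives defenders a cheap triage signal. The script below is an added example (not code from TechRadar, Threat Fabric or the malware) that flags contacts which belong to no sync account and whose display name imitates a bank or support line. The rows are constructed to mirror the columns of Android’s RawContacts table; the list of device-local account types and the way the rows are exported (for instance from a forensic copy of the contacts database) are assumptions, and a user-created local contact named “Bank Support” would be flagged too, so the output is a review list rather than a verdict.

```python
"""Flag locally stored Android contacts that look like planted 'trusted caller' entries.

Added example: the article notes that the contact Crocodilus plants stays on the
device and does not sync to the victim's Google account. Contacts that belong to
no sync account and whose name imitates a bank or support line therefore deserve
a second look. Sample rows below are constructed, not real device data.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Account types that mean "stored only on this device" (assumed list; vendors
# use their own identifiers, so extend it for the handsets you examine).
LOCAL_ACCOUNT_TYPES = {None, "", "com.android.localphone", "vnd.sec.contact.phone"}

# Names chosen to make the victim answer the call.
TRUSTED_NAME_PATTERN = re.compile(
    r"\b(bank|support|fraud|security|helpdesk|customer service)\b", re.IGNORECASE
)


@dataclass
class RawContact:
    """Subset of the columns found in Android's RawContacts table."""
    contact_id: int
    display_name: str
    account_type: Optional[str]
    account_name: Optional[str]
    phone: str


def is_local_only(contact: RawContact) -> bool:
    """True when the contact is not attached to any sync account."""
    return contact.account_type in LOCAL_ACCOUNT_TYPES


def has_trusted_looking_name(contact: RawContact) -> bool:
    """True when the display name imitates a bank, support or fraud line."""
    return TRUSTED_NAME_PATTERN.search(contact.display_name) is not None


def find_planted_candidates(contacts: List[RawContact]) -> List[RawContact]:
    """Return contacts that are both local-only and named like a trusted caller.

    A synced 'Bank Support' entry is not flagged: it was created through an
    account, which is not the behaviour the researchers describe for Crocodilus.
    """
    return [c for c in contacts if is_local_only(c) and has_trusted_looking_name(c)]


# Constructed sample rows (hypothetical numbers and account names).
SAMPLE_CONTACTS = [
    RawContact(1, "Mom", None, None, "+1 555 0100"),
    RawContact(2, "Bank Support", None, None, "+1 555 0199"),
    RawContact(3, "Bank Support", "com.google", "victim@example.com", "+1 555 0150"),
    RawContact(4, "Fraud Department", "vnd.sec.contact.phone", "Phone", "+1 555 0177"),
]


if __name__ == "__main__":
    for c in find_planted_candidates(SAMPLE_CONTACTS):
        print(f"review contact {c.contact_id}: '{c.display_name}' {c.phone} (no sync account)")
```

On the constructed sample the script reports contacts 2 and 4: both are stored only on the device and carry a name a caller would use to sound legitimate, while the synced “Bank Support” entry and the local “Mom” entry are left alone.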

Numerous other improvements were introduced in the latest version, as well, which are mostly focused on evading traditional detection mechanisms. Furthermore, the malware now seems to have expanded its target scope, from focusing mostly on Turkey, to going global.

Android malware and Trojans are usually distributed through fake and third-party app stores, social media channels, and email.

Therefore, users are advised to only download Android apps from reputable sources (such as the Google Play Store or Galaxy Store), and to be careful even there. Reading through the reviews, minding the download count, and checking the developer’s reputation are good ways to spot malware.

Via BleepingComputer
