This devious Android malware adds fake contacts to your phone to spoof trusted callers
That call from "bank support" might end up being a scam, after all

- Crocodilus Android trojan has been updated with new features
- Among them is the ability to add a fake contact and trick people into accepting calls
- The contacts don't sync with Google, experts say
Security researchers have spotted a new Android malware variant called Crocodilus, and what makes it stand out is the ability to add new contacts to the target device’s contacts list.
Crocodilus was first spotted in late March 2025 by security researchers Threat Fabric, when it was described as a “highly capable mobile banking Trojan” using different techniques such as overlay attacks, keylogging, and abuse of Android’s Accessibility Services, to steal sensitive data, access people’s bank accounts, steal cryptocurrency, and more.
Now, the researchers are claiming the Trojan is evolving to bypass classic defense mechanisms and wreak even more havoc. One of the key newly introduced features is the ability to modify the contact list on an infected device.
Bank support
“Upon receiving the command “TRU9MMRHBCRO”, Crocodilus adds a specified contact to the victim’s contact list,” Threat Fabric explained.
The goal of this feature is not only to increase the attacker’s control over the device, but also to make attacks harder to detect.
“We believe the intent is to add a phone number under a convincing name such as “Bank Support”, allowing the attacker to call the victim while appearing legitimate,” the researchers explained. “This could also bypass fraud prevention measures that flag unknown numbers.”
The good news is that the fake contact is stored only on the infected device: it is not synced to the victim’s Google account, so it won’t show up on their other devices.
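A practical consequence of that last point is that a contact planted this way looks different from the victim’s real contacts: it is not bound to any sync account. The following triage script is an added example, not part of the article or of ThreatFabric’s research. It assumes you have ADB access to the device and have dumped the contacts provider with `adb shell content query --uri content://com.android.contacts/raw_contacts --projection _id:display_name:account_type:account_name` and `adb shell content query --uri content://com.android.contacts/data --projection raw_contact_id:mimetype:data1`, then flags local-only contacts whose name reads like an institution rather than a person. The sample rows, the `SUSPICIOUS_WORDS` list and the treatment of `NULL` as “local only” are assumptions made for the example; some OEMs use their own local account type, which you would add to `LOCAL_ACCOUNT_TYPES`.

```python
import re

# Constructed sample output, modelled on the "Row: N key=value, ..." lines that
# `adb shell content query` prints. None of these rows come from a real device.
SAMPLE_RAW_CONTACTS = """\
Row: 0 _id=1, display_name=Alice Example, account_type=com.google, account_name=alice@example.com
Row: 1 _id=2, display_name=Bank Support, account_type=NULL, account_name=NULL
Row: 2 _id=3, display_name=Pizza Place, account_type=NULL, account_name=NULL
Row: 3 _id=4, display_name=Bob, account_type=com.google, account_name=alice@example.com
"""

SAMPLE_PHONE_DATA = """\
Row: 0 raw_contact_id=1, mimetype=vnd.android.cursor.item/phone_v2, data1=+1 555 0100
Row: 1 raw_contact_id=2, mimetype=vnd.android.cursor.item/phone_v2, data1=+44 20 7946 0000
Row: 2 raw_contact_id=3, mimetype=vnd.android.cursor.item/phone_v2, data1=+1 555 0199
"""

ROW_RE = re.compile(r"^Row: \d+ (.*)$")
# key=value pairs separated by ", "; the lookahead lets values contain commas.
FIELD_RE = re.compile(r"(\w+)=(.*?)(?=, \w+=|$)")

# Account types that mean "stored only on this device". NULL is the stock
# Android value; add OEM local account types used in your fleet (assumption).
LOCAL_ACCOUNT_TYPES = {"NULL", ""}

# Names a social-engineering caller would want to appear under (assumption).
SUSPICIOUS_WORDS = ("bank", "support", "security", "fraud", "helpdesk", "police")

PHONE_MIMETYPE = "vnd.android.cursor.item/phone_v2"


def parse_rows(text: str) -> list[dict[str, str]]:
    """Parse `content query` output into one dict of fields per row."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            rows.append(dict(FIELD_RE.findall(m.group(1))))
    return rows


def local_only_contacts(raw_rows: list[dict[str, str]]) -> list[dict[str, str]]:
    """Raw contacts not attached to any sync account, so they never reach Google."""
    return [r for r in raw_rows if r.get("account_type", "NULL") in LOCAL_ACCOUNT_TYPES]


def triage(raw_output: str, data_output: str) -> list[dict]:
    """Join local-only raw contacts with their phone numbers and keep those whose
    display name looks like an institution. Returns one dict per hit."""
    numbers: dict[str, list[str]] = {}
    for d in parse_rows(data_output):
        if d.get("mimetype") == PHONE_MIMETYPE:
            numbers.setdefault(d["raw_contact_id"], []).append(d["data1"])

    hits = []
    for r in local_only_contacts(parse_rows(raw_output)):
        name = r.get("display_name", "")
        if any(w in name.lower() for w in SUSPICIOUS_WORDS):
            hits.append({
                "raw_contact_id": r["_id"],
                "display_name": name,
                "numbers": numbers.get(r["_id"], []),
            })
    return hits


if __name__ == "__main__":
    for hit in triage(SAMPLE_RAW_CONTACTS, SAMPLE_PHONE_DATA):
        print(f"local-only contact {hit['display_name']!r} "
              f"(raw_contact_id={hit['raw_contact_id']}): {hit['numbers']}")
```

On the sample data the script reports only “Bank Support”, since “Pizza Place” is local-only but does not match the name heuristic and the Google-synced entries are skipped. The name filter is a triage aid, not a verdict: every local-only contact the user does not recognise deserves a look, and the numbers it returns are what you would compare against the bank’s published contact details before blocking them.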
Numerous other improvements were introduced in the latest version as well, mostly focused on evading traditional detection mechanisms. The malware also seems to have expanded its target scope, from focusing mostly on Turkey to going global.
Android malware, banking Trojans like Crocodilus included, is usually distributed through fake and third-party app stores, social media channels, and email.
Users are therefore advised to only download Android apps from reputable sources (such as the Google Play Store or Galaxy Store), and to be careful even there: reading the reviews, checking the download count, and checking the developer’s reputation are good ways to spot malware. Since Crocodilus relies on Android’s Accessibility Services, an app with no accessibility purpose that asks for that permission is a red flag.
Via BleepingComputer
Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.