Android Users Vulnerable To Crocodilus Phishing Attacks
- Greg Meyers
- Jun 5
- 2 min read

What is Crocodilus Malware?
Crocodilus is a new strain of Android malware that targets users by creating fake contacts on infected devices. These fake entries are labeled with the names of trusted institutions—such as your bank, employer, or government agencies—but are actually controlled by threat actors.
Why It’s Dangerous:
When attackers call or text, their messages appear under familiar and trustworthy names instead of unknown numbers. This makes users far more likely to trust the communication and fall for phishing schemes.
- Highly deceptive: The fake contact approach bypasses many users’ suspicion.
- Bypasses basic fraud detection by appearing as “known” contacts.
- Targets financial apps: Often focused on stealing banking info or bypassing MFA.
How It Works
Initial Infection:
- Spreads via malicious APKs outside the Google Play Store.
- Often disguised as legitimate or popular applications (e.g., banking, messaging, or support apps).
Fake Contacts Injection:
- Once installed, it adds fake entries to the victim’s contact list, using names of trusted entities like banks, government agencies, or even coworkers.
- These spoofed contacts can initiate calls or messages that appear credible.
Phishing via Calls or Texts:
- Users may receive calls from numbers labeled as “Bank Support” or similar, but the source is the attacker.
- This social engineering trick aims to harvest login credentials, OTPs, or personal info.
Permissions Abuse:
- Requests excessive permissions, including access to SMS, contacts, call logs, and accessibility services.
- May use these to intercept 2FA codes and monitor device activity.
How to Avoid this Scam:
- Avoid sideloading APKs — Only install apps from trusted sources like Google Play.
- Check app permissions — Revoke unnecessary permissions for apps.
- Use mobile security software — Reputable AV apps can detect suspicious behavior.
- Stay vigilant for phishing — Just because a contact looks familiar doesn’t mean it’s legit.
- Keep software updated — Ensure your Android OS and apps are up to date.
- Be skeptical of urgent calls or texts—even from contacts that seem legit.
- Avoid downloading apps from unofficial sources.
- Review your contact list for suspicious or duplicated entries.
- Use a reputable mobile security app to scan your device.
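As an added example (not from the original post), here is a small Python audit a defender could run over adb output to apply two of the checks above: flag third-party apps that were not installed by Google Play (the sideloading vector), and flag contacts that are either duplicated with different numbers or carry institution-like names such as “Bank Support”. The adb commands named in the comments, their exact output layout, and the sample data are assumptions constructed for this example; adjust the regexes to match your device.

```python
import re
from collections import defaultdict

# Constructed sample of `adb shell content query --uri content://com.android.contacts/data
#   --projection display_name:data1 --where "mimetype='vnd.android.cursor.item/phone_v2'"`
# (column layout assumed; the real device output may differ slightly).
SAMPLE_CONTACTS = """\
Row: 0 display_name=Alice Cooper, data1=+1 555 010 1234
Row: 1 display_name=Example Bank Support, data1=+1 555 010 9999
Row: 2 display_name=Example Bank Support, data1=+44 7700 900123
Row: 3 display_name=Tax Office, data1=+1 555 010 5555
"""

# Constructed sample of `adb shell pm list packages -3 -i` (third-party apps + installer).
SAMPLE_PACKAGES = """\
package:com.example.messenger  installer=com.android.vending
package:com.example.fakebank  installer=null
"""

TRUSTED_INSTALLERS = {"com.android.vending"}  # Google Play; add your MDM/OEM store if any
INSTITUTION_RE = re.compile(r"\b(bank|support|tax|government)\b")
ROW_RE = re.compile(r"display_name=(?P<name>.*?), data1=(?P<number>.*)$")

def parse_contacts(text):
    """Map each display name to the set of distinct phone numbers (digits only)."""
    numbers = defaultdict(set)
    for line in text.splitlines():
        m = ROW_RE.search(line)
        if m:
            # Strip spacing/punctuation so '+1 555' and '+1-555' compare equal
            numbers[m.group("name").strip()].add(re.sub(r"\D", "", m.group("number")))
    return numbers

def suspicious_contacts(text):
    """Flag names duplicated with different numbers (a planted entry next to a real one)
    or names that look like a trusted institution; both deserve a manual look."""
    flagged = []
    for name, nums in parse_contacts(text).items():
        dup = len(nums) > 1
        if dup or INSTITUTION_RE.search(name.lower()):
            flagged.append((name, sorted(nums), "duplicate" if dup else "institution-like"))
    return flagged

def sideloaded_packages(text):
    """Third-party packages whose installer is not a trusted store (installer=null = sideloaded)."""
    return [m.group(1) for m in (re.match(r"package:(\S+)\s+installer=(\S+)", l)
                                 for l in text.splitlines())
            if m and m.group(2) not in TRUSTED_INSTALLERS]
```

An institution-like contact is not proof of infection; the point is to surface entries the user did not knowingly create so they can be verified against the organisation’s published number.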
In Conclusion:
Crocodilus is a sophisticated Android malware that uses social engineering to trick users into revealing sensitive information. Its key feature is the ability to inject fake contacts into the victim’s phone, labeling them with names of trusted organizations (like banks or government agencies). This makes calls and texts from attackers appear legitimate.