Particle.news

Crocodilus Android Malware Gains Fake-Contact Trick During Global Expansion

The latest trojan update secretly plants local entries under names like 'Bank Support' to fool users

Overview

  • ThreatFabric first documented Crocodilus in late March, when it was targeting Turkey, and as of June 2025 reports victims across all continents.
  • The malware uses Android’s ContentProvider API to add fake contacts that display trusted names instead of caller IDs during incoming calls.
  • Injected entries remain local and unsynced with Google accounts to evade fraud prevention and appear genuine on infected devices.
  • Crocodilus spreads through malicious apps promoted outside the Play Store—often via social media ads—and employs code packing and XOR encryption to slip past defenses.
  • Security experts urge Android users to stick to official app stores, minimize unnecessary installations and keep Google Play Protect enabled to reduce risk.
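
The local, unsynced contact entries described above can be checked for during device triage. The following is an added example, not code from the article or from Threat Fabric: it parses raw-contact rows exported from a device and flags device-local entries with trusted-sounding names. It assumes the rows were collected with `adb shell content query`, that local contacts show `account_type=NULL` (some vendors use their own local account type), and the keyword list is illustrative.

```python
import re

# Constructed sample, in the shape printed by (assumed collection command):
#   adb shell content query --uri content://com.android.contacts/raw_contacts
#       --projection _id:display_name:account_type:account_name
SAMPLE = """\
Row: 0 _id=1, display_name=Alice Example, account_type=com.google, account_name=user@example.com
Row: 1 _id=2, display_name=Bank Support, account_type=NULL, account_name=NULL
Row: 2 _id=3, display_name=Mum, account_type=NULL, account_name=NULL
Row: 3 _id=4, display_name=Support, Acme Bank, account_type=NULL, account_name=NULL
"""

COLUMNS = ("_id", "display_name", "account_type", "account_name")
# Split only on ", " that is followed by a known column, so commas inside
# a display name do not break the row apart.
FIELD_SEP = re.compile(r", (?=(?:%s)=)" % "|".join(COLUMNS))
ROW = re.compile(r"^Row: \d+ (.*)$")

# Assumption: illustrative lure words; the article only names 'Bank Support'.
KEYWORDS = ("bank", "support", "security", "fraud")


def parse_rows(text):
    """Turn `content query` output into a list of column dicts."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            rows.append(dict(p.split("=", 1) for p in FIELD_SEP.split(m.group(1))))
    return rows


def flag_local_lures(rows, keywords=KEYWORDS):
    """Return (_id, name) for contacts with no sync account and a lure-like name."""
    hits = []
    for r in rows:
        is_local = r.get("account_type") in (None, "", "NULL")
        name = r.get("display_name", "")
        if is_local and any(k in name.lower() for k in keywords):
            hits.append((r["_id"], name))
    return hits


if __name__ == "__main__":
    for cid, name in flag_local_lures(parse_rows(SAMPLE)):
        print(f"review raw_contact {cid}: {name!r} is device-local")
```

A hit is a prompt for review rather than proof of infection, since users also create local contacts themselves.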