Overview

• Threat Fabric first documented Crocodilus in late March targeting Turkey and now reports victims across all continents as of June 2025.
• The malware uses Android’s ContentProvider API to add fake contacts that display trusted names instead of caller IDs during incoming calls.
• Injected entries remain local and unsynced with Google accounts to evade fraud prevention and appear genuine on infected devices.
• Crocodilus spreads through malicious apps promoted outside the Play Store—often via social media ads—and employs code packing and XOR encryption to slip past defenses.
• Security experts urge Android users to stick to official app stores, minimize unnecessary installations and keep Google Play Protect enabled to reduce risk.