
Android users beware: A dangerous new malware called Crocodilus is adding fake contacts to your phone to make scam calls appear legitimate, potentially emptying your crypto wallets.
Key Takeaways
- Crocodilus malware plants fake contacts in Android phones to make phishing calls appear as trusted sources like “Bank Support”
- The Trojan specifically targets cryptocurrency wallet seed phrases, allowing attackers to drain victims’ digital assets
- The malware abuses Android’s Accessibility Service, which lets it read whatever is on screen and act on the user’s behalf, to defeat security features and harvest login credentials
- Originally appearing in Turkey, Crocodilus has now spread globally, including to the United States
- Users can protect themselves by downloading apps only from Google Play, keeping Play Protect active, and verifying contacts independently
The Deceptive Evolution of Crocodilus
The cybersecurity landscape is becoming increasingly treacherous for Android users as sophisticated malware like Crocodilus continues to evolve with alarming capabilities. First documented by security researchers in March 2025, this Trojan has grown from a regionally focused threat in Turkey into a global menace with enhanced social engineering tactics. Its most concerning new feature lets it create convincing fake contacts on a victim’s phone, so that when the threat actors call to steal sensitive information or cryptocurrency assets, the incoming call appears to come from a known, trusted name.
“This further increases the attacker’s control over the device. We believe the intent is to add a phone number under a convincing name such as ‘Bank Support,’ allowing the attacker to call the victim while appearing legitimate,” according to ThreatFabric, as quoted by BleepingComputer.
The fake contacts added by Crocodilus are written straight into the device’s local contacts store rather than into a Google account, so they never sync: they appear only on the compromised handset and are invisible to anyone reviewing the victim’s contacts from the web or another device. This manipulation creates a false sense of security for users who would otherwise question the legitimacy of calls or messages from unknown numbers. By exploiting our natural tendency to trust recognized contacts, cybercriminals have created an extraordinarily effective method for conducting high-success-rate phishing attacks.
How Crocodilus Attacks Your Device
Crocodilus typically reaches Android devices through malicious advertisements, smishing (SMS phishing) campaigns, or app downloads from outside Google Play. Once installed, the Trojan abuses Android’s Accessibility Service, an API built for assistive apps that can read whatever is on screen and perform taps and text entry on the user’s behalf, to gain extensive control over the device while evading detection. This access allows the malware to log keystrokes, harvest credentials, and even bypass Google Play Protect on Android 13 and later versions. The sophistication of this malware represents a disturbing advancement in attack methodology targeting everyday Americans.
“Upon receiving the command ‘TRU9MMRHBCRO’, Crocodilus adds a specified contact to the victim’s contact list,” according to ThreatFabric, as quoted by BleepingComputer.
Recent updates to Crocodilus have introduced more advanced evasion techniques, including code packing, XOR encryption, and code convolution to hinder reverse engineering efforts by security researchers. The malware now also parses stolen data locally before exfiltration, ensuring higher-quality information theft. These improvements demonstrate how cybercriminals continue to refine their tools while government agencies fail to adequately protect American citizens from such digital threats.
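The two device-side indicators described above, a contact that exists only in the local store with no sync account and an accessibility service the owner never enabled, can both be triaged offline from output captured with adb. The script below is an added example written for this article; it is not ThreatFabric’s tooling, nor anything taken from the malware. The two adb commands in its docstring are real, but the sample outputs, the accessibility allowlist, the package name com.fakeupdate.app and the suspicious-name pattern are all constructed assumptions for illustration.

```python
"""Offline triage of two Crocodilus indicators from captured adb output.

Added example for this article, not ThreatFabric's code and not the malware's.
Nothing here talks to a device: the two strings marked CONSTRUCTED below are
samples in the format these real commands print for a connected handset:

  adb shell content query --uri content://com.android.contacts/raw_contacts \\
      --projection _id:account_type:account_name:display_name
  adb shell settings get secure enabled_accessibility_services
"""
from __future__ import annotations

import re
from typing import Optional

# Hypothetical allowlist of accessibility services the owner expects to be on.
# Any other service holding this permission can read the screen and inject taps.
EXPECTED_ACCESSIBILITY = {
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService",
}

# Names an operator would pick for a planted contact (assumed; extend as needed).
SUSPICIOUS_NAMES = re.compile(r"bank|support|security|fraud|helpdesk|wallet", re.I)

# CONSTRUCTED sample: row 1 mimics a planted "Bank Support" entry with no sync
# account; row 3 is a legitimate device-only contact, to show the check yields
# candidates to verify, not convictions.
RAW_CONTACTS_SAMPLE = """\
Row: 0 _id=1, account_type=com.google, account_name=alice@example.com, display_name=Alice Smith
Row: 1 _id=2, account_type=NULL, account_name=NULL, display_name=Bank Support
Row: 2 _id=3, account_type=com.google, account_name=alice@example.com, display_name=Dentist
Row: 3 _id=4, account_type=NULL, account_name=NULL, display_name=Mom
"""

# CONSTRUCTED sample: TalkBack plus a second, unknown service
# (com.fakeupdate.app is a made-up package name).
ACCESSIBILITY_SAMPLE = (
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService"
    ":com.fakeupdate.app/.SvcAccessibility"
)


def parse_content_rows(text: str) -> list[dict[str, Optional[str]]]:
    """Turn `content query` output ("Row: N k=v, k=v, ...") into dicts; NULL -> None."""
    rows: list[dict[str, Optional[str]]] = []
    for line in text.splitlines():
        m = re.match(r"Row:\s*\d+\s+(.*)$", line)
        if not m:
            continue
        row: dict[str, Optional[str]] = {}
        # Split only on ", " that is followed by another "key=", so a value
        # containing a comma (a display name, say) is not cut in half.
        for field in re.split(r",\s(?=\w+=)", m.group(1)):
            key, _, val = field.partition("=")
            row[key] = None if val == "NULL" else val
        rows.append(row)
    return rows


def device_only_contacts(text: str) -> list[dict[str, Optional[str]]]:
    """Raw contacts bound to no sync account.

    These live only in the handset's local store and never reach the user's
    Google contacts, which is how the article describes the planted entries.
    Some OEM builds file local contacts under a vendor account type instead
    of NULL (Samsung's vnd.sec.contact.phone, for one); add further types
    here if a real dump shows them.
    """
    local_types = {None, "vnd.sec.contact.phone"}
    return [r for r in parse_content_rows(text) if r.get("account_type") in local_types]


def suspicious_contacts(text: str) -> list[str]:
    """Device-only contacts whose name matches the impersonation pattern."""
    return [
        r.get("display_name") or ""
        for r in device_only_contacts(text)
        if SUSPICIOUS_NAMES.search(r.get("display_name") or "")
    ]


def unexpected_accessibility_services(setting: str, expected=EXPECTED_ACCESSIBILITY) -> list[str]:
    """Enabled accessibility services that are not on the allowlist.

    The setting is a colon-separated list of package/class pairs, or the
    literal string "null" when nothing is enabled.
    """
    value = setting.strip()
    if value in ("", "null"):
        return []
    return [svc for svc in value.split(":") if svc and svc not in expected]


if __name__ == "__main__":
    for name in suspicious_contacts(RAW_CONTACTS_SAMPLE):
        print(f"[contact] device-only entry with impersonation-style name: {name!r}")
    for svc in unexpected_accessibility_services(ACCESSIBILITY_SAMPLE):
        print(f"[a11y] unexpected accessibility service enabled: {svc}")
```

Neither check is proof on its own: users create local contacts legitimately, and a keyboard or screen reader may be a perfectly normal accessibility service. Treat a hit as a lead to confirm by calling the supposed contact back on a number obtained independently, and by reviewing the flagged app in Settings before uninstalling it.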
Targeting Cryptocurrency Holders
Crocodilus has a particular focus on cryptocurrency theft, employing specialized social engineering tactics to trick users into revealing their wallet seed phrases. These phrases are essentially the master keys to cryptocurrency wallets, and once obtained, attackers can completely drain victims’ digital assets. The malware displays convincing error messages that prompt users to enter their recovery phrases, which are then transmitted to the criminals. With cryptocurrency adoption growing among conservative investors seeking alternatives to inflation-ravaged traditional currencies, this threat poses significant financial risks.
The threat actors behind Crocodilus have demonstrated remarkable technical sophistication and patience in their approach. Rather than relying on quick, unsophisticated attacks, they’ve invested in developing a comprehensive remote control system for infected devices. This allows them to carefully time their attacks for maximum effectiveness, sometimes lying dormant for extended periods before activating the fake contact feature to initiate their scams. The level of planning involved suggests professional criminal organizations may be behind these operations.
Protecting Yourself From Crocodilus
To safeguard against Crocodilus and similar threats, Android users should implement several defensive measures. First and foremost, only download applications from the official Google Play Store, and even then, carefully review the permissions an app requests before installation; be especially suspicious of any app that asks to be enabled as an accessibility service, since that is the access this malware relies on. Keep Google Play Protect enabled at all times as an additional security layer. Be especially wary of unexpected communications, even those appearing to come from trusted contacts, particularly if they involve financial matters or contain urgent requests.
Independently verify contact information before responding to calls or messages requesting sensitive information. Never download attachments or click links from unsolicited communications, regardless of how legitimate they may appear. Avoid reacting to emotionally charged messages demanding immediate action, as this is a common tactic used by scammers to bypass rational decision-making. As government agencies continue to focus resources on other priorities, individual vigilance remains the most effective defense against these sophisticated cyber threats targeting hardworking Americans.