Валентин Шнайдер
Gadgets
4 June 2025, 18:30
Crocodilus Android virus adds fake contacts to simulate calls from a “bank”
A new variant of the Android Trojan Crocodilus has learned to impersonate trusted callers by adding fake entries to the victim’s contact book. This way, attackers can pose as “bank support” and increase the chances of successful fraud.
As reported by Bleeping Computer, researchers at Threat Fabric have detected an updated version of the Crocodilus mobile Trojan that has become even more insidious. The main innovation is the ability to add new entries to the user’s contact list, which allows attackers to call the victim while posing as “bank support” or another authoritative organization.
According to experts, the new feature is activated by a special command, “TRU9MMRHBCRO”, after which a contact with a specified name and number is created on the infected device. This allows attackers to bypass anti-fraud systems, which usually ignore calls from unknown numbers.
When did the virus appear?
Crocodilus was first detected in March 2025 and has undergone several waves of updates since then. Despite the technical complexity of the implementation, experts emphasize that users can significantly reduce the risk of infection by avoiding third-party app sources and by checking reviews, developer reputation, and the number of downloads, even on Google Play.
In addition, Crocodilus continues to employ a set of classic tactics: overlaying fake windows on top of legitimate applications, keylogging, and abusing Android Accessibility Services. The targets remain bank accounts, cryptocurrency wallets, and personal data.
The Trojan has now spread beyond its original target, Turkey, and is active globally. Attackers are distributing it via fake apps on unofficial websites, social media, and email.
We also recently wrote about how cybercriminals have learned to use abandoned web resources of well-known companies to launch phishing campaigns and distribute malware. Subdomains of Bose, Panasonic, Deloitte, and even the US Centers for Disease Control and Prevention have already fallen victim.