
These days, spam calls are such a constant nuisance that many of us instinctively flinch when an unknown number flashes across our phones. But a new Android malware strain is turning that stress response into a security liability. The latest variant of the Crocodilus malware has been observed using a particularly devious tactic: injecting fake entries into a phone’s contact list to make scam calls appear trustworthy. Rather than showing up as suspicious unknown numbers, these calls can now be masked under misleading labels like “Bank Support” or “Crypto Help Desk,” increasing the odds that victims might pick up—and let their guard down.
This new trick was uncovered by security researchers at ThreatFabric and reported by BleepingComputer, building on the previously known functions of Crocodilus. At its core, the malware is designed to compromise Android devices in order to steal cryptocurrency and banking credentials, often after being distributed through malicious Facebook ads. While Turkey remains a primary target, the malware’s reach has been expanding, now affecting users across Europe, South America, and the United States. The fake contact injection is a relatively new evolution of its behavior, but one that suggests a growing focus on psychological manipulation as a means to extract sensitive information from already-compromised devices.
The cleverness—evil as it is—comes from shifting away from the traditional scam model. Instead of relying solely on spoofed caller ID data, Crocodilus alters what you see in your own Contacts app, giving the scam call an illusion of legitimacy that could bypass your usual skepticism. It’s a subtle shift, but one that could make social engineering tactics significantly more effective. Once the malware is installed and identifies vulnerable financial data on a target’s phone, it likely hands off control to a scam team that uses this personal information to try to extract more—be it crypto, logins, or additional access. It’s organized digital crime, and it’s getting more manipulative.
So far, Crocodilus infections have only been observed through sideloaded Android apps—meaning they come from outside the Google Play Store, often disguised as legitimate software in online ads. But this approach of contact manipulation could easily extend beyond Android phones. Think fake contacts in your Gmail account to aid in phishing emails, or manipulated Outlook entries that lend false credibility to a message. The takeaway here is universal: avoid downloading apps from shady ads or unknown sources, and stay wary—even when a call or message looks familiar. Because in this case, that’s exactly what the malware is counting on.