Crocodilus malware adds fake entries to victims' contact lists in new scam campaign

A new Android banking trojan known as Crocodilus is rapidly evolving, adding new features and spreading across Europe, South America and parts of Asia, researchers have found.

The malware’s latest version can insert fake entries into victims’ contact lists, allowing attackers to impersonate trusted sources — such as bank support lines — and trick users into answering fraudulent calls, potentially bypassing fraud prevention systems that flag unknown numbers, Dutch cybersecurity firm ThreatFabric said in a report on Tuesday.

“With newly added features, Crocodilus is now more adept at harvesting sensitive information and evading detection,” researchers added.

The malware is typically distributed through malicious advertisements, primarily on Facebook, researchers said. ThreatFabric found that the ads remained online for only one to two hours, but each was viewed more than 1,000 times, mostly by users over the age of 35, suggesting a focus on financially stable targets.

Victims who clicked the download button were redirected to a malicious website that delivered the Crocodilus dropper, which can bypass the security restrictions for app installations in Android 13 and later versions.

The malware was first identified in March, when it was spotted only in limited test campaigns. Since then, however, Crocodilus has been used in a growing number of attacks, researchers said.

In Poland, it was distributed via Facebook ads mimicking popular banks and shopping apps, while in Turkey it masqueraded as an online casino, overlaying real financial apps with fake login screens. In Spain, it posed as a browser update and targeted nearly all major banks.

Its campaigns have also been observed targeting users in Argentina, Brazil, India, Indonesia and the United States.

ThreatFabric researchers said the malware’s geographic expansion and technical sophistication suggest the involvement of a well-resourced and organized threat actor. They have not yet attributed the malware to a specific cybercrime group.

Banking trojans are common tools among cybercriminals, designed to steal sensitive financial information. Their deployment often leads to unauthorized transactions, account takeovers and significant monetary losses for victims.

Last September, researchers discovered new Android malware used to steal information from bank customers in Central Asia. Known as Ajina Banker, the malware is delivered through malicious files disguised as legitimate financial applications, government service portals or everyday utility tools.

Another banking trojan, known as Chavecloak, has been targeting Brazilian users by stealing their banking credentials, researchers said. The malware is spread through a malicious PDF file, and victims often realize their information has been compromised only after the infection has occurred.

Daryna Antoniuk is a reporter for Recorded Future News based in Ukraine. She writes about cybersecurity startups, cyberattacks in Eastern Europe and the state of the cyberwar between Ukraine and Russia. She previously was a tech reporter for Forbes Ukraine. Her work has also been published at Sifted, The Kyiv Independent and The Kyiv Post.