
Sunday, June 8, 2025

[ALERT For Android Phones] "THIS MALWARE ADDS A 'TRUSTED' CONTACT TO YOUR ANDROID PHONE"

 

Reposting IN TOTO from lifehacker.com datelined 06.04.2025 [from Emily Long]:  "THIS MALWARE ADDS A 'TRUSTED' CONTACT TO YOUR ANDROID PHONE".  As scam detection features for calls and texts get more sophisticated, so too do the threats designed to evade such measures. Right now, Android users are being targeted with malware that can create fake contacts on your device, so calls and texts from threat actors appear under a trustworthy name rather than an unfamiliar number, making you more likely to fall for them.  The Crocodilus malware, first identified by fraud prevention firm Threat Fabric earlier this year, is a device takeover Trojan initially deployed to trick users into giving up crypto wallet seed phrases under the guise of needing to back up their keys.

Once downloaded—such as via a malicious ad, smishing campaign, or third-party app—the malware was able to evade Play Protect on Android 13 (and later) and gain access to Accessibility Service, ultimately logging and harvesting typed account credentials. As a result, threat actors could gain control of and empty victims' crypto wallets.  The latest iteration of the program has evolved to deploy a command that adds contacts to a device locally. If an attacker calls, they'll appear in caller ID under a seemingly legitimate name, such as "Bank Support," making targets more likely to answer and trust the contact. As Bleeping Computer reports, the fake contact isn't connected to your Google account, so it'll show up only on the compromised device, not any others you've logged into.

WHAT DO ANDROID USERS need to do?  At first, Crocodilus campaigns were limited to a few countries, but the malware has now spread around the world, including to the U.S. To avoid infecting your Android device, stick to Google Play for downloading trusted apps and software, and keep Play Protect active to catch as many threats as possible.

FAKE CONTACTS.
A notable feature in the latest Crocodilus malware version is the ability to add fake contacts on the victim's device. Doing so would cause the device to display the name listed in a caller's contact profile rather than the caller ID when receiving an incoming call. This could allow the threat actors to impersonate trusted banks, companies, or even friends and family members, making the calls appear more trustworthy.
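Because the fake contact is stored only on the device and not tied to a Google account, one way to review a phone is to list its raw contacts and look at the ones with no sync account. The script below is an added example, not part of the reposted article. It assumes the listing was saved from `adb shell content query --uri content://com.android.contacts/raw_contacts --projection _id:account_type:account_name:display_name`; the sample rows, the local account types and the keyword list are constructed assumptions.

```python
import re

# Row format printed by `content query` for the projection
# _id:account_type:account_name:display_name (display_name is last, so commas
# inside a name cannot break the parse).
ROW = re.compile(r"^Row: \d+ _id=(?P<id>\d+), account_type=(?P<atype>.*?), "
                 r"account_name=(?P<aname>.*?), display_name=(?P<name>.*)$")

# Assumption: account types that mean "stored on this device only".
# AOSP prints NULL; vendor builds use their own strings, extend as needed.
LOCAL_TYPES = {"NULL", ""}

# Assumption: words an impersonating contact name is likely to contain.
LURE = re.compile(r"\b(bank|support|security|fraud|helpdesk)\b", re.I)

def parse_rows(text):
    """Yield one dict per raw_contacts row; unparseable lines are skipped."""
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            yield m.groupdict()

def review_local_contacts(text):
    """Return (id, name, priority) for contacts not tied to a sync account."""
    findings = []
    for row in parse_rows(text):
        if row["atype"] not in LOCAL_TYPES:
            continue  # synced contact, visible on the user's other devices too
        priority = "high" if LURE.search(row["name"]) else "review"
        findings.append((int(row["id"]), row["name"], priority))
    return findings

# Constructed sample output, not taken from a real device.
SAMPLE = """\
Row: 0 _id=1, account_type=com.google, account_name=user@example.com, display_name=Alice Smith
Row: 1 _id=2, account_type=NULL, account_name=NULL, display_name=Bank Support
Row: 2 _id=3, account_type=com.google, account_name=user@example.com, display_name=Bank, Local Branch
Row: 3 _id=4, account_type=NULL, account_name=NULL, display_name=Grandma
"""

if __name__ == "__main__":
    for cid, name, priority in review_local_contacts(SAMPLE):
        print(f"[{priority}] raw_contact {cid}: {name}")
```

A device-only contact is not malicious by itself; the output is a short list for the owner to confirm, with names that look like a bank or support desk listed as high priority.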
Crocodilus can variously manipulate text messages, e.g., set itself as the default SMS manager, send SMS to a specific number or to all contacts (options to send just a single message or large numbers), and acquire SMS contents.  The trojan's text message abilities allow it to be used as Toll Fraud malware; however, it has not been employed in this capacity as of the time of writing. Since this program can send SMSes in bulk, it could be utilized to send spam or even self-proliferate through lures sent in text messages.  Our FIX:  Please run SCAN ASAP on your Android device.
