
Warning Issued As Android Attack Turns Your Contacts Into Hackers

 Published: July 4, 2025  Created: July 4, 2025

By Davey Winder

No sooner has Google published a critical threat advisory warning users of the most prolific campaigns targeting them than a new and highly dangerous cyberattack has emerged, one that creates new Android contacts to deceive victims into thinking everything is safe and secure. Here’s everything you need to know about the latest global Crocodilus malware threat.

How Crocodilus Turns Your Android Phone Contacts Into Hackers

With Android users already under attack from AI-driven threats, as Google has confirmed, and multiple vulnerabilities for the Chrome web browser app on your phone being discovered, users are advised to take security more seriously than ever before. Google is fighting back, of course, automatically turning vulnerable passwords into strong passkeys, and adding in-call security protections. Yet still, the attackers continue to evolve and innovate. The threat actors behind the Crocodilus malware are a good, or should that be evil, example of this.

The Crocodilus Android threat has evolved very quickly in the three months since it was first discovered. In a June 3 report, security researchers at Threat Fabric confirmed not only that the malware campaign is now global, but also that it has gained a sinister new capability: it can turn your contacts into hackers.

Yes, I appreciate this all sounds like something from a David Blaine magic show, but believe me, it’s both very real and very dangerous. Crocodilus was already a nasty bit of work, being able to steal data remotely and efficiently. Now it has started adding fake entries to victim contacts for use in social engineering attacks, so the victim is more likely to trust the call or text message they receive as it comes from, well, someone they have in their contacts.

Once a device is infected with Crocodilus, the attackers just need to send it a single command, and a specified contact will be automatically added to the victim’s contact list. “We believe the intent is to add a phone number under a convincing name such as Bank Support,” the Threat Fabric researchers said, “allowing the attacker to call the victim while appearing legitimate.” This tactic can also make it more likely that fraud protection measures are bypassed, for example if they flag unknown sources.


https://www.forbes.com/sites/daveywinder/2025/06/03/warning-issued-as-android-attack-turns-contacts-into-hackers/