A newly-spotted Trojan app steals crypto and banking info, but goes one step further to make social engineering attacks easier.
At this point, I get so many spam calls that my blood pressure rises when numbers show up on my phone’s call screen. A new piece of Android malware seems to be designed around that instinctive revulsion, injecting fake contacts into your phone to make spam and scam calls look legitimate. It’s brilliant, in the evil way that only scammers can be.
This is a new variant of the known Crocodilus malware, whose primary function is taking over an Android phone to find and steal crypto wallet information. The new behavior, documented by ThreatFabric, is particularly interesting: the malware creates fake entries in the user's Contacts list. The idea is clever. Instead of an unknown number, the victim sees a name like "Bank Support" when the scammer calls, and because the entry sits in the phone's own address book it looks like something the victim saved themselves. That familiarity is meant to put the target at ease and make them more susceptible to the social engineering attack that follows.
Crocodilus' main functions still appear to be focused on theft of cryptocurrency and banking information, with malicious Facebook ads initially targeting users in Turkey and the operation since expanding to Europe, South America, and the United States. The social engineering aspect looks like an afterthought, but it makes sense. If you already have a Trojan running on someone's phone and have learned that they hold vulnerable bank accounts or crypto wallets, handing their details to a social engineering team is a cheap way to see what else of value can be extracted.
So far, Crocodilus has only been observed on Android, and only delivered through sideloaded installs rather than an official app store. The contact trick is worth noting on its own merits: rather than spoofing caller ID, which carriers and call-screening apps increasingly detect, the attacker plants a contact on the victim's device and then simply calls from that very number. The phone does the rest, resolving the scammer's real number to the trusted-looking name. Spoofing the contact data on the user side, instead of faking caller ID in transit, is a novel means of attack.
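Because the planted entry is just another row in the device's contacts database, it can be triaged from the device side. The following Kotlin snippet is an added example written for this article, not code from the ThreatFabric report or from the malware itself. It makes two assumptions: that a planted contact is stored device-locally (no sync account, or an unrecognized one) rather than under the user's Google or Exchange account, and that the impersonated names follow institution-style patterns such as the "Bank Support" example above. The regex, the trusted account-type list and the `SuspectContact` type are illustrative choices, not anything the report describes.

```kotlin
import android.Manifest
import android.content.Context
import android.content.pm.ApplicationInfo
import android.content.pm.PackageInfo
import android.content.pm.PackageManager
import android.provider.ContactsContract.RawContacts

// Hypothetical triage helper (added example, not Crocodilus or ThreatFabric code).
data class SuspectContact(val rawId: Long, val name: String, val accountType: String?)

// Name patterns are an illustrative assumption; "Bank Support" is the example from the report.
private val SUSPECT_NAME = Regex(
    """\b(bank|support|fraud|security|helpdesk|wallet|exchange)\b""",
    RegexOption.IGNORE_CASE
)

// Sync account types that normally own a user's legitimate contacts (assumption; extend this
// with your fleet's Exchange/MDM account types). Anything else, including null, i.e. a
// device-local contact with no sync account, is worth a look.
private val TRUSTED_ACCOUNT_TYPES = setOf("com.google", "com.google.android.gm.exchange")

// Enumerates raw contacts and flags device-local ones whose display name matches the pattern.
// Needs the READ_CONTACTS runtime permission. Legitimate local contacts also match, so treat
// the result as a shortlist for review, not a verdict.
fun findSuspectContacts(context: Context): List<SuspectContact> {
    val projection = arrayOf(
        RawContacts._ID,
        RawContacts.DISPLAY_NAME_PRIMARY,
        RawContacts.ACCOUNT_TYPE,
        RawContacts.ACCOUNT_NAME,
    )
    val results = mutableListOf<SuspectContact>()
    context.contentResolver.query(
        RawContacts.CONTENT_URI, projection, "${RawContacts.DELETED} = 0", null, null
    )?.use { c ->
        val idIdx = c.getColumnIndexOrThrow(RawContacts._ID)
        val nameIdx = c.getColumnIndexOrThrow(RawContacts.DISPLAY_NAME_PRIMARY)
        val typeIdx = c.getColumnIndexOrThrow(RawContacts.ACCOUNT_TYPE)
        while (c.moveToNext()) {
            val name = c.getString(nameIdx) ?: continue
            val type = c.getString(typeIdx)
            val notTrusted = type == null || type !in TRUSTED_ACCOUNT_TYPES
            if (notTrusted && SUSPECT_NAME.containsMatchIn(name)) {
                results += SuspectContact(c.getLong(idIdx), name, type)
            }
        }
    }
    return results
}

// Android does not record which package wrote a contact, so the complementary question is:
// which user-installed (non-system) apps currently hold WRITE_CONTACTS? On Android 11+ this
// list is limited by package visibility rules unless the caller has QUERY_ALL_PACKAGES.
fun appsThatCanWriteContacts(context: Context): List<String> {
    val pm = context.packageManager
    return pm.getInstalledPackages(PackageManager.GET_PERMISSIONS).mapNotNull { pkg ->
        val perms = pkg.requestedPermissions ?: return@mapNotNull null
        val flags = pkg.requestedPermissionsFlags ?: return@mapNotNull null
        val i = perms.indexOf(Manifest.permission.WRITE_CONTACTS)
        if (i < 0) return@mapNotNull null
        val granted = (flags[i] and PackageInfo.REQUESTED_PERMISSION_GRANTED) != 0
        val isSystem = ((pkg.applicationInfo?.flags ?: 0) and ApplicationInfo.FLAG_SYSTEM) != 0
        if (granted && !isSystem) pkg.packageName else null
    }
}
```

Run `findSuspectContacts` first to see whether anything institution-like lives outside a real sync account, then cross-check `appsThatCanWriteContacts` against what the user remembers installing; a package that was sideloaded, holds `WRITE_CONTACTS`, and appeared around the same time as a new "Bank Support" entry is the combination this article describes.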
