In a nutshell: Spam phone calls from scammers are, unfortunately, still common despite efforts from Apple and Google to block them. As Android malware developers become increasingly sophisticated, a recent security report describes a strain built specifically to counteract anti-spam call protections.

Security researchers from ThreatFabric recently outlined a new form of malware targeting banking information on Android phones. Although the hacking campaign's objective isn't unusual, the report describes some innovative tactics.

The malware, labeled Crocodilus, impersonates banking and cryptocurrency apps from numerous countries to steal users' credentials and access their accounts. In one instance, hackers briefly spread malicious app downloads through Facebook ads in Poland. Crocodilus was also found disguised as an online casino targeting Turkish users and as a browser update for Spanish users. It can target users of almost any Spanish banking app and has also been detected in Argentina, Brazil, the US, Indonesia, and India.

Once installed, the malware begins monitoring banking apps and can bypass security measures in Android 13 and later. When users launch a legitimate app, Crocodilus can display a fraudulent login overlay. Following a recent update, it can also attempt to appear legitimate by adding a fake contact to a user's phone.

Since scam calls have been common for years, many users have likely learned to ignore calls from unfamiliar numbers, and built-in security measures often warn users when receiving suspicious calls. Crocodilus works around both by saving the attacker's number as a contact under a name such as "Bank Support," so a follow-up call appears to come from a known, trusted contact rather than an unfamiliar number, which sidesteps the fraud warnings.
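One way a defender can audit a phone's address book for this trick, as an added example that is not part of ThreatFabric's report or the article: flag contacts whose name reads like an institution's support line but whose number is not one the institution publishes. The contact records, the "published numbers" allowlist and the idea that a malware-written contact lands in a device-only (unsynced) account are all constructed assumptions for illustration.

```python
"""Audit an exported contact list for fake "bank support" entries.

Added example, not code from ThreatFabric or the article. Assumptions:
- the export gives each contact's name, number and the account it belongs to;
- the defender keeps an allowlist of numbers each institution publishes;
- a contact that lives only on the device (no sync account) is less trustworthy.
All sample data below is constructed.
"""
import re
from dataclasses import dataclass

# Names that try to look like an institution's helpline.
SUPPORT_WORDS = re.compile(
    r"\b(bank|support|fraud|security|helpdesk|customer\s*service)\b", re.I
)

# Constructed allowlist: numbers an institution publishes on its own site.
OFFICIAL_NUMBERS = {
    "Example Bank": {"+48 800 111 222"},
}


@dataclass
class Contact:
    name: str
    number: str
    account: str  # e.g. "com.google" when synced, "local" when device-only


def normalize_number(raw: str) -> str:
    """Reduce a dialling string to digits with an optional leading '+'.

    '00' international prefix is rewritten to '+', so '0048 800-111-222'
    and '+48 800 111 222' compare equal.
    """
    digits = re.sub(r"[^\d+]", "", raw)
    if digits.startswith("00"):
        digits = "+" + digits[2:]
    return digits


def flag_suspicious(contacts, official=OFFICIAL_NUMBERS):
    """Return (name, normalized number, reasons) for each suspicious contact.

    A contact is examined only if its name looks like a support line; it is
    flagged when the number is not on the published list and/or the contact
    is device-only. A support-named contact with a published number in a
    synced account is considered legitimate and is not reported.
    """
    allow = {normalize_number(n) for nums in official.values() for n in nums}
    findings = []
    for c in contacts:
        if not SUPPORT_WORDS.search(c.name):
            continue
        num = normalize_number(c.number)
        reasons = []
        if num not in allow:
            reasons.append("number not among the institution's published numbers")
        if c.account == "local":
            reasons.append("device-only contact, not from a synced account")
        if reasons:
            findings.append((c.name, num, reasons))
    return findings


# Constructed sample export: one genuine entry, one planted entry, one
# lookalike that reuses the real number, and an unrelated personal contact.
SAMPLE_CONTACTS = [
    Contact("Example Bank", "+48 800 111 222", "com.google"),
    Contact("Bank Support", "+48 600 123 456", "local"),
    Contact("Fraud Department", "0048 800-111-222", "local"),
    Contact("Mom", "+48 501 000 000", "com.google"),
]

if __name__ == "__main__":
    for name, num, reasons in flag_suspicious(SAMPLE_CONTACTS):
        print(f"{name!r} {num}: " + "; ".join(reasons))
```

The number normalization matters: the lookalike entry above reuses the bank's real number written with a `00` prefix and dashes, and would slip past a naive string comparison against the allowlist.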

Crocodilus also uses multiple obfuscation techniques to avoid detection and analysis. It uses code packing for the dropper and payload, applies an additional XOR encryption layer, and resists reverse engineering with deliberately convoluted code.
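To show what an analyst does with a payload hidden behind a simple XOR layer, here is an added example that is not code from ThreatFabric or the article, and does not reproduce Crocodilus' actual scheme. It assumes the protected payload is a DEX file with a repeating XOR key of at most eight bytes; the fixed DEX header fields (the `dex\n035\0` magic, `header_size`, `endian_tag` and the Adler-32 checksum) serve as known plaintext to recover and confirm the key. The packed sample is constructed inside the script.

```python
"""Recover a repeating-key XOR layer over a DEX payload using known plaintext.

Added example, not ThreatFabric's or Crocodilus' code. Assumptions:
- the decoded payload is a standard DEX file;
- the XOR key repeats with a period of at most MAX_KEY_LEN bytes.
Every DEX file starts with a fixed 8-byte magic, so XORing the first 8 packed
bytes with that magic yields the first 8 bytes of the key stream; the shortest
period reproducing that stream is the key candidate, confirmed against other
fixed header fields and the header checksum.
"""
import zlib
from itertools import cycle

DEX_MAGIC = b"dex\n035\x00"   # magic of DEX version 035
DEX_HEADER_SIZE = 0x70          # header_size field is always 0x70
DEX_ENDIAN_TAG = 0x12345678     # endian_tag for little-endian files
MAX_KEY_LEN = len(DEX_MAGIC)    # known plaintext bounds the recoverable period


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR data with key repeated as needed."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def looks_like_dex(data: bytes) -> bool:
    """Validate the fixed header fields and the Adler-32 over bytes 12..end."""
    if len(data) < DEX_HEADER_SIZE or data[:8] != DEX_MAGIC:
        return False
    checksum = int.from_bytes(data[8:12], "little")
    file_size = int.from_bytes(data[0x20:0x24], "little")
    header_size = int.from_bytes(data[0x24:0x28], "little")
    endian_tag = int.from_bytes(data[0x28:0x2C], "little")
    return (
        file_size == len(data)
        and header_size == DEX_HEADER_SIZE
        and endian_tag == DEX_ENDIAN_TAG
        and (zlib.adler32(data[12:]) & 0xFFFFFFFF) == checksum
    )


def recover_xor_key(blob: bytes, max_key_len: int = MAX_KEY_LEN):
    """Return (key, decoded payload), or None if no short repeating key fits."""
    stream = xor_bytes(blob[: len(DEX_MAGIC)], DEX_MAGIC)
    for period in range(1, min(max_key_len, len(stream)) + 1):
        candidate = stream[:period]
        # The key stream must be the candidate repeated; only then try decoding.
        if stream != (candidate * len(stream))[: len(stream)]:
            continue
        decoded = xor_bytes(blob, candidate)
        if looks_like_dex(decoded):
            return candidate, decoded
    return None


def build_sample_dex(body: bytes) -> bytes:
    """Construct a minimal DEX-shaped file with a correct header checksum.

    Constructed test data: the body is arbitrary bytes, not real bytecode.
    """
    header = bytearray(DEX_HEADER_SIZE)
    header[:8] = DEX_MAGIC
    header[0x20:0x24] = (DEX_HEADER_SIZE + len(body)).to_bytes(4, "little")
    header[0x24:0x28] = DEX_HEADER_SIZE.to_bytes(4, "little")
    header[0x28:0x2C] = DEX_ENDIAN_TAG.to_bytes(4, "little")
    data = bytes(header) + body
    checksum = zlib.adler32(data[12:]) & 0xFFFFFFFF
    return data[:8] + checksum.to_bytes(4, "little") + data[12:]


# Constructed packed sample: a fake DEX XORed with a 3-byte key.
SAMPLE_KEY = b"\x5a\xc3\x9e"
SAMPLE_PLAIN = build_sample_dex(b"constructed payload body, not real bytecode")
SAMPLE_PACKED = xor_bytes(SAMPLE_PLAIN, SAMPLE_KEY)

if __name__ == "__main__":
    result = recover_xor_key(SAMPLE_PACKED)
    if result is None:
        print("no short repeating XOR key fits a DEX header")
    else:
        key, payload = result
        print(f"key {key.hex()} recovered; payload magic {payload[:8]!r}")
```

The header validation is what keeps the search honest: a period equal to the magic length always reproduces the first eight key-stream bytes, so without the `file_size`/`header_size`/`endian_tag` and checksum check the function would report a "key" for any input. Keys longer than the known plaintext would need a second known region (for instance the fixed fields at offset 0x24) to recover.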

Users should always be wary of calls from numbers they don't recognize and ensure that they are entering login details into the correct app or on the right website URL. Manually navigating to websites or apps instead of following links can help avoid phishing attacks.

However, hackers have devised numerous ingenious ways to sneak malware into Android phones. Fraudulent apps that look and function like legitimate software while stealing data often lurk on the Google Play Store, and cheap or counterfeit devices can contain malware that was installed before they reached store shelves. Last year, researchers sounded the alarm on malware called "FakeCall" that intercepts and redirects calls users make to financial institutions. Hackers may begin exploiting contact lists as a new attack vector.