Full Report
The latest version of the 'Crocodilus' Android malware has introduced a new mechanism that adds a fake contact on the infected device's contact list to deceive victims. [...]
Analysis Summary
# Tool/Technique: Crocodilus
## Overview
Crocodilus is an evolving Android malware family that relies heavily on social engineering to make attacker contact with the victim look credible. The latest version adds a fake contact to the infected device so that calls from an attacker-controlled number are displayed under a trusted-sounding name (e.g., "Bank Support") rather than as an unknown number.
## Technical Details
- Type: Malware family
- Platform: Android
- Capabilities: Programmatic creation of local-only contacts (stored on the device, not synced to any account) so that attacker phone numbers resolve to a trusted display name on the incoming-call screen; social engineering built on that spoofed name.
- First Seen: Not stated in the text.
## MITRE ATT&CK Mapping
*Note: The text provides no explicit TTPs, and the Enterprise matrix is a poor fit for Android malware. Using the ATT&CK for Mobile matrix, the described behaviour maps as follows:*
- Command and Control: T1437.001 - Application Layer Protocol: Web Protocols (implied only; the fake contact is created on receipt of a C2 command, and the transport itself is not described).
- Collection: T1636.003 - Protected User Data: Contact List (closest match; the same contacts content provider is involved, although the described behaviour is writing a contact rather than reading the list, and no Mobile technique specifically covers inserting a contact).
- The impersonation itself (a call from an attacker-controlled number shown under a trusted name) is carried out by the attacker's phone call, not by code on the device, and has no dedicated technique ID; record it as procedure detail under the entries above.
## Functionality
### Core Capabilities
- **Fake Contact Creation:** On receiving the command string "TRU9MMRHBCRO" from its operators, the malware inserts a new contact through Android's contacts content provider (ContactsContract, accessed via ContentResolver) rather than through the Contacts app. Any app already holding the WRITE_CONTACTS permission can do this silently; Android shows no per-contact prompt.
- **Caller ID Spoofing:** Android resolves an incoming number against the device's contact store and shows the matching contact name on the call screen. A call from the attacker's number therefore appears as "Bank Support" (or whatever name the command assigned) instead of an unfamiliar number, lending the call the appearance of legitimacy.
### Advanced Features
- **Social Engineering Focus:** The fake contact exists solely to make attacker phone calls look trustworthy, consistent with the family's broader reliance on social engineering over technical exploitation.
- **Local-Only Storage:** The rogue contact is written to the device's local contact store and is not synced with the user's Google account, so it does not appear in Google Contacts on the web or on other devices signed into the same account, where the user might otherwise notice an entry they never created.
## Indicators of Compromise
- File Hashes: [Not provided]
- File Names: [Not provided]
- Registry Keys: [Not applicable for Android contacts manipulation described]
- Network Indicators: [Not provided]
- Behavioral Indicators: Creation of a raw contact with no associated account through the contacts content provider immediately after the 'TRU9MMRHBCRO' command string is received from C2; incoming calls from attacker numbers displayed under trusted-sounding contact names (e.g., "Bank Support") that the user does not remember adding.
## Associated Threat Actors
- None named in the text. ThreatFabric, the entity credited with the findings, is the security vendor that reported the capability, not a threat actor; the text describes Crocodilus only as a malware family.
## Detection Methods
- Signature-based detection: [Not provided]
- Behavioral detection: On-device, monitor for applications inserting contacts through the contacts content provider without user interaction, particularly when the insert follows inbound network traffic (a likely C2 command). During forensic triage, enumerate raw contacts that have no account association (local-only entries) and review any with trusted-sounding names against what the user actually created.
- YARA rules: [Not provided]
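The local-only storage described under Functionality and the triage step under Behavioral detection can be combined into one check. The following script is an added example, not ThreatFabric's or the malware's code: it assumes a device reachable over adb with USB debugging enabled, that `adb shell content query` prints one `Row: N key=value, key=value` line per record, and that the `raw_contacts` table exposes the `account_type`, `account_name`, `display_name` and `deleted` columns (all of which are documented ContactsContract columns). The watchlist of impersonation keywords and the sample output are constructed for illustration.

```python
"""Triage local-only Android contacts for Crocodilus-style fake entries.

Added example, not code from the original page. Assumes adb access and the
`content query` output format "Row: N key=value, key=value".
"""
from __future__ import annotations

import re
import subprocess
from dataclasses import dataclass

# Lists every raw contact with the account it belongs to. Contacts created
# without an account (account_type NULL) live only on the device and are never
# synced to the user's Google account, matching the behaviour described above.
ADB_QUERY = [
    "adb", "shell", "content", "query",
    "--uri", "content://com.android.contacts/raw_contacts",
    "--projection", "_id:account_type:account_name:display_name:deleted",
]

# Names a phishing caller would want on the incoming-call screen.
# Assumed watchlist; extend it per engagement.
SUSPICIOUS_NAME = re.compile(
    r"\b(bank|support|security|fraud|helpdesk|delivery|police|tax|customs|verification)\b",
    re.IGNORECASE,
)

ROW_PREFIX = re.compile(r"^Row: \d+ ")
# key=value pairs separated by ", "; the lookahead lets values contain spaces.
KEY_VALUE = re.compile(r"(\w+)=(.*?)(?=, \w+=|$)")

# Constructed sample of `content query` output; not captured from a real device.
SAMPLE_OUTPUT = """\
Row: 0 _id=1, account_type=com.google, account_name=alice@example.com, display_name=Bob Jones, deleted=0
Row: 1 _id=2, account_type=com.google, account_name=alice@example.com, display_name=Mum, deleted=0
Row: 2 _id=3, account_type=NULL, account_name=NULL, display_name=Bank Support, deleted=0
Row: 3 _id=4, account_type=NULL, account_name=NULL, display_name=Parcel Delivery, deleted=0
Row: 4 _id=5, account_type=com.whatsapp, account_name=WhatsApp, display_name=Carol, deleted=0
Row: 5 _id=6, account_type=NULL, account_name=NULL, display_name=Plumber, deleted=0
"""


@dataclass
class Finding:
    raw_contact_id: int
    display_name: str
    suspicious_name: bool

    @property
    def severity(self) -> str:
        # Every finding is already local-only; a phishing-style name raises it.
        return "high" if self.suspicious_name else "review"


def parse_rows(output: str) -> list[dict[str, str]]:
    """Turn `content query` text into one dict per raw contact."""
    rows = []
    for line in output.splitlines():
        if not ROW_PREFIX.match(line):
            continue  # blank lines or adb chatter
        body = ROW_PREFIX.sub("", line)
        rows.append({key: value for key, value in KEY_VALUE.findall(body)})
    return rows


def triage(output: str) -> list[Finding]:
    """Flag local-only raw contacts, ranking those with impersonation-style names."""
    findings = []
    for row in parse_rows(output):
        if row.get("deleted", "0") != "0":
            continue  # tombstoned rows are not shown on the call screen
        if row.get("account_type", "NULL") not in ("NULL", ""):
            continue  # synced contacts are outside this check's scope
        name = row.get("display_name", "")
        findings.append(Finding(
            raw_contact_id=int(row["_id"]),
            display_name=name,
            suspicious_name=bool(SUSPICIOUS_NAME.search(name)),
        ))
    return findings


def high_severity_names(output: str) -> list[str]:
    """Names of local-only contacts that also match the watchlist."""
    return [f.display_name for f in triage(output) if f.severity == "high"]


if __name__ == "__main__":
    try:
        text = subprocess.run(ADB_QUERY, capture_output=True, text=True, check=True).stdout
    except (FileNotFoundError, subprocess.CalledProcessError):
        text = SAMPLE_OUTPUT  # no device attached: demonstrate on the sample
    for finding in triage(text):
        print(f"[{finding.severity}] raw_contact {finding.raw_contact_id}: {finding.display_name!r}")
```

A local-only contact is a triage signal, not proof of infection: devices without a Google account, or users who chose "Device" as the storage location, legitimately hold such entries ("Plumber" above is reported as "review" for that reason). Confirm a "high" finding by checking which package last wrote the contact (for example from the device's contacts database in a full file-system acquisition) and by asking the user whether they created it.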
## Mitigation Strategies
- **Application Sourcing:** Install software only from the Google Play Store or other trusted publishers.
- **Security Feature Enforcement:** Keep Google Play Protect enabled at all times.
- **Minimization:** Keep the number of installed applications to the necessary minimum.
- **Verification:** Treat a displayed contact name as no evidence of who is calling. If a call arrives under a name such as "Bank Support" that you do not remember adding, hang up and call the organisation back on a number taken from its website or your card.
## Related Tools/Techniques
- General Android malware techniques involving SMS interception or contact list abuse. (No specific related malware families named in the text.)