New Rokarolla Android Trojan Targets 217 Banking and Crypto Apps

Zimperium’s zLabs researchers have unveiled a thorough analysis of Rokarolla, a newly identified Android banking trojan that has gained notoriety for its sophisticated methods of operation. This malware, named after its command-and-control infrastructure, is particularly alarming as it targets a staggering 217 distinct banking and cryptocurrency applications. Its distribution primarily occurs through malicious websites that masquerade as popular platforms, such as TikTok and Google Chrome. One notable distribution point has been identified at hxxps://infocontablidades[.]it[.]com/.

The initial stage of the attack involves a dropper that cleverly disguises itself as Google Play Protect, a tactic designed to evade suspicion from potential victims. Once installed, the dropper’s primary objective is to facilitate the installation of a second-stage payload and secure Accessibility Services access. With this access, the malware can simulate user interactions, manipulate on-screen elements, and execute automated actions without any direct input from the user.

As detailed in the report, “This highly invasive malware is specifically designed to target and compromise 217 distinct cryptocurrency and banking applications.” The trojan employs a dynamic approach to its target list, pulling information from its command-and-control server. For each flagged application, it downloads a counterfeit HTML login page, storing it in a local SQLite database. When a victim attempts to access a legitimate app, Rokarolla overlays the fake page, capturing every credential entered, including sensitive card information.

Moreover, the malware extends its reach by deploying a fraudulent PIN entry screen that mimics the legitimate Android lock screen interface. Any credentials entered are swiftly transmitted to the attackers’ infrastructure for further exploitation. This capability allows the operator to interact with the device even when the owner is not actively using it, significantly enhancing the trojan’s effectiveness.

SMS handling is another critical aspect of Rokarolla’s functionality. The malware can read all messages on the device and send messages on behalf of the victim, enabling it to intercept one-time codes sent by banks for login and transaction approvals. Additionally, it requests default call handler status, allowing it to block incoming calls silently. A warning call from a fraud detection team may therefore never reach the victim; the malware also mutes all device audio and vibration while it operates, masking any remaining alerts.

In a further display of its stealth, the malware rewrites the clipboard silently. For instance, if a user copies a cryptocurrency wallet address, Rokarolla can replace it with an address controlled by the attacker, all without the user’s knowledge. The trojan operates a keylogger and screen content logger simultaneously, capturing everything typed and displayed on the screen. It even scrapes WhatsApp contact data by parsing on-screen UI elements.

To avoid detection, Rokarolla employs a unique surveillance mechanism that bypasses the MediaProjection API, which would typically alert users to screen recording. Instead, it captures screenshots of the victim’s device discreetly, compressing them into PNG format for exfiltration along with precise timestamps.

The command-and-control infrastructure is designed with resilience in mind, featuring multiple hardcoded fallback domains. This ensures that even if one server is taken down, operations can continue uninterrupted. The domains observed in traffic analysis include beralisvc.info, blestorians.cfd, abiorime.cfd, and morevoms.cfd, with hxxps://beralisvc[.]info confirmed as active during the analysis.

Experts emphasize that no product flaw is exploited by Rokarolla, meaning there are no patches to apply. The best defenses against this malware remain standard practices: installing apps solely from Google Play, refraining from granting Accessibility Services to unknown applications, and treating any app requesting to become the default SMS or call handler with suspicion. Zimperium’s Mobile Threat Defense and zDefend products are capable of detecting Rokarolla, and a comprehensive list of indicators of compromise, including APK hashes, is available on the company’s GitHub repository.
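The three recommendations above can be turned into a routine device check. The following script is an added example, not code from the report or from Zimperium: it parses the output of three standard `adb shell` queries (enabled Accessibility Services, the holders of the SMS and DIALER roles, and each package's installer) and flags any package holding one of those privileges that was not installed through Google Play. The sample outputs embedded below are constructed, and the package name `com.example.fakeprotect` is a placeholder, not a real indicator.

```python
import re
import subprocess

PLAY_STORE = "com.android.vending"  # installer package name of Google Play

# Constructed sample output of the three adb queries (not captured from a real device).
SAMPLE_ACCESSIBILITY = "com.android.talkback/.TalkBackService:com.example.fakeprotect/.A11yService"
SAMPLE_ROLES = {"android.app.role.SMS": "[com.example.fakeprotect]",
                "android.app.role.DIALER": "[com.google.android.dialer]"}
SAMPLE_PACKAGES = """package:com.android.talkback  installer=com.android.vending
package:com.google.android.dialer  installer=com.android.vending
package:com.example.fakeprotect  installer=null
"""

def parse_installers(pm_output):
    """Map package name -> installer from `pm list packages -i` output ('null' = sideloaded)."""
    installers = {}
    for line in pm_output.splitlines():
        m = re.match(r"package:(\S+)\s+installer=(\S+)", line)
        if m:
            installers[m.group(1)] = m.group(2)
    return installers

def accessibility_packages(settings_output):
    """Package names from `settings get secure enabled_accessibility_services` (pkg/service:...)."""
    value = settings_output.strip()
    if value in ("", "null"):
        return []
    return [entry.split("/")[0] for entry in value.split(":") if entry]

def role_holders(role_output):
    """Package names from `cmd role get-role-holders <role>`; assumed format '[a, b]'."""
    return [p.strip() for p in role_output.strip().strip("[]").split(",") if p.strip()]

def audit(settings_output, roles, pm_output):
    """Return (privilege, package, installer) for sensitive privileges held by non-Play packages."""
    installers = parse_installers(pm_output)
    findings = []
    for pkg in accessibility_packages(settings_output):
        if installers.get(pkg) != PLAY_STORE:
            findings.append(("accessibility", pkg, installers.get(pkg, "unknown")))
    for role, output in roles.items():
        for pkg in role_holders(output):
            if installers.get(pkg) != PLAY_STORE:
                findings.append((role, pkg, installers.get(pkg, "unknown")))
    return findings

def adb(*args):
    """Run one `adb shell` command on a connected device (needs adb and USB debugging)."""
    return subprocess.run(["adb", "shell", *args], capture_output=True, text=True, check=True).stdout

if __name__ == "__main__":
    # For a live device, replace the SAMPLE_* values with, e.g.,
    # adb("settings", "get", "secure", "enabled_accessibility_services").
    for finding in audit(SAMPLE_ACCESSIBILITY, SAMPLE_ROLES, SAMPLE_PACKAGES):
        print("SUSPICIOUS: %s held by %s (installer=%s)" % finding)
```

A hit does not prove infection, but an unknown sideloaded package holding accessibility or the SMS/call-handler role matches exactly the privilege set the report describes and is worth removing.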

The report concludes with a stark reminder of the malware’s capabilities: “The malware demonstrates strong stealth, evasion, and persistence techniques designed to avoid detection and prevent user-initiated removal.”
