Rokarolla trojan uses screen overlays to hijack Android financial apps

A new Android banking trojan, known as Rokarolla, has surfaced. It is built to steal credentials and other sensitive financial data from infected devices and targets 217 applications, covering both traditional banking services and cryptocurrency platforms. A command-and-control (C2) server supplies the instructions and the components the trojan needs to carry out its fraud.

The initial infection vector bypasses the official Google Play Store entirely. Phishing websites posing as legitimate download portals lure users into installing what they believe are updates or new versions of popular applications such as Google Chrome or TikTok. Because the package comes from outside the store, the victim has to allow installation from unknown sources, a prompt that is itself a warning sign. Once that initial installer, the dropper, runs, it downloads the secondary payload that carries the actual trojan and starts the attack.

To entrench itself while sidestepping the operating system's safeguards, Rokarolla poses as the Google Play Protect security tool and, under that identity, asks the user to enable it as an Android Accessibility Service. If the user agrees, the trojan can interact with the device's interface on its own, read screen content and grant itself further permissions without any additional user input. A practical check: genuine Google Play Protect is part of Google Play services and never asks to be enabled as an accessibility service, so any app that does so under that name is an impostor.
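Because the accessibility abuse above is the pivot for everything that follows, one triage step worth automating is to list which packages currently hold accessibility privileges and flag any that are not vetted. The script below is an added example for this article, not code from the article or from Google; it assumes the value format Android uses for the `enabled_accessibility_services` secure setting, entries of the form `package/ServiceClass` separated by `:` (a class part beginning with `.` is relative to the package), which is what `adb shell settings get secure enabled_accessibility_services` prints. The allowlist and the sample value are constructed.

```python
"""Triage the Android "enabled_accessibility_services" setting.

Added example for this article; it is not code from the article or from Google.
Assumes the setting's value format: "package/ServiceClass" entries separated
by ':' (a class part starting with '.' is relative to the package).
"""

# Constructed allowlist of packages that legitimately hold accessibility
# privileges on a given fleet (screen readers, MDM agents). Hypothetical.
TRUSTED_PACKAGES = {
    "com.google.android.marvin.talkback",
}

# Fragments an impostor might use to look like Google security tooling or a
# well-known app. Genuine Play Protect ships inside Google Play services and
# never registers an accessibility service.
LURE_WORDS = ("playprotect", "play_protect", "protect", "update", "chrome", "tiktok")


def parse_enabled_services(value: str) -> list:
    """Split the setting value into (package, fully qualified service class) pairs."""
    pairs = []
    for entry in value.strip().split(":"):
        if not entry:
            continue
        pkg, _, cls = entry.partition("/")
        if cls.startswith("."):
            cls = pkg + cls
        pairs.append((pkg, cls))
    return pairs


def assess(value: str) -> list:
    """Return one finding per enabled service; anything off the allowlist is untrusted."""
    findings = []
    for pkg, cls in parse_enabled_services(value):
        name = f"{pkg}/{cls}".lower()
        findings.append({
            "package": pkg,
            "service": cls,
            "trusted": pkg in TRUSTED_PACKAGES,
            "lure_words": [w for w in LURE_WORDS if w in name],
        })
    return findings


def suspicious_packages(value: str) -> list:
    """Packages that hold accessibility privileges without being on the allowlist."""
    return [f["package"] for f in assess(value) if not f["trusted"]]


if __name__ == "__main__":
    # Constructed sample: TalkBack plus a fake "Play Protect" service.
    sample = (
        "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService"
        ":com.playprotect.update/.svc.PlayProtectService"
    )
    for f in assess(sample):
        flag = "OK " if f["trusted"] else "!! "
        print(flag, f["package"], f["service"], f["lure_words"])
```

Feed it the output of the `adb shell settings get secure` command for each device in scope; every package it reports as untrusted should be identified before the device is returned to a user, and a hit on the lure words is a strong hint that the service was installed by a lure of the kind this article describes.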

A malware that manages to overcome

Rokarolla's primary means of extracting confidential data is dynamic screen overlays. The trojan monitors which application is in the foreground; when it detects one of the targeted financial apps, it draws a counterfeit HTML-based interface over it that closely mimics the legitimate app's design. Any PINs, passwords or card details entered into that layer are sent straight to the attackers' servers. The same technique is used to imitate the device's lock screen and capture the user's unlock pattern.

Beyond overlay-based credential theft, Rokarolla has passive monitoring and data-manipulation capabilities. Instead of streaming video continuously, it uses a pseudo-VNC mode that periodically captures screenshots, processes them and extracts the relevant data with timestamps. This keeps bandwidth use and on-device activity low enough to gather critical information without raising suspicion.

Rokarolla can also rewrite the contents of the device's clipboard. This is especially damaging for cryptocurrency transactions: when it detects that a destination wallet address has been copied, it silently replaces it with an address controlled by the criminals before the user pastes it and confirms the transfer. Because the substitute is a syntactically valid address of the same kind, the only reliable defence on the user's side is to compare the pasted address with the one the recipient provided, not just its first and last few characters.
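The clipboard swap described above has a detectable signature: the user copies an address, and the clipboard then changes to a different address of the same kind without a user copy action. The code below is an added example for this article, neither the trojan's code nor any wallet's. It models the clipboard as a stream of change events, each marked as either the user's own copy or a write from some other source; the address patterns are the real syntactic rules for Ethereum (`0x` plus 40 hex digits), Bitcoin legacy (base58, starting with `1` or `3`) and Bitcoin bech32 (`bc1` prefix), while the events and addresses in the demo are constructed. The `ClipEvent`, `ClipboardSwapDetector`, `detect_swaps` and `paste_matches_copy` names are this example's own.

```python
"""Detect clipboard address substitution of the kind described above.

Added example for this article; it is neither the trojan's code nor any wallet's.
Events flagged user_copy=True are the user's own copy actions; everything else is
a write by some other source on the device. Heuristic: if the last user copy was
a cryptocurrency address and a non-user write replaces it with a *different*
address, report a swap. Addresses in the demo are constructed.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Real syntactic rules; they check shape only, not checksums.
ADDRESS_PATTERNS = {
    "eth": re.compile(r"^0x[0-9a-fA-F]{40}$"),
    "btc_legacy": re.compile(r"^[13][1-9A-HJ-NP-Za-km-z]{25,34}$"),
    "btc_bech32": re.compile(r"^bc1[02-9ac-hj-np-z]{25,87}$"),
}


@dataclass
class ClipEvent:
    text: str
    user_copy: bool  # True for the user's own copy action, False for any other write


def classify(text: str) -> Optional[str]:
    """Return the address kind for text that looks like a wallet address, else None."""
    for kind, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(text.strip()):
            return kind
    return None


class ClipboardSwapDetector:
    def __init__(self) -> None:
        self.last_user_copy: Optional[tuple] = None  # (text, kind) of the last address the user copied

    def observe(self, event: ClipEvent) -> Optional[dict]:
        text, kind = event.text.strip(), classify(event.text)
        if event.user_copy:
            # Remember only user copies that are addresses; anything else clears the state.
            self.last_user_copy = (text, kind) if kind else None
            return None
        if self.last_user_copy is None or kind is None:
            return None  # nothing to protect, or the new content is not an address
        original, original_kind = self.last_user_copy
        if text == original:
            return None  # same value written again, e.g. by a clipboard manager
        return {
            "original": original,
            "replacement": text,
            # A same-kind replacement is the classic swap and the hardest to notice.
            "severity": "high" if kind == original_kind else "medium",
        }


def detect_swaps(events: list) -> list:
    """Run the detector over an ordered event list and return the alerts raised."""
    detector = ClipboardSwapDetector()
    return [alert for alert in (detector.observe(e) for e in events) if alert]


def paste_matches_copy(expected: str, clipboard: str) -> bool:
    """Wallet-side check before sending: the pasted address must equal the one the
    user actually copied, compared as a whole string rather than by its ends."""
    return expected.strip() == clipboard.strip()


if __name__ == "__main__":
    # Constructed demo: the user copies an ETH address, something else rewrites it.
    eth_a, eth_b = "0x" + "ab" * 20, "0x" + "cd" * 20
    for alert in detect_swaps([ClipEvent(eth_a, True), ClipEvent(eth_b, False)]):
        print(f"[{alert['severity']}] {alert['original']} -> {alert['replacement']}")
```

On a real device the `user_copy` flag would come from correlating clipboard changes with the user's own copy gestures in the app; a wallet app that cannot observe the rest of the system can at least apply `paste_matches_copy` against the address the user was shown before sending.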
