A new Android banking trojan, dubbed Rokarolla, targets 217 banking and cryptocurrency applications and supports 137 remote commands, giving its operators a wide range of fraud and data-theft capabilities on an infected device.
Distribution and Installation
Rokarolla is distributed mainly through deceptive websites that pose as download sources for popular applications such as Google Chrome and TikTok. The APK served from these sites is a dropper that impersonates Google Play Protect, Android's built-in anti-malware component, and uses that guise to talk the user through installing the trojanized version of the application they wanted.
Once running, Rokarolla asks for Accessibility service access along with permission to read notifications, SMS, and call data. According to a report from mobile security firm Zimperium, this initial permission grab is what the rest of the malware's functionality depends on.
Source: Zimperium
Command-and-Control Communication
After installation, the malware contacts its command-and-control (C2) server and sends a basic device profile: phone model, Android version, locale, display characteristics, battery level, storage capacity, and available RAM. The C2 uses this profile to derive a unique identifier for each victim in the Rokarolla campaign.
Zimperium's analysis indicates that Rokarolla's primary goal is stealing financial information. The malware compares the apps installed on the device against its target list and downloads phishing payloads tailored to each match.
Data Theft Mechanisms
When the victim opens an app from the target list, Rokarolla draws a fake login overlay on top of it to capture credentials and credit card details. The same overlay technique is also used to capture the lock-screen PIN or pattern, which lets the operators keep control of the device even while it is locked.
Advanced Evasion Tactics
Rokarolla uses several evasion techniques: it disables Google Play Protect, hides its icon from the app drawer, silences audio and vibration, and keeps the screen awake indefinitely. Zimperium has published a GitHub repository documenting all 137 commands Rokarolla supports, which include:
- Stealing SMS messages
- Extracting contact information and WhatsApp contacts
- Capturing keystrokes
- Recording on-screen content via UI logging
- Copying and manipulating clipboard contents
- Blocking incoming calls and bank fraud alerts
- Periodically taking screenshots and uploading them with timestamps
Together, these capabilities give Rokarolla's operators near-total control over an infected Android device and everything needed to carry out financial fraud in the victim's name.
Zimperium has confirmed that this malware has not been found on Google Play, the official repository for Android applications. Users should avoid installing APK files from outside Google Play unless they explicitly trust the publisher; because Rokarolla disables Play Protect once it is running, the decision has to be made before installation, not after. Accessibility permissions deserve the same caution: an app with Accessibility access can read and act on other apps' user interfaces and system prompts, which is exactly how Android malware bypasses the platform's standard security measures.
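Both the permission grab described under "Distribution and Installation" and the closing advice about Accessibility access come down to one practical check: which apps on a device hold Accessibility and notification-listener access, and whether any of them is unexpected. The following triage helper is an added example and not code from Zimperium or from the malware. It parses the output of two real adb commands, `adb shell settings get secure enabled_accessibility_services` and `adb shell settings get secure enabled_notification_listeners` (both return a colon-separated list of `package/ServiceClass` component names, or `null`), and flags any component whose package is not on an analyst-supplied allowlist. The sample output, the allowlist, and the lookalike package name `com.playprotect.update` are constructed for this example; nothing here identifies Rokarolla's real package names.

```python
"""Triage helper: flag unexpected Accessibility services and notification
listeners on an Android device, the two grants Rokarolla asks for first.

Added example, not from the Zimperium report. Input is the output of:
  adb shell settings get secure enabled_accessibility_services
  adb shell settings get secure enabled_notification_listeners
Both return a ':'-separated list of ComponentName strings
('package/ServiceClass' or the short form 'package/.ServiceClass').
The sample values below are constructed, not captured from a real device.
"""
import subprocess

# Google Play Protect ships as part of Google Play services / Play Store.
PLAY_PROTECT_PACKAGES = {"com.google.android.gms", "com.android.vending"}

# Constructed sample output. The second entry in each list mimics a dropper
# posing as Play Protect; the package name is hypothetical.
SAMPLE_ACCESSIBILITY = (
    "com.google.android.marvin.talkback/"
    "com.google.android.marvin.talkback.TalkBackService:"
    "com.playprotect.update/.AccService"
)
SAMPLE_NOTIFICATION_LISTENERS = (
    "com.google.android.apps.wearables.maestro.companion/"
    ".NotificationListenerService:"
    "com.playprotect.update/.NotifListener"
)

# Packages the analyst expects to hold these grants on this device.
# An assumption for the example; build it from a known-good device image.
ALLOWLIST = {
    "com.google.android.marvin.talkback",
    "com.google.android.apps.wearables.maestro.companion",
}


def parse_components(setting_value):
    """Split a ':'-separated setting into (package, service_class) tuples.
    Handles 'null' (no entries), blank values, and trailing separators, and
    expands the short '.Class' form to a fully qualified class name."""
    value = (setting_value or "").strip()
    if not value or value == "null":
        return []
    out = []
    for item in value.split(":"):
        item = item.strip()
        if not item:
            continue
        pkg, _, svc = item.partition("/")
        if svc.startswith("."):
            svc = pkg + svc
        out.append((pkg, svc))
    return out


def flag_unexpected(components, allowlist):
    """Return the (package, service_class) tuples not covered by the allowlist."""
    return [c for c in components if c[0] not in allowlist]


def looks_like_play_protect_lookalike(pkg):
    """Any package outside Google's own that leans on 'play'/'protect'
    branding is a lookalike candidate, matching the impersonation the
    report describes."""
    lower = pkg.lower()
    return pkg not in PLAY_PROTECT_PACKAGES and "play" in lower and "protect" in lower


def triage(accessibility_value, listener_value, allowlist=ALLOWLIST):
    """Group every unexpected grant by package, noting lookalike names.
    Returns {package: {"services": [(kind, class), ...], "lookalike": bool}}."""
    findings = {}
    for kind, value in (("accessibility", accessibility_value),
                        ("notification_listener", listener_value)):
        for pkg, svc in flag_unexpected(parse_components(value), allowlist):
            entry = findings.setdefault(
                pkg, {"services": [], "lookalike": looks_like_play_protect_lookalike(pkg)})
            entry["services"].append((kind, svc))
    return findings


def read_setting(name):
    """Pull a secure setting from a connected device over adb.
    Not called in the offline sample run below."""
    return subprocess.run(["adb", "shell", "settings", "get", "secure", name],
                          capture_output=True, text=True, check=True).stdout


if __name__ == "__main__":
    # Offline run on the constructed sample; swap in read_setting(...) for a live device.
    for pkg, info in triage(SAMPLE_ACCESSIBILITY, SAMPLE_NOTIFICATION_LISTENERS).items():
        tag = " (Play Protect lookalike name)" if info["lookalike"] else ""
        print(f"{pkg}{tag}")
        for kind, svc in info["services"]:
            print(f"  {kind}: {svc}")
```

On the constructed sample, the only package reported is `com.playprotect.update`, holding both an Accessibility service and a notification listener, with the lookalike flag set. The SMS and call permissions the malware also requests are not exposed through `settings`; check those per package with `adb shell dumpsys package <pkg>` and review the runtime permission section of its output.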