    New Rokarolla Android malware targets 217 banking, crypto apps

    By kirklandc008@gmail.com, June 17, 2026

    A new Android banking trojan named Rokarolla is targeting 217 banking and cryptocurrency applications using an extensive set of 137 commands.

    The malware is distributed via malicious websites purporting to provide the Google Chrome or TikTok app, and can take complete administrative control of a compromised device.

    Its capabilities include stealing lock screen credentials, contact lists, and SMS data, as well as using keyloggers to continuously record user input.

    During installation, the malicious app acts as a dropper that impersonates Google Play Protect, Android’s built-in anti-malware system, and offers users the option to install Chrome or TikTok packages that contain the Rokarolla malware.

    When launched on the device, Rokarolla requests Accessibility service permissions, as well as access to notifications, SMS, and calls, researchers at mobile security company Zimperium reveal in a report today.

    [Figure: The installation process. Source: Zimperium]

    Communication with the command-and-control (C2) server begins with sending a basic device profile containing details such as the phone model, installed Android version, locale, display characteristics, battery level, storage capacity, and available RAM.

    According to Zimperium, this information is used to generate a unique identifier for each victim in the Rokarolla campaign.

    Zimperium says the malware’s primary objective appears to be the theft of financial information. To achieve this, it checks the infected device against a list of 217 targeted applications and then downloads the phishing payload corresponding to any matching apps.

    When the victim opens an app on the list, Rokarolla displays a fake login overlay to steal login credentials, credit card information, and other financial data.

    [Figure: Financial data theft process. Source: Zimperium]

    The use of overlays extends beyond data theft, though. The malware also relies on this method to capture the lock-screen PIN/pattern and operate the device even when it is locked.

    Additionally, overlays are used to hide the malware activity and block user interaction by displaying fake installation screens when needed.

    [Figure: PIN overlay (left) and fake installation overlay (right). Source: Zimperium]

    Additional evasion tactics include disabling Google Play Protect, hiding the application icon from the app drawer, silencing audio and vibration, and keeping the screen awake indefinitely.

    Zimperium created a GitHub repository with all 137 commands available to Rokarolla. Some of the data-theft commands include:

    • Steal SMS messages
    • Extract contact information and WhatsApp contacts
    • Capture keystrokes
    • Record on-screen content via UI logging
    • Copy and manipulate the clipboard contents
    • Block incoming calls and bank fraud alerts
    • Periodically take screenshots and upload them with timestamps

    The combination of these capabilities gives Rokarolla operators near-complete administrative control over an infected Android device, enabling them to commit advanced financial fraud.

    Zimperium did not find the malware on Google Play, the official repository for Android apps. Users are advised to avoid downloading APK files from outside Google Play unless they explicitly trust the publisher.

    Furthermore, users should exercise caution when granting Accessibility permissions, as they can be abused to bypass standard Android security protections and obtain elevated capabilities to interact with the user interface or approve system prompts, actions frequently sought by Android malware.
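The two recommendations above (avoid sideloaded APKs, be careful with Accessibility permissions) can be checked together on a device. The following is an added example, not code from Zimperium or the original article: it cross-references the output of two standard adb commands to flag third-party apps that hold an enabled Accessibility service but were not installed by Google Play. The package names and the trusted-installer allowlist are constructed assumptions.

```python
# Added example: flag sideloaded apps that own an enabled Accessibility service.
# Inputs are the text output of two commands run against the device:
#   adb shell settings get secure enabled_accessibility_services
#   adb shell pm list packages -3 -i      (-3 = third-party apps only)
# The sample strings below are constructed, not captured from a real device.

# Assumption: only Google Play counts as a trusted installer; extend per policy.
TRUSTED_INSTALLERS = {"com.android.vending"}

SAMPLE_A11Y = (
    "com.google.android.marvin.talkback/"
    "com.google.android.marvin.talkback.TalkBackService:"
    "com.example.updater/com.example.updater.HelperService"
)
SAMPLE_PM = """package:com.example.notes  installer=com.android.vending
package:com.example.updater  installer=null
package:com.example.game  installer=com.google.android.packageinstaller
"""

def parse_accessibility(raw):
    """Return the packages that own an enabled accessibility service."""
    raw = raw.strip()
    if not raw or raw == "null":          # setting unset: nothing enabled
        return set()
    # Entries are colon-separated component names: <package>/<service class>
    return {comp.split("/", 1)[0] for comp in raw.split(":") if comp}

def parse_installers(raw):
    """Map package -> installer from `pm list packages -3 -i` lines."""
    installers = {}
    for line in raw.splitlines():
        line = line.strip()
        if not line.startswith("package:"):
            continue
        pkg, _, installer = line[len("package:"):].partition("installer=")
        installers[pkg.strip()] = installer.strip() or "null"
    return installers

def risky_packages(a11y_raw, pm_raw):
    """Third-party apps with Accessibility enabled and an untrusted installer."""
    enabled = parse_accessibility(a11y_raw)
    installers = parse_installers(pm_raw)
    # Packages absent from the -3 listing are preinstalled and skipped here.
    return sorted(p for p in enabled
                  if p in installers and installers[p] not in TRUSTED_INSTALLERS)

if __name__ == "__main__":
    for pkg in risky_packages(SAMPLE_A11Y, SAMPLE_PM):
        print("review:", pkg)
```

A hit is a prompt for review rather than proof of infection, since legitimate sideloaded tools can also request Accessibility access.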
