Security researchers have uncovered a new Android malware, named Rokarolla, that poses a significant threat to mobile banking and cryptocurrency applications. This advanced trojan, documented by Zimperium’s zLabs, targets 217 apps and executes 137 remote commands, granting near-total control over infected devices.
How Rokarolla Operates
Rokarolla reaches devices through malicious websites that imitate popular applications like TikTok and Chrome. Users are first tricked into downloading a dropper disguised as Google Play Protect. The dropper installs the malware's payload and obtains Accessibility Service access, which is what lets it disable security features such as the real Google Play Protect.
Upon activation, Rokarolla employs overlay attacks to deceive users. It fetches fake HTML login pages from its server, which are stored locally. When a user opens a legitimate banking or cryptocurrency app, the malware overlays a counterfeit page to capture sensitive information, including login credentials and card details.
Comprehensive Data Theft
Rokarolla uses several techniques to intercept a wide range of user data. It reads SMS messages and can send them, which allows it to capture one-time passcodes used to authorize transactions. By registering itself as the default messaging app, it can also block incoming calls, preventing users from receiving alerts from their banks.
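The two privileges described above (an enabled Accessibility service and the default SMS role) are both readable from a device's secure settings, so a defender can audit a handset for the combination Rokarolla relies on. The script below is an added example, not Zimperium's code or anything from the report: it parses the output of `adb shell settings get secure enabled_accessibility_services` and `adb shell settings get secure sms_default_application` (real Android `Settings.Secure` keys), compares the packages against an allowlist, and escalates when one package holds both roles. The sample output, the allowlists and the `com.example.playprotect.update` package name are constructed for illustration.

```python
# Audit Android secure settings for the privilege combination an Accessibility-abusing
# banking trojan needs. Added example; sample values below are constructed.

# Constructed sample output of the two adb commands named in the lead-in.
SAMPLE_ACCESSIBILITY = (
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:"
    "com.example.playprotect.update/com.example.playprotect.update.MainService"
)
SAMPLE_DEFAULT_SMS = "com.example.playprotect.update"

# Hypothetical allowlists: packages the device owner expects to hold each privilege.
TRUSTED_ACCESSIBILITY_PACKAGES = {"com.google.android.marvin.talkback"}
TRUSTED_SMS_PACKAGES = {"com.google.android.apps.messaging", "com.android.messaging"}


def parse_accessibility_services(raw: str) -> list[str]:
    """Split the colon-separated 'package/ServiceClass' list into package names.
    An empty setting is reported by adb as '' or 'null'."""
    raw = raw.strip()
    if not raw or raw == "null":
        return []
    return [entry.split("/", 1)[0] for entry in raw.split(":") if entry]


def audit(accessibility_raw: str, default_sms_raw: str) -> list[str]:
    """Return a list of findings, each a short human-readable string."""
    findings = []
    a11y_packages = parse_accessibility_services(accessibility_raw)
    for pkg in a11y_packages:
        if pkg not in TRUSTED_ACCESSIBILITY_PACKAGES:
            findings.append(f"unexpected accessibility service: {pkg}")

    sms_pkg = default_sms_raw.strip()
    if sms_pkg and sms_pkg != "null" and sms_pkg not in TRUSTED_SMS_PACKAGES:
        findings.append(f"unexpected default SMS app: {sms_pkg}")

    # One package holding both roles can read OTPs and drive the UI: highest severity.
    if sms_pkg in a11y_packages and sms_pkg not in TRUSTED_SMS_PACKAGES:
        findings.append(f"HIGH: {sms_pkg} is both an accessibility service and the default SMS app")
    return findings


if __name__ == "__main__":
    for line in audit(SAMPLE_ACCESSIBILITY, SAMPLE_DEFAULT_SMS):
        print(line)
```

On a real device, replace the constructed strings with the live output of the two `adb shell settings get secure` commands; the parsing and allowlist logic is unchanged.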
The malware includes keylogging and screen logging capabilities, recording everything the user types and sees. It also alters the clipboard contents, replacing copied cryptocurrency wallet addresses with those controlled by the attackers, leading to misdirected transfers.
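The clipboard swap described above has a simple detectable signature: the clipboard changes from one wallet address to a different address of the same format without the user having copied anything new. The following is an added example, not code from the report, that runs that check over a constructed log of clipboard events. It assumes a monitoring component that already labels events as `user_copy` (a copy the user performed) or `clipboard_change` (any change observed on the clipboard); both the event format and the sample addresses are invented for illustration, and the address regexes are simplified.

```python
# Detect attacker-style wallet-address replacement in a clipboard event log.
# Added example; event format, labels and sample data are constructed.
import re
from dataclasses import dataclass

# Simplified address formats (sufficient for the check, not full validation).
ADDRESS_PATTERNS = {
    "btc": re.compile(r"^(bc1[a-z0-9]{25,62}|[13][a-km-zA-HJ-NP-Z1-9]{25,34})$"),
    "eth": re.compile(r"^0x[0-9a-fA-F]{40}$"),
}


@dataclass
class ClipEvent:
    ts: float       # seconds since monitoring started
    source: str     # "user_copy" or "clipboard_change" (labels assumed by this example)
    text: str


def address_type(text: str):
    """Return 'btc', 'eth' or None for the given clipboard text."""
    for name, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(text.strip()):
            return name
    return None


def detect_swaps(events):
    """Flag a clipboard change that replaces the user's copied wallet address with a
    different address of the same type, with no new user copy in between."""
    alerts = []
    last_user_copy = None
    for ev in events:
        if ev.source == "user_copy":
            last_user_copy = ev
            continue
        if ev.source == "clipboard_change" and last_user_copy is not None:
            old_type = address_type(last_user_copy.text)
            new_type = address_type(ev.text)
            if old_type and new_type == old_type and ev.text != last_user_copy.text:
                alerts.append((ev.ts, last_user_copy.text, ev.text))
    return alerts


# Constructed sample: an ETH address is copied, then silently replaced 0.3 s later;
# the later "hello world" copy is benign and must not alert.
SAMPLE_EVENTS = [
    ClipEvent(1.0, "user_copy", "0x" + "a1" * 20),
    ClipEvent(1.3, "clipboard_change", "0x" + "b2" * 20),
    ClipEvent(5.0, "user_copy", "hello world"),
    ClipEvent(5.1, "clipboard_change", "hello world"),
]

if __name__ == "__main__":
    for ts, copied, replaced in detect_swaps(SAMPLE_EVENTS):
        print(f"t={ts}: copied {copied} but clipboard now holds {replaced}")
```

The same comparison is what a wallet app can do on its own: keep the address the user copied and refuse to send if the pasted value differs.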
Cloaked Surveillance and Persistence
For surveillance, Rokarolla forgoes traditional methods like MediaProjection to avoid detection. Instead, it captures and compresses screenshots via Accessibility, sending them to its operators discreetly. This method is less conspicuous than live screen casting used by other malware.
Rokarolla’s resilience is bolstered by multiple fallback command-and-control (C2) domains, allowing it to remain operational even if some servers are disabled. Its extensive command set surpasses that of previous malware like the HOOK trojan, underscoring its threat level.
Defensive Measures and Future Outlook
Currently, there is no specific patch to mitigate Rokarolla, as it exploits user behavior rather than software vulnerabilities. Users are advised to install apps solely from trusted sources like Google Play, keep Play Protect active, and scrutinize any request for Accessibility permissions.
Zimperium’s products can detect Rokarolla, and indicators of compromise are available in their GitHub repository. While the malware’s origins remain unidentified, its design clearly aims to bypass standard security measures, highlighting the need for vigilance and robust mobile security practices.
