Skip to content

Rokarolla Android Malware Targets 217 Banking and Crypto Apps with Extensive Set of Commands

A new Android banking trojan named Rokarolla has been discovered targeting 217 banking and cryptocurrency applications. The malware uses an extensive set of 137 commands to steal sensitive information from infected devices.

Distribution and Installation Process

The malware is distributed through fake websites that offer the Google Chrome or TikTok app for download. During the installation process, the malicious app acts as a dropper and impersonates Google Play Protect, Android’s built-in anti-malware system. The user is then presented with an option to install Chrome or TikTok, which include the Rokarolla malware.

Capabilities and Evasion Tactics

Rokarolla has an extensive set of capabilities that enable it to steal sensitive information from infected devices. It can steal lock screen credentials, contact lists, and SMS data, as well as use keyloggers to continuously record user input. The malware also relies on overlays to capture the lock-screen PIN/pattern and operate the device even when it is locked.

In addition to data theft, Rokarolla uses overlays to hide its activity and block user interaction by displaying fake installation screens when needed. It also employs evasion tactics such as disabling Google Play Protect, hiding the application icon from the app drawer, silencing audio and vibration, and keeping the screen awake indefinitely.

Communication with Command-and-Control Server

When launched on the device, Rokarolla requests Accessibility service permissions, as well as access to notifications, SMS, and calls. It then communicates with the command-and-control (C2) server by sending a basic device profile containing details such as the phone model, installed Android version, locale, display characteristics, battery level, storage capacity, and available RAM.

Primary Objective and Data-Theft Commands

The primary objective of Rokarolla appears to be the theft of financial information. To achieve this, it checks the infected device against a list of 217 targeted applications and then downloads the phishing payload corresponding to any matching apps. When the victim opens an app on the list, Rokarolla displays a fake login overlay to steal login credentials, credit card information, and other financial data.

Zimperium has made available a GitHub repository with all 137 commands available to Rokarolla. Some of the data-theft commands include extracting contact information and WhatsApp contacts, copying and manipulating the clipboard contents, blocking incoming calls and bank fraud alerts, and periodically taking screenshots and uploading them with timestamps.

Conclusion

Rokarolla is a highly sophisticated Android malware that targets 217 banking and cryptocurrency applications. Its extensive set of capabilities and evasion tactics make it a significant threat to users who download APK files outside the official Google Play repository. Users are advised to exercise caution when granting Accessibility permissions, as they can be abused by Android malware.

**Recommendations:**

* Be cautious when downloading apps from unknown sources.

* Avoid granting Accessibility permissions unless necessary.

* Keep your device and apps up-to-date with the latest security patches.

* Use a reputable antivirus app to scan your device for malware.

**Tags:** Rokarolla, Android malware, banking trojan, cryptocurrency apps, data theft, command-and-control server, evasion tactics, Accessibility permissions

Source: Original article

Leave a Reply

Your email address will not be published. Required fields are marked *