Mobile security firm Zimperium is warning Android users about Rokarolla, a new banking trojan capable of targeting more than 200 cryptocurrency and bank applications.
The malware has been distributed via malicious websites that serve it disguised as popular apps such as Chrome and TikTok. These applications deliver the main payload by impersonating Google Play Protect.
Once it has infected a device, Rokarolla requests a wide range of permissions and can even collect an Android phone’s lockscreen credentials (PIN, pattern, or password), enabling device takeover and the theft of sensitive data even when the phone is locked.
According to Zimperium, the trojan can steal data from 217 banking and cryptocurrency applications, leveraging screen overlays to phish credentials for these apps.
The malware can also harvest WhatsApp contact information by abusing Accessibility Services to capture the structure of the active screen, and it can exfiltrate SMS messages and hijack calls.
Rokarolla further includes keylogger capabilities that let it capture everything the victim types, and it can manipulate the clipboard to replace the user’s cryptocurrency addresses with ones controlled by the attacker.
In addition, Zimperium noted, “The malware systematically captures screenshots of the victim’s device, compresses them into PNG format, and exfiltrates the image data alongside a precise timestamp.”
The malware uses various methods to evade detection, including disabling Google Play Protect.
“It initially hides its application icon from the device’s app drawer to avoid visual detection,” Zimperium explained. “Complementing this visual evasion, the malware is capable of muting all device audio and vibrations, ensuring it operates in complete silence during fraudulent activities. This audio suppression effectively masks critical cues, such as security alert notifications or incoming verification calls from banking institutions, significantly reducing the likelihood of the user noticing or interrupting the transaction process.”