- Zimperium Finds New Android Banking Trojan “Rokarolla” Targeting 217 Banking/Crypto Apps
- Distributed through fake sites, third-party stores and social networks; the dropper pretends to be Google Play Protect
- It steals credentials through invisible overlays, hides itself, and adds spying features such as keystroke logging, call blocking, and screen recording.
Zimperium security researchers discovered Rokarolla, a powerful Android banking Trojan capable of stealing login credentials and other valuable information from over 200 banking and crypto apps.
Rokarolla is distributed through independent (fake) websites, third-party app stores and social networks. It was not found in the Google Play Store or other official Android repositories.
These malicious websites advertise Google Chrome and TikTok apps, but when users download them, they first receive a dropper claiming to be Android’s built-in anti-malware solution, Google Play Protect. This dropper then offers Chrome and TikTok, loaded with malware.
How to spot Rokarolla
Upon installation, Rokarolla will do what most banking Trojans do: request extensive permissions, including accessibility service permissions, which are the usual red flag for malware.
Other permissions that should be of concern include access to SMS and calls, as well as access to notifications.
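The permission combination described above can be checked mechanically when triaging a sideloaded APK. The following Python code is an added example, not taken from Zimperium or the original article; it reads a decoded AndroidManifest.xml (as produced by a tool such as apktool). The mapping from the article's categories to concrete Android permission names and both sample manifests are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"

# Assumed mapping: the article names categories (SMS, calls, notifications,
# accessibility), not the exact permissions Rokarolla requests.
REQUESTED = {
    "sms": {"READ_SMS", "RECEIVE_SMS", "SEND_SMS"},
    "calls": {"READ_CALL_LOG", "READ_PHONE_STATE", "CALL_PHONE", "ANSWER_PHONE_CALLS"},
}
# These two are not requested with <uses-permission>; the app declares a
# <service> guarded by the permission and the user enables it in Settings.
BOUND = {
    "accessibility": "BIND_ACCESSIBILITY_SERVICE",
    "notifications": "BIND_NOTIFICATION_LISTENER_SERVICE",
}

def risky_categories(manifest_xml):
    """Return the article's permission categories present in a decoded manifest."""
    root = ET.fromstring(manifest_xml)
    requested = {
        el.get(ANDROID + "name", "").rsplit(".", 1)[-1]
        for tag in ("uses-permission", "uses-permission-sdk-23")
        for el in root.iter(tag)
    }
    hits = {cat for cat, perms in REQUESTED.items() if requested & perms}
    for svc in root.iter("service"):
        guard = svc.get(ANDROID + "permission", "").rsplit(".", 1)[-1]
        hits |= {cat for cat, perm in BOUND.items() if guard == perm}
    return hits

def matches_article_profile(manifest_xml):
    """True when all four categories the article lists are present together."""
    return risky_categories(manifest_xml) == set(REQUESTED) | set(BOUND)

# Constructed sample manifests (not real Rokarolla artifacts).
SAMPLE_SUSPECT = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.constructed.dropper">
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <application>
    <service android:name=".A" android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
    <service android:name=".N" android:permission="android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"/>
  </application>
</manifest>"""
SAMPLE_BENIGN = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.constructed.notes">
  <uses-permission android:name="android.permission.INTERNET"/>
</manifest>"""

if __name__ == "__main__":
    for label, doc in (("suspect", SAMPLE_SUSPECT), ("benign", SAMPLE_BENIGN)):
        print(label, sorted(risky_categories(doc)), matches_article_profile(doc))
```

A partial match from `risky_categories` is still worth a look, since legitimate apps rarely need accessibility access alongside SMS or call permissions.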
If victims grant all of these permissions, Rokarolla will first profile the device and scan it for one of 217 banking and crypto apps.
After that, whenever the user opens one of those apps, Rokarolla will display an invisible overlay to capture login credentials, as well as PIN codes and unlock patterns. The Trojan has numerous tricks up its sleeve to avoid scrutiny and remain hidden, including displaying fake installation screens, hiding the app icon from the app drawer, muting audio and vibrations, and keeping the screen awake.
It can also extract contact information and contacts from WhatsApp, capture keystrokes, record the screen, block incoming calls, and send screenshots.
Typically, banking Trojans like Rokarolla target specific geographies and languages. Zimperium did not say which parts of the world were most at risk or how many people were possibly infected. Those who only download applications from official repositories such as Google Play Store or Galaxy Store are not at risk.
Via BleepingComputer
