- Zimperium Finds New Android Banking Trojan “Rokarolla” Targets 217 Banking/Crypto Apps
- Distributed via counterfeit websites, third-party stores and social media; dropper masquerades as Google Play Protect
- Steals credentials via invisible overlays, hides itself and adds extra spying features like keystroke logging, call blocking and screen recording
Security researchers at Zimperium have discovered Rokarolla, a powerful Android banking Trojan capable of stealing login credentials and other valuable information from more than 200 banking and crypto applications.
Rokarolla is distributed through standalone (spoofed) websites, third-party app stores and social media. It was not found in the Google Play Store or other official Android repositories.
These malicious websites advertise Google Chrome and TikTok apps, but when users download them, they first get a dropper pretending to be Android’s built-in anti-malware solution Google Play Protect. This dropper then offers Chrome and TikTok, loaded with malware.
How to spot Rokarolla
After installation, Rokarolla does what most banking trojans do – it asks for extensive permissions, including the Accessibility service permissions, which are the usual malware red flag.
Other permissions that should cause concern include access to SMS and calls, and access to notifications.
If victims grant all these permissions, Rokarolla will first profile the device and scan it for one of 217 banking and crypto apps.
Then, when the user downloads one of these apps, Rokarolla will display an invisible overlay to capture the login credentials as well as PINs and unlock patterns. The Trojan has several tricks up its sleeve to avoid scrutiny and stay hidden, including showing fake installation screens, hiding the application icon from the app drawer, muting sound and vibration, and keeping the screen awake.
It can also extract contact information and WhatsApp contacts, grab keystrokes, record the screen, block incoming calls and send screenshots.
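The permission pattern described above can be checked from a workstation with adb. The script below is an added example written for this piece, not Zimperium's or TechRadar's tooling: it reads text in the shape of the output of `adb shell settings get secure enabled_accessibility_services`, `adb shell settings get secure enabled_notification_listeners` and `adb shell dumpsys package <pkg>`, and reports apps that combine an enabled Accessibility service with SMS, call, contact, overlay or notification access. The sample outputs and package names are constructed; the permission names are real Android ones, but the grouping into red-flag categories and the allowlist of expected accessibility apps are assumptions of the example.

```python
"""Triage installed Android apps for the red-flag combination described in the
article: an enabled Accessibility service plus SMS, call, contact, overlay or
notification access. Added example, not Zimperium's or TechRadar's code.
Replace the constructed constants with real adb output to run it on a device."""
import re

# Real Android permission names; grouping them into categories is our choice.
RED_FLAGS = {
    "sms": {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS",
            "android.permission.SEND_SMS"},
    "calls": {"android.permission.READ_CALL_LOG", "android.permission.CALL_PHONE",
              "android.permission.ANSWER_PHONE_CALLS",
              "android.permission.READ_PHONE_STATE"},
    "contacts": {"android.permission.READ_CONTACTS"},
    "overlay": {"android.permission.SYSTEM_ALERT_WINDOW"},
}

# Constructed sample in the shape of `settings get secure enabled_accessibility_services`
SAMPLE_ACCESSIBILITY = ("com.example.fakeprotect/.A11yService:"
                        "com.example.screenreader/.ReaderService")
# Constructed sample in the shape of `settings get secure enabled_notification_listeners`
SAMPLE_LISTENERS = "com.example.fakeprotect/.NotifService"

# Constructed excerpts in the shape of the permission blocks of `dumpsys package <pkg>`
SAMPLE_DUMPSYS = {
    "com.example.fakeprotect": """
    install permissions:
      android.permission.INTERNET: granted=true
      android.permission.SYSTEM_ALERT_WINDOW: granted=true
    runtime permissions:
      android.permission.READ_SMS: granted=true, flags=[ USER_SET ]
      android.permission.READ_CALL_LOG: granted=false, flags=[ USER_SET ]
      android.permission.READ_CONTACTS: granted=true, flags=[ USER_SET ]
""",
    "com.example.screenreader": """
    install permissions:
      android.permission.INTERNET: granted=true
""",
}

PERM_RE = re.compile(r"^\s*(android\.permission\.[A-Z_]+): granted=(true|false)")


def parse_service_setting(raw):
    """Return the package names from a colon-separated list of pkg/service entries."""
    pkgs = set()
    for entry in raw.strip().split(":"):
        if "/" in entry:
            pkgs.add(entry.split("/", 1)[0])
    return pkgs


def parse_granted(dumpsys_text):
    """Collect the permissions a dumpsys excerpt reports as granted=true."""
    granted = set()
    for line in dumpsys_text.splitlines():
        m = PERM_RE.match(line)
        if m and m.group(2) == "true":
            granted.add(m.group(1))
    return granted


def triage(pkg, granted, a11y_pkgs, listener_pkgs, allowlist=frozenset()):
    """Return finding strings for one package; an empty list means nothing stood out.
    Accessibility alone is not a verdict (screen readers legitimately need it), so
    it is only escalated when combined with data-access capabilities."""
    if pkg in allowlist:
        return []
    capabilities = [name for name, perms in RED_FLAGS.items() if granted & perms]
    if pkg in listener_pkgs:
        capabilities.append("notifications")
    if pkg in a11y_pkgs and capabilities:
        return [f"{pkg}: accessibility service enabled plus {', '.join(capabilities)}"]
    if pkg in a11y_pkgs:
        return [f"{pkg}: accessibility service enabled (review whether expected)"]
    return []


def run(dumpsys_by_pkg, a11y_raw, listener_raw, allowlist=frozenset()):
    """Triage every package for which a dumpsys excerpt is available."""
    a11y = parse_service_setting(a11y_raw)
    listeners = parse_service_setting(listener_raw)
    report = []
    for pkg, text in dumpsys_by_pkg.items():
        report.extend(triage(pkg, parse_granted(text), a11y, listeners, allowlist))
    return report


if __name__ == "__main__":
    for finding in run(SAMPLE_DUMPSYS, SAMPLE_ACCESSIBILITY, SAMPLE_LISTENERS):
        print(finding)
```

On the constructed sample the fake "Play Protect" package is reported with SMS, contact, overlay and notification access on top of its Accessibility service, while the screen reader only gets an informational line; passing it in `allowlist` silences that line.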
Usually, banking Trojans like Rokarolla target specific geographies and languages. Zimperium did not say which parts of the world were most at risk or how many people may have been infected. Those who only download apps from official repositories such as Google Play Store or Galaxy Store are not at risk.
Via Bleeping Computer
