A new Android banking Trojan named Rokarolla targets 217 banking and cryptocurrency applications using an extensive set of 137 commands.
The malware is distributed through malicious websites claiming to offer the Google Chrome or TikTok apps, and it can gain full administrative control of compromised devices.
Its capabilities include stealing lock-screen credentials, contact lists and SMS data, and continuously recording user input with a keylogger.
During installation, the malicious app acts as a dropper, impersonating Google Play Protect, Android's built-in anti-malware system, and offering users the option to install Chrome or TikTok bundled with the Rokarolla malware.
When launched on a device, Rokarolla requests permission for accessibility services, as well as access to notifications, SMS and calls, researchers at mobile security firm Zimperium revealed in a report today.

Source: Zimperium
Communication with the command and control (C2) server begins with the malware sending a basic device profile, including details such as the phone model, installed Android version, locale, display characteristics, battery level, storage capacity and available RAM.
According to Zimperium, this information is used to generate a unique identifier for each victim of the Rokarolla campaign.
According to Zimperium, the main goal of the malware appears to be financial data theft. It accomplishes this by checking the infected device against a list of 217 target applications and downloading the phishing payload corresponding to the matching applications.
When a victim opens a listed app, Rokarolla displays a fake login overlay and steals login credentials, credit card information and other financial data.

Source: Zimperium
However, the use of overlays goes beyond data theft. The malware uses the same method to capture the lock-screen PIN or pattern and take control of the device even while it is locked.
Additionally, overlays are used to hide malware activity and block user interaction by displaying fake installation screens when necessary.

Source: Zimperium
Further evasion tactics include disabling Google Play Protect, hiding application icons from the app drawer, muting sounds and vibrations, and keeping the screen awake indefinitely.
Zimperium has created a GitHub repository containing all 137 commands available in Rokarolla. Data theft commands include:
- Steal SMS messages
- Extract contact information and WhatsApp contacts
- Capture keystrokes
- Record on-screen content through UI logs
- Copy and manipulate clipboard contents
- Block incoming calls and bank fraud alerts
- Take screenshots regularly and upload them with timestamps
Combined, these capabilities give Rokarolla operators near-complete administrative control over infected Android devices, allowing them to carry out sophisticated financial fraud.
Zimperium did not find the malware on Google Play, the official repository for Android apps. We recommend that users do not download APK files from outside Google Play unless they explicitly trust the publisher.
Additionally, users should be careful when granting accessibility permissions, because they can be abused to bypass standard Android security protections and gain advanced functionality such as manipulating the user interface or approving system prompts. This is a permission frequently requested by Android malware.
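One practical check for the accessibility and notification access the article warns about, as an added example that is not code from Zimperium's report: the script below parses the colon-separated output of `adb shell settings get secure enabled_accessibility_services` (or `enabled_notification_listeners`) and flags any package that is not on an assumed allowlist. The allowlist and the sample input are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from Zimperium's report): triage which apps on an Android
# device hold the two privileges Rokarolla requests at launch, accessibility
# service access and notification access. Input is the string that
#   adb shell settings get secure enabled_accessibility_services
#   adb shell settings get secure enabled_notification_listeners
# prints: colon-separated "package/ServiceClass" entries, or "null" when none.

# Assumed allowlist of packages expected to hold these privileges (adjust per fleet).
ALLOWED_PKGS="com.google.android.marvin.talkback com.android.systemui"

# flag_unexpected_services LIST ALLOWLIST
# Prints each package in LIST that is not in ALLOWLIST (one per line).
# Returns 1 if any such package was found, 0 otherwise.
flag_unexpected_services() {
    list=$1
    allow=$2
    found=0
    if [ -z "$list" ] || [ "$list" = "null" ]; then
        return 0                          # nothing enabled, nothing to flag
    fi
    old_ifs=$IFS
    IFS=:                                 # entries are colon-separated
    for entry in $list; do
        pkg=${entry%%/*}                  # "pkg/Class" -> "pkg"
        case " $allow " in
            *" $pkg "*) ;;                # expected package, ignore
            *) echo "$pkg"; found=1 ;;    # unexpected holder of the privilege
        esac
    done
    IFS=$old_ifs
    return "$found"
}

# Constructed sample standing in for `settings get` output on an infected device:
# TalkBack is legitimate, the second entry is a hypothetical dropper package.
SAMPLE_A11Y='com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:com.example.chromeinstaller/com.example.chromeinstaller.AccessService'

if ! flag_unexpected_services "$SAMPLE_A11Y" "$ALLOWED_PKGS"; then
    echo "review the packages above: an unexpected accessibility service is enabled" >&2
fi
```

On a real device, replace the sample with the output of the two `adb shell settings get secure` commands and review every flagged package before deciding whether to revoke its access.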
