- Zimperium discovers a new Android banking Trojan, “Rokarolla”, targeting 217 banking and crypto apps.
- Distributed through fraudulent websites, third-party app stores and social networks; the dropper impersonates Google Play Protect.
- Steals credentials via invisible overlays, hides itself on the device, and adds spying features such as keylogging, call blocking and screen recording.
Zimperium security researchers have discovered Rokarolla, a powerful Android banking Trojan capable of stealing login credentials and other valuable information from over 200 banking and crypto apps.
Rokarolla is distributed through standalone (spoofed) websites, third-party app stores and social networks. It was not found on the Google Play Store or other official Android repositories.
These malicious websites advertise Google Chrome and TikTok apps, but when users download them, they first receive a dropper that claims to be Android’s built-in anti-malware solution, Google Play Protect. This dropper then installs trojanized copies of Chrome and TikTok.
How to spot Rokarolla
Upon installation, Rokarolla does what most banking Trojans do: it requests extensive permissions, including the Accessibility Service permission that is the usual red flag for malware.
Other permissions that should be of concern include access to text messages and calls, as well as access to notifications.
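The Accessibility Service red flag described above can be checked on a managed or personal device without any vendor tooling. The following POSIX shell script is an added example, not code from the article or from Zimperium: it takes the colon-separated list of enabled accessibility services that Android exposes through `adb shell settings get secure enabled_accessibility_services` and reports every package that is not on a trusted allowlist. The allowlist contents and the sample service list are constructed assumptions; on a real device the value of SAMPLE_SERVICES would be replaced by the adb output.

```shell
#!/bin/sh
# Added example (not from the article or Zimperium): flag enabled accessibility
# services whose package is not on a trusted allowlist.
#
# On a connected device the raw value is obtained with:
#   adb shell settings get secure enabled_accessibility_services
# It looks like "pkg/pkg.ServiceClass:pkg2/pkg2.OtherService", or the literal
# string "null" when no accessibility service is enabled.
#
# Constructed sample output so the script runs offline. The second entry is a
# made-up package name standing in for a dropper that obtained the permission.
SAMPLE_SERVICES='com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:com.example.fake_play_protect/com.example.fake_play_protect.AccService'

# Packages expected to hold the accessibility permission (assumption; adjust to
# the screen readers and automation tools actually approved in your environment).
ALLOWLIST='com.google.android.marvin.talkback'

# flag_accessibility_services LIST ALLOWLIST
#   Prints each package from LIST (colon-separated pkg/service entries) that is
#   not present in the space-separated ALLOWLIST, one per line.
flag_accessibility_services() {
    list=$1
    allow=$2
    # "null" means nothing is enabled: nothing to report.
    [ "$list" = "null" ] && return 0
    printf '%s\n' "$list" | tr ':' '\n' | while IFS= read -r entry; do
        [ -z "$entry" ] && continue
        pkg=${entry%%/*}              # strip "/ServiceClass"
        case " $allow " in
            *" $pkg "*) ;;            # trusted package, keep quiet
            *) printf '%s\n' "$pkg" ;; # unexpected holder of the permission
        esac
    done
}

# Stand-alone run: prints the suspicious package from the sample data.
flag_accessibility_services "$SAMPLE_SERVICES" "$ALLOWLIST"
```

Any package reported by this check deserves a closer look at its origin (installed from Play, or sideloaded?) and at whether it also holds SMS, call or notification access, the other permissions the article singles out.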
If victims grant all these permissions, Rokarolla will first profile the device and scan it for any of 217 banking and crypto apps.
After that, whenever the user opens one of these apps, Rokarolla will display an invisible overlay to capture login information, along with PINs and unlock patterns. The Trojan has many tricks up its sleeve to avoid scrutiny and remain hidden, including displaying fake installation screens, hiding the app icon in the app drawer, muting sound and vibration, and keeping the screen awake.
It can also extract contact information and WhatsApp contacts, log keystrokes, record the screen, block incoming calls and send screenshots.
Usually, banking Trojans like Rokarolla target specific geographies and languages. Zimperium did not specify which regions of the world were most at risk, or how many people could be infected. Those who only download apps from official repositories such as the Google Play Store or Galaxy Store are not at risk.
Via BleepingComputer
