- Zimperium finds new Android banking trojan “Rokarolla” targeting 217 banking/crypto apps
- Distributed via spoofed sites, third‑party stores, and social media; dropper masquerades as Google Play Protect
- Steals credentials via invisible overlays, hides itself, and adds extra spying features like keystroke logging, call blocking, and screen recording
Security researchers Zimperium discovered Rokarolla, a powerful Android banking trojan capable of stealing login credentials and other valuable information from more than 200 banking and crypto applications.
Rokarolla is being distributed through standalone (spoofed) websites, third-party app stores, and social media. It was not found on the Google Play Store or other official Android repositories.
These malicious websites are advertising Google Chrome and TikTok apps, but when users download them, they first get a dropper that pretends to be Android’s built-in anti-malware solution Google Play Protect. This dropper then offers Chrome and TikTok, laden with malware.
How to spot Rokarolla
Upon installation, Rokarolla will do what most banking trojans do – ask for extensive permissions, including the Accessibility service permissions which are the usual malware red flag.
Other permissions that should be cause for concern include access to SMS and calls, as well as access to notifications.
If the victims grant all these permissions, Rokarolla will first profile the device and scan it for one of 217 banking and crypto apps.
After that, whenever the user brings up one of those apps, Rokarolla will display an invisible overlay to capture the login credentials, as well as PIN codes and unlock patterns. The trojan has numerous tricks up its sleeve to avoid scrutiny and remain hidden, including displaying fake installation screens, hiding the application icon from the app drawer, silencing audio and vibrations, and keeping the screen awake.
It can also extract contact information and WhatsApp contacts, grab keystrokes, record the screen, block incoming calls, and send screenshots.
Usually, banking trojans like Rokarolla target specific geographies and languages. Zimperium did not say which parts of the world were most at risk, or how many people were possibly infected. Those who only download apps from official repositories such as the Google Play Store or Galaxy Store are not at risk.
Via BleepingComputer
The best antivirus for all budgets
Follow TechRadar on Google News and add us as a preferred source to get our expert news, reviews, and opinion in your feeds.
https://cdn.mos.cms.futurecdn.net/eVgzzXmQMEyvzfYvAaAMrX-1919-80.jpg
Source link
