A new Android banking trojan, dubbed Rokarolla, has been discovered by security researchers at Zimperium. The malware targets 217 banking and cryptocurrency applications and can execute 137 commands on infected devices, giving attackers near-total control over compromised phones.

Rokarolla is primarily distributed through malicious websites that impersonate popular applications such as TikTok and Google Chrome, fooling users into downloading what appears to be a legitimate app. The malware uses phishing overlays to steal financial data from victims, including lock-screen PINs, SMS codes, and cryptocurrency wallet funds.

What Happened

Rokarolla is designed to steal financial information while giving attackers broad control over compromised devices. It can harvest lock-screen credentials, exfiltrate sensitive contact lists and SMS data, and utilize keyloggers to continuously record user input. The malware also actively conceals its operations and disrupts user intervention by blocking incoming calls, deploying fraudulent screen overlays, suppressing device audio, and deactivating Google Play Protect.

The attack begins with a dropper that poses as Google Play Protect; under that masquerade it installs the main payload and obtains Accessibility access. Once running, one of the trojan's first commands turns off Play Protect, removing the primary automated defense most Android users rely on.

Background and Context

Rokarolla is distributed through rogue websites that offer fake versions of popular apps like TikTok or Chrome. These malicious sites push users to download the app directly, a process known as sideloading. After installation, the fake app poses as Google Play Protect and quietly downloads and installs the malware that carries out the attack.

The malware then requests access to Android Accessibility Services, along with permissions for notifications and SMS messages. It then deploys phishing overlays to steal financial data from victims, including lock-screen PINs, SMS codes, and cryptocurrency wallet funds.

Why it Matters to the Industry

Rokarolla's capabilities pose a significant threat to adult-industry platforms and operators. The malware can intercept one-time passwords (OTPs) and two-factor authentication (2FA) codes, which are commonly used for age-gating and moderation purposes. Rokarolla can also record everything typed and seen on the screen, including sensitive information such as credit card numbers and login credentials.

The malware's ability to take control of text messages and phone calls allows it to block security alerts and hide signs of fraud. This could lead to a significant increase in financial losses for adult-industry platforms and operators, who rely heavily on secure payment processing and age-gating mechanisms.

What Comes Next

Several guidelines help users avoid banking trojans like Rokarolla. First, users should never trust an app that claims to be Google Play Protect or another system component. They should also run up-to-date, real-time anti-malware protection with web protection on their devices.

Additionally, users should not sideload apps that are available on the Google Play Store; they should install them from the store instead. While malware can sometimes slip into official stores, the risk is much greater elsewhere. Finally, users should deny powerful permissions to apps downloaded from unknown sources.
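The guidance above can be turned into a quick device audit. The following shell script is an added example, not from the article or from Zimperium: it flags installed packages that combine the traits described for Rokarolla, namely a sideloaded install (installer is not the Play Store) and an enabled Accessibility service. The package names and the two input samples are constructed for the example; `live_triage` assumes a connected device reachable via `adb`.

```shell
#!/bin/sh
# Added example: triage installed packages for the Rokarolla traits the
# article describes (sideloaded + Accessibility access). Not the article's code.

# Constructed sample in the shape of `adb shell pm list packages -3 -i`.
SAMPLE_PKGS='package:com.example.bank  installer=com.android.vending
package:com.playprotect.update  installer=null
package:com.tiktok.free  installer=com.android.packageinstaller'

# Constructed sample in the shape of
# `adb shell settings get secure enabled_accessibility_services`.
SAMPLE_A11Y='com.playprotect.update/.ProtectService:com.google.android.marvin.talkback/.TalkBackService'

# Print packages whose installer is not the Play Store (com.android.vending).
# Input: text in `pm list packages -3 -i` format.
sideloaded_packages() {
  printf '%s\n' "$1" | awk -F'[: =]+' '$4 != "com.android.vending" {print $2}'
}

# Return 0 if package $1 has an enabled Accessibility service in setting $2
# (a colon-separated list of package/service entries).
a11y_enabled() {
  printf '%s\n' "$2" | tr ':' '\n' | grep -q "^$1/"
}

# One line per sideloaded package, with "+accessibility" when it also holds
# Accessibility access, the combination the article's dropper relies on.
triage() {
  sideloaded_packages "$1" | while read -r pkg; do
    if a11y_enabled "$pkg" "$2"; then
      echo "$pkg sideloaded+accessibility"
    else
      echo "$pkg sideloaded"
    fi
  done
}

# Run the same triage against a connected device (assumes adb is available).
live_triage() {
  triage "$(adb shell pm list packages -3 -i | tr -d '\r')" \
         "$(adb shell settings get secure enabled_accessibility_services | tr -d '\r')"
}

triage "$SAMPLE_PKGS" "$SAMPLE_A11Y"
```

On the constructed sample, the package posing as a Play Protect update is the only one reported as `sideloaded+accessibility`; a hit like that is what the "never trust an app claiming to be Play Protect" guideline is meant to catch.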

Key Facts

  • Rokarolla targets 217 banking and cryptocurrency applications.
  • The malware can execute 137 commands on infected devices.
  • Rokarolla uses phishing overlays to steal financial data from victims.
  • The malware can intercept one-time passwords (OTPs) and two-factor authentication (2FA) codes.
  • Rokarolla can take control of text messages and phone calls, allowing it to block security alerts and hide signs of fraud.