Malware | Jun 16, 2026

New Rokarolla Android Trojan Found Targeting 217 Crypto and Banking Apps

New Rokarolla Android Trojan targets 217 crypto and banking apps with clipboard hijacking and device control.

Summary

A new Android banking trojan named Rokarolla has been discovered by Zimperium researchers. This malware is capable of hijacking clipboards, blocking bank calls, and taking complete control of infected devices. It targets 217 cryptocurrency and banking applications by using fake screen overlays and requesting Accessibility Services permissions.

Full text

Zimperium researchers discover a new mobile Trojan that hijacks clipboards, blocks bank calls, and takes complete control of Android devices.

By Deeba Ahmed, June 16, 2026

The zLabs research team at mobile security firm Zimperium has identified a new Android banking trojan named Rokarolla. This highly invasive malware is named after its command-and-control infrastructure (the server network that threat actors use to send instructions to infected phones). According to zLabs researchers, this trojan is unusual in that it combines financial fraud with total device surveillance and can target 217 different cryptocurrency and banking programs.

Attack chain explained

The attack chain begins when a user visits a malicious website like infocontablidades.it.com. These pages actually contain the malware, hidden inside files that look like popular programs such as TikTok or Google Chrome. When a victim downloads this file, a secondary dropper (secondary malware) runs first, disguised as a Google Play Protect security tool. It is this dropper that tricks the user into installing the final malicious payload.

Once installed, the malware asks for permission to use Android Accessibility Services. Then, it takes over these services to monitor the phone screen and track coordinates without user intervention. It requests to become the phone’s default SMS handler and default Call handler for uninterrupted data interception.

Further investigation revealed that Rokarolla uses fake screen overlays. When a victim opens an authentic financial application, it queries the server’s endpoint to fetch fake HTML-based phishing pages. It then displays these fake login screens right on top of the legitimate apps. It even puts a fake PIN prompt over the phone’s regular lock screen to steal passwords.

Image: Malware requesting Accessibility Services, impersonating genuine apps (Source: Zimperium)

Complete Device Control

Researchers noted that the malware has 137 commands available to control the phone, and it uses specific background code terms, such as and , to trigger these actions. Through an automated keylogger and UI logger, the malware can read text messages, steal WhatsApp lists, track keystrokes, and take screenshots. Using a snapshot-based surveillance mechanism called Pseudo-VNC, it monitors screens secretly. Also, it performs clipboard hijacking to modify text copied by the user, switching cryptocurrency wallet addresses during transfers without the victim noticing.

To keep the attack hidden, Rokarolla stops incoming phone calls using commands like and mutes all sounds. This step stops victims from hearing warning alerts or receiving fraud prevention calls from their banks. It also actively disables real Google Play Protect security scans and forces the device screen to stay on permanently so its background actions are never cut off.

The research shows the changing trends in mobile threats: cybercriminals no longer focus entirely on data theft and instead aim for full device takeover. This is a worrying trend because controlling a phone’s audio and text messages makes security features like multi-factor authentication completely useless.

Image: Fake overlay process (Source: Zimperium)

Commenting on this, Randolph Barr, Chief Information Security Officer at Cequence Security, a San Francisco, Calif.-based API security and bot management provider, stated that:

“The threat landscape continues to surge, in particular, the mobile threat landscape. Back in 2024 alone, more than 4 million social engineering attacks targeted mobile devices, over 33 million mobile malware/adware incidents were blocked, and phishing attacks rose significantly. Android continues to face banking trojans and data-leaking SDKs, while insecure app practices plague both Android and iOS platforms. Most of these attacks are aimed at PII, credentials, and financial data.”

“Employers and service providers add a third risk layer. Each validation request is a new integration point, creating an additional attack surface. Bad actors could compromise employer systems, abuse verification APIs, or phish organizations into over-collecting and mishandling sensitive data. Since employers often lack the same level of cybersecurity maturity as, say, government systems, they may become the weakest link in the chain,” he warned.

Nevertheless, the best protection against these threats is avoiding third-party links or pop-up ads for downloading files, denying accessibility service requests from unverified apps, and closely monitoring unusual screen behaviour like a device refusing to turn off.

Deeba Ahmed is a veteran cybersecurity reporter at Hackread.com with over a decade of experience covering cybercrime, vulnerabilities, and security events. Her expertise and in-depth analysis make her a key contributor to the platform’s trusted coverage.

Indicators of Compromise

  • domain — infocontablidades.it.com
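
Beyond the network indicator, the device-side traits the article describes (an enabled accessibility service, default SMS and call handler status, installation from outside Google Play) can be triaged from adb output. The script below is an added example, not code from Zimperium or the article; it parses the output of `settings get secure enabled_accessibility_services`, `settings get secure sms_default_application`, `settings get secure dialer_default_application` and `pm list packages -3 -i`. The package names and sample outputs are constructed, and the trusted-installer list is an assumption.

```python
import re

# Installers treated as trusted: an assumption for this example, adjust per fleet.
TRUSTED_INSTALLERS = {"com.android.vending"}

# Constructed sample outputs (hypothetical packages), as captured over adb.
A11Y = "com.example.updater/com.example.updater.CoreService:com.example.reader/com.example.reader.TalkService"
SMS = "com.example.updater\n"
DIALER = "com.example.updater\n"
PM = (
    "package:com.example.updater  installer=null\n"
    "package:com.example.reader  installer=com.android.vending\n"
    "package:com.example.game  installer=com.android.vending\n"
)

def parse_accessibility(raw):
    """Colon-separated 'package/ServiceClass' entries, or 'null' -> set of packages."""
    raw = raw.strip()
    if raw in ("", "null"):
        return set()
    return {entry.split("/", 1)[0] for entry in raw.split(":") if entry}

def parse_installers(raw):
    """Lines of 'package:<name>  installer=<name|null>' -> {package: installer or None}."""
    out = {}
    for m in re.finditer(r"^package:(\S+)\s+installer=(\S+)", raw, re.M):
        out[m.group(1)] = None if m.group(2) == "null" else m.group(2)
    return out

def triage(a11y_raw, sms_raw, dialer_raw, pm_raw):
    """Map each third-party package to the traits it holds, most traits first."""
    a11y = parse_accessibility(a11y_raw)
    sms, dialer = sms_raw.strip(), dialer_raw.strip()
    findings = {}
    for pkg, installer in parse_installers(pm_raw).items():
        checks = {
            "accessibility_service": pkg in a11y,
            "default_sms": pkg == sms,
            "default_dialer": pkg == dialer,
        }
        traits = [name for name, hit in checks.items() if hit]
        # Sideloading alone is common; only count it alongside a privileged trait.
        if traits and installer not in TRUSTED_INSTALLERS:
            traits.append("sideloaded")
        if traits:
            findings[pkg] = traits
    return dict(sorted(findings.items(), key=lambda kv: -len(kv[1])))

if __name__ == "__main__":
    for pkg, traits in triage(A11Y, SMS, DIALER, PM).items():
        print(pkg, traits)
```

A package holding all four traits at once matches the combination the article describes; a single trait, such as a screen reader with an accessibility service, is normal and only listed for context.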

Entities

  • TikTok (product)
  • Google Chrome (product)
  • Google Play Protect (product)
  • Zimperium (vendor)
  • Rokarolla (threat_actor)
  • Cequence Security (vendor)