# Rokarolla Android Trojan Targets 200+ Banking & Crypto Apps

**Source:** [Rokarolla Banking Trojan Targets 200 Applications](https://www.securityweek.com/rokarolla-banking-trojan-targets-200-applications/) (SecurityWeek)
**Published:** 2026-06-18
**Tags:** Access Control (excessive privileges, missing MFA, weak auth); Security Awareness (phishing, social engineering, human error); Data Protection (unencrypted data, missing DLP, poor classification)

**Why it matters:**
The Rokarolla banking trojan is distributed through unofficial sources, so it never passes the vetting that official stores such as Google Play apply. Once installed it abuses Android's permission model, requesting far more than a legitimate app needs (accessibility services among them) and capturing lockscreen credentials, which together give it effective control of the device. It disables Google Play Protect and hides its own launcher icon, a reminder that this class of malware actively dismantles built-in defenses in order to stay resident. The result is silent exfiltration of banking credentials, SMS messages (including one-time passcodes), clipboard contents and contact data from more than 200 financial applications, enabling large-scale fraud with little chance that the victim notices.

**Framework references:**
- CIS Control 2: Inventory and Control of Software Assets
- CIS Control 4: Secure Configuration of Enterprise Assets
- CIS Control 14: Security Awareness and Skills Training
- NIST SP 800-124: Guidelines for Managing the Security of Mobile Devices
- NIST AC-6: Least Privilege
- NIST SI-3: Malicious Code Protection
- NIST PR.AT-1: Security Awareness Training
- GDPR Article 32: Security of Processing (protecting personal data from unauthorized access)
- OWASP Mobile Top 10 - M1: Improper Platform Usage
- OWASP Mobile Top 10 - M6: Insecure Authorization

**Immediate actions:**
- Install applications only from official app stores (Google Play, or the Apple App Store on iOS) and verify the publisher before installing; Rokarolla is distributed outside the store precisely to avoid Play's vetting.
- Review and revoke excessive app permissions on all personal and corporate devices, in particular accessibility services, SMS access and the draw-over-other-apps (overlay) permission, which together are what a banking trojan needs to read OTPs and capture credentials.
- Keep Google Play Protect enabled. An app holding accessibility privileges can switch it off, so treat Play Protect unexpectedly being disabled as an indicator of compromise rather than assuming it stayed on.

**Long-term improvements:**
- Deploy a Mobile Device Management (MDM) or Mobile Threat Defense (MTD) solution to enforce application allowlisting and detect anomalous behaviour on employee devices.
- Adopt a mobile security policy that blocks sideloading of APKs (the "install unknown apps" permission) and enforces regular OS and security patch updates.
- Run regular security awareness training on mobile phishing, fake app distribution sites and the social-engineering lures used to get users to sideload.

**Detection measures:**
- On managed devices, monitor for SMS forwarding or exfiltration, unusual clipboard reads and screen-capture activity with endpoint detection tooling.
- Alert on unauthorized disabling of security features such as Google Play Protect, and on changes to device administrator and accessibility settings.
- For banking and cryptocurrency accounts, prefer MFA that does not rely solely on SMS one-time passcodes (authenticator apps, push approval or hardware keys), since the trojan reads incoming SMS.
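The permission review and detection items above can be checked directly on a device over adb. The following is an added example, not code from the article or from any Rokarolla analysis: it parses the output of `pm list packages -3 -i`, the `enabled_accessibility_services` secure setting, `cmd package query-activities --brief` for MAIN/LAUNCHER, `dumpsys package <pkg>` and `appops get <pkg> SYSTEM_ALERT_WINDOW`, and flags third-party packages that are sideloaded, hold an enabled accessibility service, expose no launcher icon, hold SMS permissions or may draw over other apps. The exact output formats assumed by the regexes, the package names, and the trusted-installer set are assumptions; the sample outputs are constructed to mimic adb and were not captured from an infected device.

```python
"""Triage adb output for Rokarolla-style indicators: sideloaded packages,
enabled accessibility services, hidden launcher icons, SMS grants and the
draw-over-other-apps (SYSTEM_ALERT_WINDOW) grant used for overlays.

Added example; the adb output formats below are assumptions and the sample
data is constructed, not captured from a real device.
"""
import re
import subprocess
from typing import Dict, List, Set

TRUSTED_INSTALLERS = {"com.android.vending"}  # Google Play; add an enterprise store if used
SMS_PERMS = {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS",
             "android.permission.SEND_SMS"}


def parse_installers(pm_list_output: str) -> Dict[str, str]:
    """`pm list packages -3 -i` -> {package: installer}; 'null' means adb/unknown."""
    return {m.group(1): m.group(2) for m in
            re.finditer(r"^package:(\S+)\s+installer=(\S+)", pm_list_output, re.M)}


def accessibility_packages(setting_value: str) -> Set[str]:
    """Owners of enabled accessibility services (secure setting value, colon-separated pkg/Service)."""
    return {e.split("/")[0] for e in setting_value.strip().split(":") if e}


def launcher_packages(query_output: str) -> Set[str]:
    """Packages with a MAIN/LAUNCHER activity, i.e. ones that show a home-screen icon.
    Accepts any `pkg/Activity` line from `cmd package query-activities --brief`."""
    return set(re.findall(r"^\s*([\w.]+)/[\w.$]+\s*$", query_output, re.M))


def granted_permissions(dumpsys_output: str) -> Set[str]:
    """Runtime permissions reported as granted=true by `dumpsys package <pkg>`."""
    return set(re.findall(r"^\s*([\w.]+): granted=true", dumpsys_output, re.M))


def overlay_allowed(appops_output: str) -> bool:
    """`appops get <pkg> SYSTEM_ALERT_WINDOW` prints 'allow' when overlays are permitted."""
    return re.search(r"SYSTEM_ALERT_WINDOW:\s*allow", appops_output) is not None


def audit(installers: Dict[str, str], a11y: Set[str], launcher: Set[str],
          perms_by_pkg: Dict[str, Set[str]], overlay_by_pkg: Dict[str, bool]) -> Dict[str, List[str]]:
    """Return {package: [indicator, ...]} for every third-party package with an indicator."""
    findings: Dict[str, List[str]] = {}
    for pkg, installer in sorted(installers.items()):
        flags = []
        if installer not in TRUSTED_INSTALLERS:
            flags.append(f"sideloaded (installer={installer})")
        if pkg in a11y:
            flags.append("accessibility service enabled")
        if pkg not in launcher:
            flags.append("no launcher icon")
        sms = sorted(p.rsplit(".", 1)[1] for p in SMS_PERMS & perms_by_pkg.get(pkg, set()))
        if sms:
            flags.append("SMS permissions granted: " + ", ".join(sms))
        if overlay_by_pkg.get(pkg, False):
            flags.append("draw over other apps allowed")
        if flags:
            findings[pkg] = flags
    return findings


# --- constructed sample, shaped like the corresponding adb output ----------
SAMPLE_PM_LIST = """\
package:com.bank.mobile  installer=com.android.vending
package:com.example.notes  installer=com.android.vending
package:com.sys.update  installer=com.google.android.packageinstaller
"""
SAMPLE_A11Y = ("com.sys.update/com.sys.update.AccessService:"
               "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService")
SAMPLE_LAUNCHER = """\
Activity Resolver Table:
  com.bank.mobile/com.bank.mobile.MainActivity
  com.example.notes/com.example.notes.ui.Launcher
"""
SAMPLE_DUMPSYS = {
    "com.sys.update": """\
Package [com.sys.update] (a1b2c3):
    runtime permissions:
      android.permission.RECEIVE_SMS: granted=true, flags=[ USER_SET ]
      android.permission.READ_CONTACTS: granted=true, flags=[ USER_SET ]
""",
    "com.bank.mobile": "      android.permission.CAMERA: granted=true, flags=[ USER_SET ]\n",
}
SAMPLE_APPOPS = {"com.sys.update": "SYSTEM_ALERT_WINDOW: allow; time=+2h13m ago\n"}


def run_sample() -> Dict[str, List[str]]:
    """Audit the constructed sample; only com.sys.update should be flagged."""
    return audit(parse_installers(SAMPLE_PM_LIST),
                 accessibility_packages(SAMPLE_A11Y),
                 launcher_packages(SAMPLE_LAUNCHER),
                 {p: granted_permissions(t) for p, t in SAMPLE_DUMPSYS.items()},
                 {p: overlay_allowed(t) for p, t in SAMPLE_APPOPS.items()})


def adb(*args: str) -> str:
    """Run `adb shell <args>` against the connected device (USB debugging required)."""
    return subprocess.run(["adb", "shell", *args], capture_output=True, text=True, check=True).stdout


if __name__ == "__main__":
    import sys
    if "--device" in sys.argv:  # live audit; without the flag, the constructed sample is used
        installers = parse_installers(adb("pm", "list", "packages", "-3", "-i"))
        findings = audit(
            installers,
            accessibility_packages(adb("settings", "get", "secure", "enabled_accessibility_services")),
            launcher_packages(adb("cmd", "package", "query-activities", "--brief", "-a",
                                  "android.intent.action.MAIN", "-c", "android.intent.category.LAUNCHER")),
            {p: granted_permissions(adb("dumpsys", "package", p)) for p in installers},
            {p: overlay_allowed(adb("appops", "get", p, "SYSTEM_ALERT_WINDOW")) for p in installers})
    else:
        findings = run_sample()
    for pkg, flags in findings.items():
        print(pkg + ": " + "; ".join(flags))
```

A package that is sideloaded and also holds an enabled accessibility service with no launcher icon matches the behaviour the article attributes to Rokarolla and deserves immediate attention; a single indicator (for example a sideloaded internal app, or a screen reader holding accessibility) is normal and should be allowlisted rather than alerted on. The script only reads state over adb and changes nothing on the device.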