The research arm of mobile cybersecurity firm Zimperium, zLabs, has discovered a new and particularly dangerous Android banking trojan in the wild. Named Rokarolla, it masquerades as popular applications such as TikTok and Google Chrome. It is specifically designed to target and compromise 217 distinct cryptocurrency and banking applications.
zLabs found Rokarolla targeting 217 banking and cryptocurrency apps. To facilitate undetected financial fraud, it employs a sophisticated suite of 137 commands that grant it extensive administrative control over an infected device.
Its malicious capabilities include harvesting lock screen credentials, exfiltrating sensitive contact lists and SMS data, and utilizing keyloggers to continuously record user input. The trojan also actively conceals its operations and disrupts user intervention by blocking incoming calls, deploying fraudulent screen overlays, suppressing device audio, and deactivating Google Play Protect.
Rokarolla can control locked devices
According to zLabs, Rokarolla enables threat actors to control locked devices. The malware can harvest the device’s unlock credentials, including PINs, patterns, and passwords, enabling attackers to gain unauthorized access to the device. It accomplishes this by deploying a fraudulent overlay designed to closely mimic the legitimate Android lock screen interface. Any credentials entered by the user are captured by this deceptive UI and subsequently exfiltrated for further exploitation. This information allows the malicious actor to execute commands even if a device is locked.
Rokarolla represents a step change in cyber-attacks via smartphones. By covertly hacking a device, a threat actor can gain unprecedented access to the individual’s personal finances. But there is also a more sinister aspect to Rokarolla. Not only do high net worth individuals frequently conduct their affairs on their smartphone, but so do many executives and key company employees. This gives threat actors an easy potential entry point into corporate systems, where they can steal crucial information and client details and install ransomware.
Threat actors working on behalf of potentially hostile nation states such as Russia, China and Iran can also use Rokarolla for purposes of international espionage. By sitting unseen on senior politicians’ devices they can potentially harvest vast amounts of privileged and even secret information.
In order to counter the threat, private and public organizations must try to monitor behavioural changes on their staff’s smartphones and start to move away from the bring-your-own-device (BYOD) practices that make such activity hard to monitor.
