
Zimperium finds new Android banking trojan “Rokarolla” targeting 217 banking/crypto apps
Distributed via spoofed sites, third‑party stores, and social media; dropper masquerades as Google Play Protect
Steals credentials via invisible overlays, hides itself, and adds extra spying features like keystroke logging, call blocking, and screen recording
Security researchers at Zimperium have discovered Rokarolla, a powerful Android banking trojan capable of stealing login credentials and other valuable information from more than 200 banking and cryptocurrency applications.
Rokarolla is being distributed through spoofed standalone websites, third-party app stores, and social media. It was not found on the Google Play Store or other official Android app repositories.
These malicious websites advertise Google Chrome and TikTok, but users who download them first receive a dropper that poses as Google Play Protect, Android's built-in anti-malware service. The dropper then delivers trojanized Chrome and TikTok installers carrying the malware.
How to spot Rokarolla
Upon installation, Rokarolla does what most banking trojans do: it asks for extensive permissions, including access to the Accessibility service, which is the usual malware red flag because it lets an app read and act on whatever is on screen.
Other permissions that should raise concern include access to SMS and calls, as well as access to notifications.
If the victims grant all these permissions, Rokarolla will first profile the device and scan it for one of 217 banking and crypto apps.
After that, whenever the user opens one of those apps, Rokarolla displays an invisible overlay to capture the login credentials, as well as PIN codes and unlock patterns. The trojan has numerous tricks to avoid scrutiny and stay hidden, including displaying fake installation screens, hiding its icon from the app drawer, silencing audio and vibrations, and keeping the screen awake.
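The permission pattern above (an enabled Accessibility service, SMS and call access, notification access, overlay permission, and a hidden launcher icon) can be checked from a USB-debugging session rather than by eye. The triage helper below is an added example, not code from Zimperium or TechRadar: it parses the output of a few standard adb commands and flags packages that combine several of those signals. The package names and the settings/dumpsys excerpts embedded in it are constructed to look like real device output, and the list of "risky" permissions is the editor's choice, not Zimperium's indicator list.

```python
"""Triage helper for the banking-trojan permission pattern described above.

Added example, not Zimperium's or TechRadar's code. The sample device state
below is constructed; on a real device the same strings come from:

  adb shell settings get secure enabled_accessibility_services
  adb shell settings get secure enabled_notification_listeners
  adb shell cmd package query-activities --brief \
      -a android.intent.action.MAIN -c android.intent.category.LAUNCHER
  adb shell dumpsys package <pkg>
"""
import re

# Permissions relevant to the behaviour described in the article (SMS
# interception, call blocking, overlays). Assumption: editor's choice.
RISKY_PERMS = {
    "android.permission.READ_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_CALL_LOG",
    "android.permission.ANSWER_PHONE_CALLS",
    "android.permission.SYSTEM_ALERT_WINDOW",
}


def parse_component_list(value: str) -> set:
    """Turn the colon-separated 'pkg/Class' list returned by
    `settings get secure ...` into a set of package names."""
    value = value.strip()
    if not value or value == "null":
        return set()
    return {entry.split("/", 1)[0] for entry in value.split(":") if entry}


def parse_launcher_packages(text: str) -> set:
    """Collect package names from `cmd package query-activities --brief`;
    component lines look like '  com.example.app/.MainActivity'."""
    return {line.strip().split("/", 1)[0]
            for line in text.splitlines() if "/" in line}


def granted_permissions(dumpsys_text: str) -> set:
    """Extract permissions marked granted=true from `dumpsys package` output."""
    return set(re.findall(r"(android\.permission\.[A-Z_]+): granted=true",
                          dumpsys_text))


def triage(a11y_value, listener_value, launcher_text, dumpsys_by_pkg):
    """Return {package: [signals]} for every package we have dumpsys text for."""
    a11y = parse_component_list(a11y_value)
    listeners = parse_component_list(listener_value)
    launchers = parse_launcher_packages(launcher_text)
    findings = {}
    for pkg, text in dumpsys_by_pkg.items():
        signals = []
        if pkg in a11y:
            signals.append("accessibility-service")
        if pkg in listeners:
            signals.append("notification-listener")
        if pkg not in launchers:           # icon hidden from the app drawer
            signals.append("no-launcher-icon")
        signals.extend(sorted(p.rsplit(".", 1)[1]
                              for p in granted_permissions(text) & RISKY_PERMS))
        findings[pkg] = signals
    return findings


def suspicious(findings, min_signals=3):
    """Accessibility access is mandatory; the count is a weight-of-evidence
    cut-off so a screen reader (1 signal) or messenger (2) is not flagged."""
    return sorted(pkg for pkg, sig in findings.items()
                  if "accessibility-service" in sig and len(sig) >= min_signals)


# Constructed sample device state (not from a real infection).
SAMPLE_A11Y = ("com.example.fakechrome/com.example.fakechrome.A11yService:"
               "com.example.screenreader/com.example.screenreader.ReaderService")
SAMPLE_LISTENERS = "com.example.fakechrome/com.example.fakechrome.NotifService"
SAMPLE_LAUNCHERS = """\
2 activities found:
  com.example.screenreader/.MainActivity
  com.example.messenger/.ConversationList
"""
SAMPLE_DUMPSYS = {
    "com.example.fakechrome": """\
    install permissions:
      android.permission.SYSTEM_ALERT_WINDOW: granted=true
      android.permission.INTERNET: granted=true
    runtime permissions:
      android.permission.READ_SMS: granted=true, flags=[ USER_SET]
      android.permission.RECEIVE_SMS: granted=true, flags=[ USER_SET]
      android.permission.READ_CALL_LOG: granted=true, flags=[ USER_SET]
""",
    "com.example.screenreader": """\
    install permissions:
      android.permission.INTERNET: granted=true
""",
    "com.example.messenger": """\
    runtime permissions:
      android.permission.READ_SMS: granted=true, flags=[ USER_SET]
      android.permission.RECEIVE_SMS: granted=true, flags=[ USER_SET]
      android.permission.READ_CALL_LOG: granted=false, flags=[ USER_SET]
""",
}


def demo_report():
    """Run the triage over the constructed sample state."""
    return triage(SAMPLE_A11Y, SAMPLE_LISTENERS, SAMPLE_LAUNCHERS, SAMPLE_DUMPSYS)


if __name__ == "__main__":
    report = demo_report()
    for pkg, sig in sorted(report.items()):
        print(f"{pkg}: {', '.join(sig) or 'nothing notable'}")
    print("suspicious:", suspicious(report))
```

On a real device, feed the four adb outputs into `triage` (one `dumpsys package` call per installed package) and review anything `suspicious` returns by hand; the cut-off is deliberately conservative, since a legitimate accessibility app with SMS access would also accumulate signals.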
It can also extract contact information and WhatsApp contacts, grab keystrokes, record the screen, block incoming calls, and send screenshots.
Banking trojans like Rokarolla usually target specific geographies and languages. Zimperium did not say which parts of the world were most at risk, or how many people were possibly infected. Users who install apps only from official repositories such as the Google Play Store or Galaxy Store are not exposed to this campaign as described, since it relies on spoofed websites, third-party stores, and social media for distribution.
Via BleepingComputer
Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.
View original source — TechRadar ↗


