Yet another Android banking Trojan is making the rounds, one that demonstrates an evolution of its kind by combining banking fraud capabilities with extensive device surveillance, remote control, and persistence mechanisms.

Researchers at Zimperium zLabs have discovered the malware, dubbed Rokarolla because of the name of its command-and-control (C2) infrastructure, being distributed through malicious websites, including hxxps[://]infocontablidades[.]it[.]com/, according to a report published today. The malware masquerades as legitimate applications such as Google Chrome and TikTok on these sites to fool mobile device users into downloading what they think is a legitimate app.

Like typical banking Trojans, the malware can compromise cryptocurrency and banking applications to steal credentials; in this case, it affects 217 distinct apps, according to the report. However, Rokarolla goes further than other malware of its kind in that it uses what researchers call “a sophisticated suite of 137 commands” to take administrative control over an infected device, Zimperium researchers Vishnu Pratapagiri and Fernando Ortega wrote in the report. 


“Its malicious capabilities include harvesting lock screen credentials, exfiltrating sensitive contact lists and SMS data, and utilizing keyloggers to continuously record user input,” they wrote. The malware also makes the device virtually unusable by its owner, actively concealing its operations and disrupting user intervention by blocking incoming calls, deploying fraudulent screen overlays, suppressing device audio, and deactivating Google Play Protect, the researchers found.

Beyond Credential Theft

Banking Trojans are now a familiar part of the Android threat landscape, but Rokarolla demonstrates a new level of malicious activity for this category, which typically settles for compromising financial and banking apps and stealing their credentials or otherwise using them for the attacker’s financial gain. While some malware of this type has allowed attackers to take over devices in the past, the takeover has rarely been as dramatic or as extensive as what Rokarolla provides, according to experts.

In this case, Rokarolla not only steals Android users’ credentials to all their significant financial accounts, it also effectively isolates the victim, notes Jason Soroko, senior fellow at Sectigo, a provider of certificate life-cycle management (CLM). 

“The Rokarolla Trojan shifts focus from credential theft to victim isolation,” he tells Dark Reading via email. “Developers have combined screen overlays and access tools before, but this software surprises analysts by creating an information vacuum. The application blocks calls and intercepts texts to prevent banks from alerting users about fraud.”


This strategy, which “represents an evolution in threats,” traps the user in an environment in which they still have their phone, but it’s out of their control, with the attacker dictating what information enters or leaves the device, Soroko says. “Attackers understand passwords fail against network security protocols,” he explains. “Criminals must commandeer the smartphone hardware to execute transactions. This methodology will expand as institutions improve defenses.”

Strategic Use of an Overlay

Rokarolla is able to achieve full device takeover by deploying a fraudulent overlay designed to closely mimic the legitimate Android lock screen interface, which allows malicious actors to execute commands even when the device is locked, the Zimperium researchers said. 

“Any credentials entered by the user are captured by this deceptive UI and subsequently exfiltrated to attacker-controlled infrastructure for further exploitation,” they wrote in the post.


This overlay is one of the final stages of an attack chain that begins with a dropper application that impersonates legitimate Android security components and installs a second-stage payload. The malware then abuses Accessibility Services and requests elevated permissions for SMS access, notifications, and device control.

Persistence and Evasion Tactics

Once active and effectively controlling the device, Rokarolla communicates with its C2 infrastructure over HTTPS, transmitting device telemetry and receiving instructions from operators. The malware supports multiple fallback domains and dynamic C2 updates, improving its resilience against takedowns, the researchers noted.

Rokarolla also demonstrates strong stealth, evasion, and persistence techniques designed to avoid detection and prevent user-initiated removal. To weaken system defenses, it actively attempts to disable security protections by targeting Google Play Protect, and it employs multiple techniques to operate completely under the radar, according to Zimperium.

In addition to hiding its icon from the device’s app drawer to avoid visual detection, the malware also mutes all device audio and vibrations, ensuring it operates in complete silence during fraudulent activities. “This audio suppression effectively masks critical cues, such as security alert notifications or incoming verification calls from banking institutions, significantly reducing the likelihood of the user noticing or interrupting the transaction process,” the researchers noted in the post.

Detecting and Avoiding Compromise

Given many organizations’ bring-your-own-device (BYOD) policies, mobile device threats are no longer just isolated events that affect the device user; they can spread to data held on corporate networks through compromise of mobile applications that are used at work or connected to the network.

To help defenders detect Rokarolla, Zimperium posted a list of indicators of compromise to a GitHub page (sign-in required). The researchers also included a complete list of MITRE Tactics and Techniques for the Rokarolla attack chain in Zimperium’s report. 

As a general rule, anyone using a mobile device — connected to a corporate network or otherwise — should avoid downloading applications from any website or online source other than Google Play or a reputable mobile app store, and they should be suspicious of any sites that promise non-branded downloads of popular applications.

Organizations should treat Android devices as full-fledged, high-risk endpoints rather than secondary or less-critical access points, says Boris Cipot, principal security engineer at Black Duck, a provider of application security solutions. “This means deploying mobile threat defense solutions that can detect behavioral anomalies such as overlay abuse, accessibility service misuse, and suspicious command-and-control communication, rather than relying solely on signature-based detection,” he tells Dark Reading via email.
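The behavioural combination described above (a sideloaded app that impersonates a well-known brand, enables an accessibility service, holds SMS and overlay permissions, and hides its launcher icon) can be expressed as a triage rule over a device inventory. The following is an added example, not code from Zimperium or the report; the `AppRecord` schema and the sample records are constructed assumptions, while the permission strings and the Google Play installer package name are real Android constants.

```python
from dataclasses import dataclass
from typing import List, Optional

# Real Android permission strings for the capabilities the report says the
# second-stage payload requests; installer package name for Google Play.
SMS_PERMS = {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS"}
OVERLAY_PERM = "android.permission.SYSTEM_ALERT_WINDOW"
PLAY_STORE = "com.android.vending"
GENUINE = {"Chrome": "com.android.chrome"}  # app label -> genuine package

@dataclass
class AppRecord:
    """One installed app as an inventory export might describe it (assumed schema)."""
    package: str
    label: str
    installer: Optional[str]      # None: sideloaded or unknown source
    permissions: set
    accessibility_enabled: bool   # listed in the enabled_accessibility_services setting
    has_launcher_icon: bool       # False: icon hidden from the app drawer

def indicators(app: AppRecord) -> List[str]:
    """Behavioural indicators from the report that this app exhibits."""
    hits = []
    if app.installer != PLAY_STORE:
        hits.append("sideloaded")
    if app.accessibility_enabled:
        hits.append("accessibility-service")
    if app.permissions & SMS_PERMS:
        hits.append("sms-access")
    if OVERLAY_PERM in app.permissions:
        hits.append("overlay")
    if not app.has_launcher_icon:
        hits.append("hidden-icon")
    genuine = GENUINE.get(app.label)
    if genuine and app.package != genuine:
        hits.append("impersonates " + genuine)
    return hits

def is_rokarolla_like(app: AppRecord) -> bool:
    """Flag the combination the report describes: a sideloaded app holding an
    accessibility service plus an interception channel (SMS or overlay)."""
    hits = set(indicators(app))
    return {"sideloaded", "accessibility-service"} <= hits and bool(hits & {"sms-access", "overlay"})

# Constructed sample inventory: one impostor, one genuine Chrome install.
FAKE_CHROME = AppRecord("com.update.service", "Chrome", None,
                        {"android.permission.READ_SMS", OVERLAY_PERM}, True, False)
REAL_CHROME = AppRecord("com.android.chrome", "Chrome", PLAY_STORE,
                        {"android.permission.INTERNET"}, False, True)
```

Running `is_rokarolla_like` over each record flags only the impostor, while `indicators` lists which of the report's behaviours drove that verdict.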

Another security measure they can take is to enforce strict policies that prevent sideloading and installation of apps from untrusted sources, as this remains a primary infection vector, Cipot says. Even as they secure mobile devices, however, organizations also should reduce their reliance on SMS-based authentication and instead adopt phishing-resistant multifactor authentication methods, he adds, “since malware like this is specifically designed to intercept OTPs [one-time passwords] and disrupt verification flows.”
