Yet another Android banking Trojan is making the rounds, one that demonstrates an evolution in the typical malware of its kind by combining banking fraud capabilities with extensive device surveillance, remote control, and persistence mechanisms.
Researchers at Zimperium zLabs have discovered the malware, dubbed Rokarolla because of the name of its command-and-control (C2) infrastructure, being distributed through malicious websites, including hxxps[://]infocontablidades[.]it[.]com/, according to a report published today. The malware masquerades as legitimate applications such as Google Chrome and TikTok on these sites to fool mobile device users into downloading what they think is a legitimate app.
Like typical banking Trojans, the malware can compromise cryptocurrency and banking applications to steal credentials; in this case, it targets 217 distinct apps, according to the report. However, Rokarolla goes further than other malware of its kind: it uses what researchers call "a sophisticated suite of 137 commands" to take administrative control over an infected device, Zimperium researchers Vishnu Pratapagiri and Fernando Ortega wrote in the report.
"Its malicious capabilities include harvesting lock screen credentials, exfiltrating sensitive contact lists and SMS data, and utilizing keyloggers to continuously record user input," they wrote. The malware also makes the device virtually unusable by its owner, actively concealing its operations and disrupting user intervention by blocking incoming calls, deploying fraudulent screen overlays, suppressing device audio, and deactivating Google Play Protect, the researchers found.
Beyond Credential Theft
Banking Trojans are now a familiar fixture of the Android threat landscape, but Rokarolla demonstrates a new level of malicious activity for this class of malware, which typically settles for compromising financial and banking apps and stealing their credentials, or otherwise using them for the attacker's financial gain. While some malware of this type has allowed attackers to take over devices in the past, the takeover has rarely been as dramatic or as extensive as what Rokarolla provides, according to experts.
In this case, Rokarolla not only steals Android users' credentials for all their significant financial accounts, it also effectively isolates the victim, notes Jason Soroko, senior fellow at Sectigo, a provider of certificate life-cycle management (CLM).
"The Rokarolla Trojan shifts focus from credential theft to victim isolation," he tells Dark Reading via email. "Developers have combined screen overlays and access tools before, but this software surprises analysts by creating an information vacuum. The application blocks calls and intercepts texts to prevent banks from alerting users about fraud."