GoKawiilA new Android banking trojan named Rokarolla is targeting 217 banking and cryptocurrency applications using an extensive set of 137 commands.
The malware is distributed via malicious websites purporting to provide the Google Chrome or TikTok app, and can take complete administrative control of a compromised device.
Its capabilities include stealing lock screen credentials, contact lists, and SMS data, as well as using keyloggers to continuously record user input.
During the installation process, the malicious app acts as a dropper and impersonates Google Play Protect, Android’s built-in anti-malware system, offering users the option to install Chrome or TikTok, which include the Rokarolla malware.
When launched on the device, Rokarolla requests Accessibility service permissions, as well as access to notifications, SMS, and calls, researchers at mobile security company Zimperium reveal in a report today.
The installation process
Source: Zimperium
Communication with the command-and-control (C2) server begins with sending a basic device profile containing details such as the phone model, installed Android version, locale, display characteristics, battery level, storage capacity, and available RAM.
According to Zimperium, this information is used to generate a unique identifier for each victim in the Rokarolla campaign.
Zimperium says the malware’s primary objective appears to be the theft of financial information. To achieve this, it checks the infected device against a list of 217 targeted applications and then downloads the phishing payload corresponding to any matching apps.
... continue reading