Rokarolla : Android Banker with Complete Device Takeover Capabilities

Rokarolla is a newly identified Android banking trojan that spreads through malicious websites, impersonates popular apps, and targets 217 banking and cryptocurrency applications. It uses 137 commands, deceptive overlays, keylogging, SMS theft, call blocking, and dynamic C2 infrastructure to steal credentials and enable financial fraud.

Keypoints

  • Rokarolla is a newly discovered Android banking trojan named after its command-and-control infrastructure.
  • It is spread via malicious websites that impersonate trusted apps such as TikTok and Google Chrome.
  • The malware targets 217 banking and cryptocurrency applications and uses phishing overlays to steal credentials.
  • Rokarolla supports 137 commands, giving attackers extensive control over infected devices.
  • It can harvest lock screen PINs, patterns, and passwords, as well as SMS messages, contacts, clipboard data, and keystrokes.
  • The trojan blocks calls, suppresses audio, hides its app icon, disables Google Play Protect, and keeps the screen awake to avoid detection.
  • It uses HTTPS-based C2 communication with fallback domains and can dynamically update its active endpoint.

MITRE Techniques

  • [T1660 ] Phishing – Uses malicious sites and fake app lures to infect victims (‘distributed through malicious websites’ and ‘masquerades as popular applications like TikTok or Google Chrome’)
  • [T1624.001 ] Event Triggered Execution: Broadcast Receivers – Creates receivers to monitor SMS-related events (‘creates a broadcast receiver to receive SMS events’)
  • [T1655.001 ] Masquerading: Match Legitimate Name or Location – Pretends to be legitimate apps and Google Play Protect (‘masquerading as Google Play Protect’ and ‘pretending to be the Google Play Update application’)
  • [T1516 ] Input Injection – Uses overlays and automated interaction to mimic user actions and steal data (‘mimic user interaction, perform clicks and various gestures’ and ‘displays inject payloads like pattern lock’)
  • [T1406.002 ] Obfuscated Files or Information: Software Packing – Conceals code using packing/obfuscation (‘using obfuscation and packers (JSONPacker) to conceal its code’)
  • [T1414 ] Clipboard Data – Reads and overwrites clipboard contents (‘extracts data stored on the clipboard’ and ‘overwriting the device’s clipboard’)
  • [T1417.001 ] Input Capture: Keylogging – Records everything typed by the victim (‘start_keylogger’ and ‘it has a keylogger feature’)
  • [T1417.002 ] Input Capture: GUI Input Capture – Captures visible UI content and screen elements (‘get the shown UI’ and ‘parse on-screen UI nodes and coordinates’)
  • [T1517 ] Access Notifications – Monitors notifications and SMS-related alerts (‘can listen to the notifications’ and ‘monitor incoming SMS messages’)
  • [T1418 ] Software Discovery – Collects installed application package lists (‘Malware collects installed application package list’)
  • [T1426 ] System Information Discovery – Gathers device telemetry and hardware details (‘Malware collects basic device info’)
  • [T1513 ] Screen Capture – Captures screenshots and screen content (‘Malware can record screen content’ and ‘captures screenshots of the victim’s device’)
  • [T1429 ] Audio Capture – Captures audio recordings (‘Malware captures Audio recordings’)
  • [T1616 ] Call Control – Blocks, disables, and manages calls (‘disable calls’, ‘calls_block’, ‘enable_calls’, and ‘can block call in the device’)
  • [T1636.004 ] Protected User Data: SMS Messages – Exfiltrates SMS messages from the device (‘Steals SMSs from the infected device’)
  • [T1637 ] Dynamic Resolution – Retrieves injected HTML payload endpoints dynamically (‘it receives the injected HTML payload endpoint dynamically from the server’)
  • [T1646 ] Exfiltration Over C2 Channel – Sends stolen data to attacker-controlled infrastructure (‘Sending exfiltrated data over C&C server’)
  • [T1582 ] SMS Control – Reads and sends SMS messages (‘It can read and send SMS’)

Indicators of Compromise

  • [URL ] Malicious distribution sites used to deliver Rokarolla – hxxps[://]infocontablidades[.]it[.]com/, hxxps[://]beralisvc[.]info
  • [Domain ] Fallback C2 domains used for communication – blestorians.cfd, abiorime.cfd
  • [Domain ] Additional C2 domain listed in remote config – morevoms.cfd
  • [Endpoint / command names ] Commands and overlay functions observed in the malware – monitored_app_full, get_html_mapping, save_apps
  • [Endpoint / command names ] Overlay and device-control commands – disable_google_play, open_google_play_protect, disable_calls
  • [Endpoint / command names ] Keylogging and extraction commands – start_keylogger, startuilogger, textextract
  • [Data / artifact ] C2 response and bot identification fields – botId d4eddf15c5dfe39b, appVersion 1.0
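The indicators above are enough for a first-pass hunt. The script below is an added example written for this page, not code from Zimperium or from the malware analysis. It refangs the published IOCs, matches the host field of proxy-style log lines against the distribution and C2 domains (including subdomains, since the fallback domains may be fronted by arbitrary hostnames), and counts how many of the listed command names appear in a strings dump taken from a suspect APK. The log line format, the strings dump, and the three-token triage threshold are assumptions; the indicator values are the ones listed on this page.

```python
"""Hunt for Rokarolla indicators in proxy/DNS logs and in strings dumped from an APK.

Added example for this page (not from the Zimperium write-up). Indicator values are
the ones listed above; the log lines and string dump are constructed sample input.
"""
import re
from urllib.parse import urlsplit

# Network indicators from this page, kept defanged exactly as published.
DEFANGED_IOCS = [
    "hxxps[://]infocontablidades[.]it[.]com/",
    "hxxps[://]beralisvc[.]info",
    "blestorians[.]cfd",
    "abiorime[.]cfd",
    "morevoms[.]cfd",
]

# C2 command names listed on this page, used to triage a strings dump.
COMMAND_TOKENS = [
    "monitored_app_full", "get_html_mapping", "save_apps",
    "disable_google_play", "open_google_play_protect", "disable_calls",
    "start_keylogger", "startuilogger", "textextract",
]


def refang(ioc: str) -> str:
    """Turn hxxps[://]host[.]tld into https://host.tld."""
    return ioc.replace("hxxp", "http").replace("[://]", "://").replace("[.]", ".")


def ioc_host(ioc: str) -> str:
    """Extract the lowercased hostname from a refanged URL or a bare domain."""
    s = refang(ioc)
    if "://" not in s:
        s = "//" + s  # urlsplit only parses a netloc when a scheme-less '//' prefix is present
    return urlsplit(s).hostname.lower()


IOC_HOSTS = {ioc_host(i) for i in DEFANGED_IOCS}


def host_matches(host: str) -> bool:
    """True if host equals an indicator or is a subdomain of one (never a mere suffix)."""
    host = host.lower().rstrip(".")
    return any(host == h or host.endswith("." + h) for h in IOC_HOSTS)


def scan_log(lines):
    """Return (line_no, host) for each line whose host= field matches an IOC.

    Assumed line format: 'TIMESTAMP client=IP host=HOST method=...'.
    """
    hits = []
    for n, line in enumerate(lines, 1):
        m = re.search(r"\bhost=(\S+)", line)
        if m and host_matches(m.group(1)):
            hits.append((n, m.group(1)))
    return hits


def triage_strings(dump: str, threshold: int = 3):
    """Return (sorted command names found, flagged) for a strings dump.

    The threshold is an assumption: several of these names together are a much
    stronger signal than any single generic-looking token such as save_apps.
    """
    found = sorted(t for t in COMMAND_TOKENS if t in dump)
    return found, len(found) >= threshold


# Constructed sample input (not real telemetry).
SAMPLE_LOG = [
    "2024-01-01T10:00:00Z client=10.0.0.5 host=www.example.com method=GET",
    "2024-01-01T10:00:05Z client=10.0.0.5 host=infocontablidades.it.com method=GET",
    "2024-01-01T10:02:10Z client=10.0.0.7 host=api.blestorians.cfd method=POST",
    "2024-01-01T10:03:00Z client=10.0.0.7 host=notblestorians.cfd method=POST",
]

SAMPLE_STRINGS = "save_apps\nstart_keylogger\nokhttp3\ndisable_calls\n"

if __name__ == "__main__":
    print(scan_log(SAMPLE_LOG))            # [(2, 'infocontablidades.it.com'), (3, 'api.blestorians.cfd')]
    print(triage_strings(SAMPLE_STRINGS))  # (['disable_calls', 'save_apps', 'start_keylogger'], True)
```

The subdomain check deliberately requires a dot boundary so that a look-alike such as notblestorians.cfd does not match; when hunting on DNS logs rather than proxy logs, feed the queried name through the same host_matches function.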


Read more: https://zimperium.com/blog/rokarolla-android-banker-with-complete-device-takeover-capabilities