Mobile security firm Zimperium is warning Android users about Rokarolla, a new banking trojan capable of targeting more than 200 cryptocurrency and bank applications.
The malware has been distributed via malicious websites that serve it disguised as popular apps such as Chrome and TikTok. These applications deliver the main payload by impersonating Google Play Protect.
Once it has infected a device, Rokarolla requests a wide range of permissions and can even collect an Android phone’s lockscreen credentials (PIN, pattern, or password), enabling device takeover and the theft of sensitive data even when the phone is locked.
According to Zimperium, the trojan can steal data from 217 banking and cryptocurrency applications, leveraging screen overlays to phish credentials for these apps.
The malware can also harvest WhatsApp contact information by abusing Accessibility Services to capture the active screen’s structure. It can also exfiltrate SMS messages and hijack calls.
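For defenders triaging a suspicious APK, the capabilities listed above map to a small set of manifest declarations. The following sketch is an added example, not code from Zimperium or from the malware: it checks a decoded `AndroidManifest.xml` for those declarations and for a label that imitates one of the apps named in the article while using a different package name. The sample manifest is constructed, the three-capability threshold is an assumption, and labels are assumed to be literal strings rather than resource references.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"
P = "android.permission."

# Capability described in the article -> manifest permissions that enable it.
CAPABILITIES = {
    "screen overlay": {P + "SYSTEM_ALERT_WINDOW"},
    "accessibility service": {P + "BIND_ACCESSIBILITY_SERVICE"},
    "SMS access": {P + "READ_SMS", P + "RECEIVE_SMS"},
    "call handling": {P + "CALL_PHONE", P + "ANSWER_PHONE_CALLS"},
}
# Labels the article says are impersonated -> genuine package names.
GENUINE = {
    "chrome": {"com.android.chrome"},
    "tiktok": {"com.zhiliaoapp.musically", "com.ss.android.ugc.trill"},
    "google play protect": {"com.android.vending", "com.google.android.gms"},
}

# Constructed sample manifest (not taken from a real sample).
SAMPLE = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.constructed.updater">
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.CALL_PHONE"/>
  <application android:label="Chrome">
    <service android:name=".Svc"
        android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
  </application>
</manifest>"""

def triage(manifest_xml):
    root = ET.fromstring(manifest_xml)
    package = root.get("package", "")
    app = root.find("application")
    label = (app.get(ANDROID + "label", "") if app is not None else "").strip().lower()
    declared = {e.get(ANDROID + "name") for e in root.iter("uses-permission")}
    # Accessibility services are bound on <service>, not via <uses-permission>.
    declared |= {e.get(ANDROID + "permission") for e in root.iter("service")}
    caps = sorted(c for c, perms in CAPABILITIES.items() if perms & declared)
    impersonation = label in GENUINE and package not in GENUINE[label]
    # Assumed threshold: three or more of the listed capabilities together.
    return {"package": package, "capabilities": caps,
            "impersonation": impersonation,
            "flag": impersonation or len(caps) >= 3}

if __name__ == "__main__":
    print(triage(SAMPLE))
```

A flag here is a reason to inspect the APK further, not a verdict: legitimate apps also request some of these permissions.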










