Rokarolla: The New Malware Targeting 217 Banking and Crypto Apps on Android
An advanced trojan steals credentials and financial data from users worldwide
June 23, 2026

TL;DR: Rokarolla is an Android trojan that attacks 217 banking and cryptocurrency apps, stealing credentials via overlay and accessibility access. It spreads through fake apps. Users are advised to update their system and avoid installations outside Google Play.
What happened?
Security researchers have discovered a new Android banking trojan named Rokarolla, capable of compromising 217 banking and cryptocurrency applications. According to TechRadar, the malware spreads through fake apps and uses overlay techniques to capture credentials, while also abusing accessibility services to intercept SMS messages and perform unauthorized transactions. This finding adds to the growing list of mobile threats, such as the well-known Xenomorph or Anatsa, which also targeted financial apps. However, Rokarolla stands out for its ability to simultaneously attack 217 apps, a number surpassing many previous trojans. The sample was first detected in July 2024, and active distribution has been observed in regions of Europe and Latin America.
Why is it important?
This malware represents a significant threat because it specifically targets financial and crypto apps, a growing sector with users handling high-value digital assets. According to Chainalysis data, the cryptocurrency market exceeded $1.5 trillion in market capitalization in 2024, making it an attractive target for cybercriminals. Additionally, its ability to evade initial detection through obfuscation techniques and its sophistication in abusing accessibility services make it a real danger to mobile security. Unlike other trojans such as Cerberus or EventBot, which focused on specific regions, Rokarolla has a broad geographic reach, affecting users in multiple countries, including the United States, United Kingdom, Germany, and Spain. This is because the fake apps distributing it are promoted through phishing campaigns and malicious ads on social media, without geographic limitation.
Consequences and recommendations
Consequences for users can include fund theft, exposure of personal data, and compromise of bank accounts. In the case of cryptocurrencies, once the malware obtains private keys or exchange credentials, funds can be transferred to wallets controlled by attackers, with little chance of recovery. To protect yourself, the following steps are recommended:
- Keep the operating system and applications updated. Google has patched several accessibility vulnerabilities in recent Android versions, but many devices still do not receive updates.
- Download apps only from Google Play and verify requested permissions. Rokarolla often disguises itself as productivity or utility apps, such as document scanners or flashlights.
- Be wary of suspicious messages or links that ask to install apps, especially if they come from unverified sources.
- Use recognized mobile security solutions, such as those from Kaspersky or Bitdefender, which have already updated their databases to detect this threat.
Financial institutions and cryptocurrency exchanges should strengthen their authentication and monitoring systems to detect anomalous activity. For example, they should implement app-based two-factor authentication (like Google Authenticator) instead of SMS, since SMS codes are vulnerable to interception by Rokarolla. Additionally, they should educate their users about the risks and promote the use of additional security measures.
Technical context
Rokarolla is classified as a banking trojan that, once installed, requests accessibility permissions. With these, it can read notifications, perform automatic clicks, and overlay fake windows on legitimate apps. Additionally, it can intercept SMS messages used for two-step verification, allowing it to bypass SMS-based two-factor authentication. According to researchers' analysis, the malware uses a C2 (command and control) server to receive instructions and exfiltrate data. It communicates over HTTPS to evade network detection. Rokarolla can also download and install additional modules, allowing it to update its capabilities in real time. This makes it more dangerous than static trojans like Alien, which had a fixed set of functionalities. The malware is primarily distributed through third-party websites and phishing campaigns, although variants delivered inside repackaged legitimate apps have also been detected.
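An added example, not from the original article or the researchers' analysis: a triage check over a decoded AndroidManifest.xml (for instance as produced by apktool) that flags the accessibility, overlay, SMS and module-install combination described above. The sample manifests, package names and verdict thresholds are constructed assumptions.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"
A11Y_BIND = "android.permission.BIND_ACCESSIBILITY_SERVICE"
# Behaviours the article attributes to Rokarolla -> permissions they require.
CAPABILITIES = {
    "overlay": {"android.permission.SYSTEM_ALERT_WINDOW"},
    "sms_intercept": {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS"},
    "module_install": {"android.permission.REQUEST_INSTALL_PACKAGES"},
}

def triage_manifest(manifest_xml):
    """Map a decoded AndroidManifest.xml to capabilities and a triage verdict."""
    root = ET.fromstring(manifest_xml)
    requested = {p.get(ANDROID + "name") for p in root.iter("uses-permission")}
    found = {cap for cap, perms in CAPABILITIES.items() if perms & requested}
    # An accessibility service is a <service> guarded by BIND_ACCESSIBILITY_SERVICE.
    if any(s.get(ANDROID + "permission") == A11Y_BIND for s in root.iter("service")):
        found.add("accessibility")
    # Heuristic (assumption): accessibility combined with overlay or SMS access
    # is the pairing worth escalating; any single capability gets a manual look.
    if "accessibility" in found and found & {"overlay", "sms_intercept"}:
        verdict = "escalate"
    elif found:
        verdict = "review"
    else:
        verdict = "ok"
    return {"package": root.get("package"), "capabilities": sorted(found), "verdict": verdict}

# Constructed sample manifests (not taken from any real app or sample).
NS = 'xmlns:android="http://schemas.android.com/apk/res/android"'
FLASHLIGHT = f"""<manifest {NS} package="com.example.flashlight">
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <application>
    <service android:name=".HelperService" android:permission="{A11Y_BIND}"/>
  </application>
</manifest>"""
NOTES = f"""<manifest {NS} package="com.example.notes">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application/>
</manifest>"""

if __name__ == "__main__":
    for sample in (FLASHLIGHT, NOTES):
        print(triage_manifest(sample))
```

Legitimate tools such as password managers can also pair accessibility with overlay, so an "escalate" verdict is a prompt for manual analysis, not a detection.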
"The Rokarolla malware is a reminder that mobile security must be a priority, especially for those handling crypto assets. The sophistication of these attacks underscores the need for a defense-in-depth approach that includes both technical measures and user education." — Analyst at TheVortiq
In conclusion, Rokarolla represents an evolution in the mobile banking trojan landscape, with a reach and capabilities that make it a serious threat. Collaboration between security researchers, device manufacturers, and financial entities will be key to mitigating its impact. Users must remain vigilant and adopt best security practices to protect their digital assets.