Security researchers have uncovered a sophisticated new Android banking trojan dubbed "Rokarolla" that targets 217 banking and cryptocurrency applications, employing a multi-layered attack strategy designed to neutralize common user defenses and silently siphon funds.
The malware was analyzed in detail by researchers at Zimperium's zLabs team, who named it after its command-and-control (C2) infrastructure. According to their findings, Rokarolla goes well beyond simple credential harvesting — it combines several offensive techniques to operate largely undetected while victims remain unaware their accounts are being drained.
How Rokarolla Works
Rokarolla's attack chain begins with credential theft via convincing overlay screens that mimic legitimate banking and crypto wallet login pages. When a user opens a targeted app, the trojan displays a fake interface on top of it, capturing usernames, passwords, and other authentication details.
But the malware's capabilities extend far beyond phishing overlays. Rokarolla can intercept incoming SMS messages, allowing attackers to capture one-time passwords (OTP) and two-factor authentication codes that banks routinely send to verify transactions. It also actively blocks incoming calls — a feature specifically designed to prevent victims from receiving fraud alerts or verification calls from their financial institutions.
Additionally, the trojan can disable Google Play Protect, Android's built-in malware scanning feature, further reducing the likelihood that the device's security systems will flag or remove it.
Distribution and Infection Vectors
The malware spreads through malicious websites disguised as legitimate application downloads. Researchers identified at least one campaign in which Rokarolla was delivered via fake pages impersonating popular apps including TikTok and Google Chrome. Unsuspecting users who visit these sites and download what they believe are legitimate applications instead install the trojan.
A Growing Trend in Mobile Threats
Rokarolla represents an escalation in the sophistication of Android banking trojans. While individual capabilities like overlay attacks and SMS interception are not new, combining credential theft, call blocking, OTP interception, and security feature disabling within a single malware package makes Rokarolla particularly dangerous.
The targeting of both traditional banking applications and cryptocurrency wallets also reflects a broader trend among cybercriminal groups seeking to maximize the range of financial assets they can access. With 217 apps in its crosshairs, the trojan casts a wide net across multiple financial platforms and services.
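The point above is that the combination of capabilities, not any single one, is the warning sign. The following Python triage helper is an added example (not from Zimperium's report, and not Rokarolla's actual manifest): it reads a decoded AndroidManifest.xml and flags an app that stacks overlay, SMS, call-handling and accessibility capabilities at once; the permission-to-capability mapping and the sample manifest are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Namespace Android uses for android:name / android:permission attributes.
ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Assumed mapping from manifest permissions to the capability classes the
# article describes. A triage heuristic only; not taken from the malware.
CAPABILITY_PERMISSIONS = {
    "overlay": {"android.permission.SYSTEM_ALERT_WINDOW"},
    "sms_interception": {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS"},
    "call_blocking": {"android.permission.ANSWER_PHONE_CALLS", "android.permission.READ_PHONE_STATE"},
}
# A service guarded by this permission is an accessibility service, the usual
# lever a trojan uses to drive the UI and toggle settings such as Play Protect.
ACCESSIBILITY_PERMISSION = "android.permission.BIND_ACCESSIBILITY_SERVICE"


def capabilities_from_manifest(manifest_xml: str) -> set[str]:
    """Return the capability classes a decoded manifest declares."""
    root = ET.fromstring(manifest_xml)
    requested = {el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")}
    found = {cap for cap, perms in CAPABILITY_PERMISSIONS.items() if requested & perms}
    for svc in root.iter("service"):
        if svc.get(ANDROID_NS + "permission") == ACCESSIBILITY_PERMISSION:
            found.add("accessibility_service")
    return found


def triage(manifest_xml: str, threshold: int = 3) -> tuple[set[str], bool]:
    """Flag an app only when several capabilities co-occur; a single one
    (e.g. READ_PHONE_STATE in a dialer) is common in legitimate apps."""
    caps = capabilities_from_manifest(manifest_xml)
    return caps, len(caps) >= threshold


# Constructed sample manifest for a hypothetical app posing as a browser.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.fakebrowser">
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.ANSWER_PHONE_CALLS"/>
  <application>
    <service android:name=".A11y"
        android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
  </application>
</manifest>"""

if __name__ == "__main__":
    caps, suspicious = triage(SAMPLE_MANIFEST)
    print(sorted(caps), "REVIEW" if suspicious else "ok")
```

Run against a manifest decoded with apktool or aapt; the threshold is deliberately conservative so that ordinary dialer or messaging apps are not flagged on a single permission.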
Implications for Mobile Users
The discovery underscores the persistent and evolving threat facing mobile device users, particularly those who manage financial accounts through their smartphones. Users are advised to download applications only from official app stores, keep Google Play Protect enabled at all times, and remain cautious of unexpected login prompts or credential requests within applications they have already authenticated.
For security teams and IT professionals, Rokarolla serves as a reminder that mobile endpoints remain a prime target for financially motivated threat actors, and that layered defenses — including mobile threat detection solutions — are increasingly essential as attackers refine their toolkits.
Zimperium's full technical analysis provides indicators of compromise and further details on the malware's C2 infrastructure, which organizations can use to assess their exposure and update their defensive postures accordingly.