
A recently uncovered Android banking trojan named Rokarolla is creating a stir in the cybersecurity arena, proving to be more perilous than many threats we’ve encountered recently.

This malware is designed to seize complete control of an infected device while remaining entirely concealed from the user. Its reach is wide: it currently targets more than 217 banking and cryptocurrency apps.

Rokarolla propagates through deceptive websites that mislead users into downloading what seems to be a genuine application.

The malware disguises itself as popular applications such as TikTok or Google Chrome, so unsuspecting users install it without a second thought. Once it is on a device, a dropper component quietly installs the primary malicious payload in the background.

Analysts at Zimperium uncovered this threat through extensive technical scrutiny carried out by their zLabs team, with the results detailed in a report shared with Cyber Security News (CSN).

The trojan is actually named after its own command and control framework, providing researchers with a distinctive path to trace. The team discovered that the malware employs 137 unique commands to execute its functions on compromised devices.

Dropper installs the second stage while mimicking a legitimate application (Source – Zimperium)

The magnitude of Rokarolla’s capabilities is unsettling even for experienced security experts. It captures lock screen PINs and passwords through fraudulent overlays, quietly reads all SMS messages, and records every keystroke on the device.

All acquired data is transmitted to attacker-controlled servers without the victim ever realizing it has occurred. One of the most alarming features of this trojan is how thoroughly it conceals its presence.

It removes its app icon from the device drawer, silences all sounds and vibrations to conceal bank alert notifications, and even forces the screen to remain active to ensure its automated tasks are never interrupted. For those with sensitive financial applications on their smartphones, this threat should serve as a serious alert.

Hackers Exploit Rokarolla Android Malware

Rokarolla actively seeks to disable Android’s built-in security layer before establishing itself. It uses dedicated commands such as disable_google_play and protectorgoogle_disable to switch off Google Play Protect, leaving the device unable to detect further threats.

With that safeguard removed, the malware acquires an unobstructed path to execute its comprehensive array of harmful actions.


The trojan abuses Android’s Accessibility Services, a feature intended to assist users with disabilities, to interact with the screen on the attacker’s behalf.

It charts every UI component, tracks running applications, and superimposes counterfeit login screens over legitimate banking apps to capture credentials. When a user believes they are accessing their bank account, they are actually transmitting their information straight to the hacker.

Banker malware impersonating a legitimate app and requesting Accessibility Service (Source - Zimperium)

The malware further utilizes a snapshot-based screen monitoring technique rather than the more prevalent live screen streaming method. It captures screenshots at set intervals, compresses them, and sends them with timestamps to external servers.

This provides hackers with a nearly real-time perspective on everything occurring on the victim’s device.

Stealthy Data Exfiltration and Command Control Framework

Rokarolla poses significant threats when it comes to harvesting data beyond just login credentials. It intercepts SMS messages, including banking OTPs, disables incoming calls from financial organizations, and discreetly alters clipboard content to redirect cryptocurrency wallet addresses.

The attacker can redirect a payment without the victim ever noticing the substitution. The malware talks to its command and control servers over HTTPS so that its traffic blends in with normal web traffic.

Upon initial contact, it supplies a comprehensive device profile, comprising hardware specifics, battery condition, and storage stats, to create a distinct bot ID. The malware accommodates multiple backup domains and can swiftly alternate between them if one becomes blocked.

To stay safe, users should refrain from downloading applications from outside the legitimate Google Play Store and exercise extreme vigilance when granting Accessibility Service permissions to any software.

Maintaining current Android security updates and employing a mobile threat defense tool can greatly diminish the probability of infection from dangers like Rokarolla.

Indicators of Compromise (IoCs)

The following IoCs were published in the Zimperium zLabs analysis report.

| Type | Indicator | Description |
|------|-----------|-------------|
| URL | hxxps[://]infocontablidades[.]it[.]com/ | Main malware distribution website, posing as TikTok or Google Chrome |
| Domain | beralisvc[.]info | C2 fallback domain used for malware communication |
| Domain | blestorians[.]cfd | C2 fallback domain used for malware communication |
| Domain | abiorime[.]cfd | C2 fallback domain used for malware communication |
| Domain | morevoms[.]cfd | C2 fallback domain used for malware communication |

Note: IP addresses and domains have been deliberately defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Refang them only inside controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.
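As an added example (not code from the Zimperium report or this article), the script below refangs the defanged indicators from the table above and matches them against a small set of constructed DNS resolver log lines, flagging both exact hostname hits and subdomains of the listed C2 domains. The log format and timestamps are assumptions made for the example.

```python
import re

# Copy of the page's defanged IoC table (descriptions shortened), used as input.
IOC_TABLE = """\
URL hxxps[://]infocontablidades[.]it[.]com/ Main malware distribution website
Domain beralisvc[.]info C2 fallback domain
Domain blestorians[.]cfd C2 fallback domain
Domain abiorime[.]cfd C2 fallback domain
Domain morevoms[.]cfd C2 fallback domain
"""

def refang(value: str) -> str:
    """Reverse the report's defanging: [://] -> ://, [.] -> ., hxxp(s) -> http(s)."""
    value = value.replace("[://]", "://").replace("[.]", ".").replace("(.)", ".")
    return re.sub(r"^hxxp", "http", value, flags=re.IGNORECASE)

def parse_ioc_table(text: str) -> dict[str, str]:
    """Return {refanged hostname: indicator type} from 'Type Indicator Description' rows."""
    iocs = {}
    for line in text.splitlines():
        parts = line.split(maxsplit=2)
        if len(parts) < 2 or parts[0] not in ("URL", "Domain"):
            continue  # skip the header or malformed rows
        clean = refang(parts[1])
        host = re.sub(r"^https?://", "", clean).split("/")[0].lower()
        iocs[host] = parts[0]
    return iocs

# Constructed sample resolver log (assumed format; not real traffic).
DNS_LOG = """\
2024-05-01T10:02:11Z client=10.0.0.5 query=www.google.com type=A
2024-05-01T10:02:13Z client=10.0.0.5 query=infocontablidades.it.com type=A
2024-05-01T10:05:40Z client=10.0.0.9 query=cdn.example.net type=AAAA
2024-05-01T10:06:02Z client=10.0.0.5 query=api.blestorians.cfd type=A
"""

def find_hits(log: str, iocs: dict[str, str]) -> list[tuple[str, str, str]]:
    """Return (client, queried name, matched IoC) for names equal to or under an IoC host."""
    hits = []
    for line in log.splitlines():
        m = re.search(r"client=(\S+)\s+query=(\S+)", line)
        if not m:
            continue
        client, qname = m.group(1), m.group(2).lower().rstrip(".")
        for host in iocs:
            if qname == host or qname.endswith("." + host):
                hits.append((client, qname, host))
    return hits

if __name__ == "__main__":
    for client, qname, host in find_hits(DNS_LOG, parse_ioc_table(IOC_TABLE)):
        print(f"ALERT client={client} queried {qname} (matches IoC {host})")
```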
