A new banking trojan named 'Rokarolla' has been identified by mobile security firm Zimperium, targeting over 200 cryptocurrency and banking applications on Android devices. Distributed via malicious websites disguised as popular apps, Rokarolla impersonates Google Play Protect to deliver its payload. Once installed, it requests extensive permissions and can capture device lock credentials, allowing for theft of sensitive information even while the device is locked.
The malware can exfiltrate data through phishing screens, steal WhatsApp contacts, harvest SMS messages, and hijack calls, and it includes keylogger functionality to track user inputs. It employs stealth techniques such as hiding its app icon, muting notifications, and capturing screenshots without the user's knowledge, making detection challenging.