Banker malware impersonating a legitimate app and requesting accessibility service
At a Glance
- Malware Family: Rokarolla Android banking trojan
- Threat Actor: Unknown
- Targets or Victims: 217 cryptocurrency and banking applications
- Scale: Unconfirmed number of global mobile users
- Jurisdiction or Status: Under active investigation
- Source: zLabs research team
TL;DR
The Rokarolla Android banking trojan executes a complete device takeover. It steals sensitive financial data through fake login overlays. Consequently, victims face severe risks to their cryptocurrency and bank accounts.
Delivery
Attackers distribute this threat through malicious websites that mimic legitimate software platforms, for example by posing as TikTok or Google Chrome application downloads. A dropper application begins the attack sequence by tricking the victim into installing a secondary payload that poses as the legitimate Google Play Protect service. That payload then requests extensive device permissions, specifically SMS access and notification handling, and victims who grant them unknowingly hand the trojan administrative control over their mobile devices.
Infection Chain
The infection begins when the user grants Accessibility Services access, which the Rokarolla Android banking trojan abuses immediately. First, it hides its application icon from the device app drawer so the victim cannot easily spot it. Next, it connects to a remote command server and retrieves the full list of targeted financial applications. The malware downloads fake HTML phishing pages for these specific apps and stores them in a local database for later use. When a victim opens a real banking app, the trojan displays the matching fake HTML page as an overlay, and this deceptive screen captures the user's credentials silently. The malware also creates a fake lock screen overlay, which lets attackers steal device PINs and unlock patterns.
Command-and-Control and Data-Exfiltration Behavior
The malware uses secure HTTPS connections for server communication. It sends basic device telemetry to generate a unique bot identifier. Operators can update the active command server dynamically. The trojan employs an unusual pseudo-VNC surveillance system. It takes rapid snapshots of the screen instead of casting video. The zLabs team notes, “The malware systematically captures screenshots of the victim’s device, compresses them into PNG format, and exfiltrates the image data.” The threat also acts as a persistent keylogger. It records all user keystrokes to steal passwords. Furthermore, it intercepts and reads incoming SMS messages. This capability allows attackers to bypass two-factor authentication security codes. The trojan can even send text messages on behalf of the victim.
Defense or Detection Guidance
This malware actively fights standard mobile device defenses. It attempts to disable Google Play Protect entirely upon installation, mutes device audio and turns off vibrations so that incoming phone calls from bank fraud departments go unnoticed, and forces the device screen to remain on indefinitely. Administrators should monitor for applications requesting the default SMS handler role. Users should avoid downloading apps from unofficial websites entirely and always review the permissions requested during any software installation.
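The infection chain and the guidance above name a handful of device-state indicators that a defender can check together: an Accessibility Service enabled for a sideloaded app, a hidden launcher icon, SMS permissions or the default SMS handler role held by an unexpected package, and Play Protect switched off. The following triage routine is an added example, not zLabs' code or an artifact from the report. The record layout, the allowlists, the constructed package name com.update.playprotect and the sample device inventory are all assumptions standing in for whatever an MDM agent or an `adb shell` inventory would actually return.

```python
"""
Triage heuristics for the Rokarolla-style indicators: Accessibility Service
abuse by a sideloaded app, hidden launcher icon, SMS permissions / default
SMS role, and Play Protect disabled.  Added example; field names and
allowlists are assumptions, not the report's data.
"""
from dataclasses import dataclass, field
from typing import Optional

# Assumed baseline for a managed fleet; populate from the MDM in practice.
EXPECTED_SMS_HANDLERS = {"com.google.android.apps.messaging"}
TRUSTED_INSTALLERS = {"com.android.vending"}            # Google Play Store
KNOWN_ACCESSIBILITY = {"com.google.android.marvin.talkback"}
SMS_PERMISSIONS = {"android.permission.READ_SMS",
                   "android.permission.RECEIVE_SMS",
                   "android.permission.SEND_SMS"}


@dataclass
class AppRecord:
    package: str
    installer: Optional[str]        # None: sideloaded (package installer or adb)
    has_launcher_activity: bool     # False once an app has hidden its icon
    permissions: set = field(default_factory=set)


@dataclass
class DeviceState:
    accessibility_services: set     # packages with an enabled accessibility service
    sms_role_holder: str            # current android.app.role.SMS holder
    play_protect_enabled: bool
    apps: list


def score_app(app, state):
    """Return the list of indicators present on a single app."""
    reasons = []
    if app.package in state.accessibility_services:
        reasons.append("accessibility service enabled")
    if app.installer not in TRUSTED_INSTALLERS:
        reasons.append("installed outside Play Store")
    if not app.has_launcher_activity:
        reasons.append("launcher icon hidden")
    if app.permissions & SMS_PERMISSIONS:
        reasons.append("holds SMS permissions")
    if state.sms_role_holder == app.package and app.package not in EXPECTED_SMS_HANDLERS:
        reasons.append("holds default SMS handler role")
    return reasons


def triage(state):
    """Map package (or '<device>') to the indicators worth raising an alert on."""
    findings = {}
    for app in state.apps:
        if app.package in KNOWN_ACCESSIBILITY or app.package in EXPECTED_SMS_HANDLERS:
            continue
        reasons = score_app(app, state)
        # Accessibility access is the pivot of the described chain, so it is
        # alerted only alongside a second indicator; an unexpected default
        # SMS handler is alerted on its own, as the guidance recommends.
        if ("accessibility service enabled" in reasons and len(reasons) >= 2) \
                or "holds default SMS handler role" in reasons:
            findings[app.package] = reasons
    if not state.play_protect_enabled:
        findings["<device>"] = ["Play Protect disabled"]
    return findings


# Constructed sample inventory: one suspicious sideloaded package next to
# ordinary Play-installed apps.  The package name is made up for the example.
SAMPLE_DEVICE = DeviceState(
    accessibility_services={"com.google.android.marvin.talkback", "com.update.playprotect"},
    sms_role_holder="com.update.playprotect",
    play_protect_enabled=False,
    apps=[
        AppRecord("com.google.android.marvin.talkback", "com.android.vending", True),
        AppRecord("com.google.android.apps.messaging", "com.android.vending", True,
                  set(SMS_PERMISSIONS)),
        AppRecord("com.example.bank", "com.android.vending", True,
                  {"android.permission.INTERNET"}),
        AppRecord("com.update.playprotect", None, False,
                  {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS"}),
    ],
)

CLEAN_DEVICE = DeviceState(
    accessibility_services={"com.google.android.marvin.talkback"},
    sms_role_holder="com.google.android.apps.messaging",
    play_protect_enabled=True,
    apps=SAMPLE_DEVICE.apps[:3],
)

if __name__ == "__main__":
    for subject, reasons in triage(SAMPLE_DEVICE).items():
        print(f"{subject}: {', '.join(reasons)}")
```

The thresholds are deliberately conservative: a single sideloaded app or a lone SMS permission is normal on many devices, so the routine alerts on the combination the report describes rather than on any one property, which keeps it usable as a fleet-wide sweep rather than a noisy per-app warning.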