Rokarolla Android Malware Targets Banking and Crypto Users with Device Takeover Capabilities

by Anika Shah - Technology
Cybersecurity researchers have identified a new Android banking trojan dubbed “Rokarolla,” which leverages advanced accessibility service abuse to gain full control over infected devices. The malware specifically targets 217 different banking and cryptocurrency applications, enabling attackers to bypass multi-factor authentication and steal sensitive financial credentials, according to an analysis by Zimperium.

How Rokarolla compromises Android devices

Rokarolla functions by requesting extensive permissions through the Android Accessibility Service. Once a user grants these permissions—often under the guise of a legitimate software update or security patch—the malware gains the ability to intercept on-screen content, capture keystrokes, and interact with other applications on the user’s behalf.

According to BleepingComputer, the trojan is designed to monitor for the launch of specific financial applications. When a user opens a targeted banking or crypto app, the malware overlays a fake login screen to harvest credentials. By utilizing accessibility services, the malware can also read incoming SMS messages, effectively neutralizing two-factor authentication codes sent by banks to verify transactions.

Targeted applications and scope

The malware’s reach is significant, impacting a wide range of global financial institutions and digital asset platforms. Security analysts at Help Net Security report that the trojan’s configuration file includes 217 unique package names for banking and cryptocurrency apps. This list includes major retail banks and popular crypto exchanges, though researchers note that the specific targets can be updated remotely by the threat actors operating the botnet.

The strategy of using accessibility services to bypass security measures aligns with trends seen in other modern banking trojans, such as Xenomorph or SharkBot. However, Rokarolla distinguishes itself by its specific focus on maintaining persistence and minimizing the footprint required to exfiltrate data from a compromised device.

Steps to protect your financial data

Android users can reduce their risk of infection by adhering to strict application installation practices. Experts recommend the following security measures:

  • Avoid sideloading: Only download applications from the official Google Play Store. Sideloaded APKs are the primary delivery vector for this type of malware.
  • Restrict accessibility services: Periodically review your device settings under “Accessibility.” Disable permissions for any app that does not explicitly require them to function.
  • Enable Play Protect: Ensure Google Play Protect is active on your device to scan for malicious apps in real-time.
  • Monitor account activity: If you suspect your device is compromised, immediately change your banking passwords from a separate, secure device and contact your financial institution to monitor for unauthorized transactions.
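The accessibility review step above, as an added defender-side triage script that is not part of the original article: it parses the output of `adb shell settings get secure enabled_accessibility_services` and `adb shell pm list packages -i` (captured beforehand; the sample strings below are constructed) and flags any enabled accessibility service whose package was not installed from Google Play. The KNOWN_GOOD allowlist and the package names in the samples are assumptions.

```python
"""Flag enabled Android accessibility services that did not come from
Google Play. Constructed example; the inputs are assumed to be the raw
output of the two adb commands named in the lead-in."""

# Services that legitimately need accessibility access (assumption).
KNOWN_GOOD = {"com.google.android.marvin.talkback", "com.android.talkback"}
PLAY_STORE = "com.android.vending"

# Constructed sample captures, not taken from a real device.
SAMPLE_ENABLED = (
    "com.google.android.marvin.talkback/"
    "com.google.android.marvin.talkback.TalkBackService:"
    "com.example.fakeupdate/.OverlayService"
)
SAMPLE_INSTALLERS = """package:com.google.android.marvin.talkback  installer=com.android.vending
package:com.example.fakeupdate  installer=null
package:com.example.bank  installer=com.android.vending
"""


def parse_enabled_services(raw):
    """Split the colon-separated ComponentName list into (package, class)."""
    services = []
    for item in raw.strip().split(":"):
        if "/" not in item:
            continue
        pkg, cls = item.split("/", 1)
        if cls.startswith("."):  # short form ".Foo" expands to pkg.Foo
            cls = pkg + cls
        services.append((pkg, cls))
    return services


def parse_installers(raw):
    """Map package name -> installer (None when unknown, i.e. sideloaded)."""
    installers = {}
    for line in raw.splitlines():
        if not line.startswith("package:"):
            continue
        pkg, _, rest = line[len("package:"):].partition(" ")
        inst = rest.strip().removeprefix("installer=")
        installers[pkg] = None if inst in ("", "null") else inst
    return installers


def suspicious_services(enabled_raw, installers_raw):
    """Enabled services that are neither allowlisted nor Play-installed."""
    installers = parse_installers(installers_raw)
    return [(pkg, cls, installers.get(pkg))
            for pkg, cls in parse_enabled_services(enabled_raw)
            if pkg not in KNOWN_GOOD and installers.get(pkg) != PLAY_STORE]
```

Each finding is a (package, service class, installer) tuple; a sideloaded package with an enabled accessibility service is the pattern the article describes and is worth a manual look.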

While the threat is sophisticated, it relies heavily on social engineering to trick users into enabling the accessibility permissions necessary for the attack to succeed. Maintaining a vigilant approach to permission prompts remains the most effective defense against Rokarolla and similar mobile threats.
