Rokarolla trojan uses 137 commands to hijack 217 banking apps

bleepingcomputer.com · @threat_watch · 3 hours ago · Cybersecurity · 5 comments

Zimperium researchers have discovered a trojan that responds to 137 distinct commands and can steal credentials through phishing overlays on 217 financial apps.

Tags: rokarolla, zimperium, android malware, banking trojan, overlay phishing, mobile security

Rokarolla ships with 137 commands - more than many botnets - and targets 217 specific banking and cryptocurrency apps, according to Zimperium's analysis.

137 Commands, One Objective: Empty Your Accounts

Zimperium researchers cataloged every action Rokarolla can perform, from stealing SMS messages and contacts to keylogging and real-time screen recording. The command set includes blocking incoming calls and bank fraud alerts, copying clipboard contents, and taking periodic timestamped screenshots. That level of control gives operators near-complete remote control of an infected device; on Android this is delivered through the Accessibility service grant rather than root, so the device itself need not be compromised at the OS level.

Fake Chrome and TikTok Are the Delivery Vehicles

Rokarolla is not distributed through Google Play. It spreads through malicious websites that offer Google Chrome or TikTok APKs. During installation, the dropper impersonates Google Play Protect and prompts the user to install the bundled app. Once launched, it requests Accessibility service access, plus access to notifications, SMS, and calls. Zimperium notes that the malware hides its icon from the app drawer and keeps the screen awake to avoid suspicion. The Accessibility grant is the critical step: it lets the app read screen contents and inject taps, which is what the remaining commands rely on.

Overlay Phishing on 217 Apps

After checking the installed apps against its hardcoded target list, Rokarolla downloads a phishing overlay for each matching app. When the victim opens a targeted banking or crypto app, the malware draws a fake login screen over it that captures credentials, credit card numbers, and other financial data. Overlays also capture the lock-screen PIN or pattern, allowing attackers to operate the phone even while it is locked. Additional evasion: Rokarolla disables Google Play Protect, silences audio and vibration, and blocks user interaction by showing fake installation screens while it works.
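The two behaviours above, a sideloaded app holding an Accessibility grant and a target list matched against installed packages, are also what a defender can check for. The following is an added triage helper, not code from the article or from Zimperium: it parses text captured from a device with `adb shell pm list packages -3` and `adb shell settings get secure enabled_accessibility_services`, compares the installed set against a defender-curated watch list, and flags third-party packages that hold Accessibility access, especially those squatting on Chrome or Google namespaces. The sample device output, the `WATCHED_APPS` list and the package names are constructed for illustration.

```python
"""Offline Android triage for overlay-trojan indicators (added example).

Assumes two text captures from an attached device:
  adb shell pm list packages -3
  adb shell settings get secure enabled_accessibility_services
Everything below is constructed sample data; no real bank packages are named.
"""
from dataclasses import dataclass

# Constructed sample of `pm list packages -3` (third-party packages only).
PM_LIST_SAMPLE = """\
package:com.example.bankone
package:com.example.cryptowallet
package:com.android.chrome.update
package:com.example.notes
"""

# Constructed sample of the Accessibility setting. Android stores enabled
# services as colon-separated "package/ServiceClass" entries; an unset
# value prints as the literal string "null".
A11Y_SAMPLE = ("com.android.chrome.update/com.android.chrome.update.ControlService"
               ":com.example.notes/.ReadAloudService")

# Hypothetical defender-curated watch list standing in for the 217-app target
# list described in the article (placeholder names, not real apps).
WATCHED_APPS = {"com.example.bankone", "com.example.cryptowallet", "com.example.otherbank"}

# Namespaces a sideloaded third-party package has no business using; the
# dropper poses as Chrome, so look-alike package names are a red flag.
IMPERSONATED_PREFIXES = ("com.android.chrome", "com.google.android.")


def parse_pm_list(text):
    """Return the set of package names from `pm list packages` output.
    Handles both `package:name` and the `-f` form `package:/path.apk=name`."""
    pkgs = set()
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("package:"):
            continue
        rest = line[len("package:"):]
        pkgs.add(rest.rsplit("=", 1)[1] if "=" in rest else rest)
    return pkgs


def parse_accessibility_setting(text):
    """Map package -> set of enabled Accessibility service classes."""
    services = {}
    text = text.strip()
    if not text or text == "null":
        return services
    for entry in text.split(":"):
        if "/" not in entry:
            continue
        pkg, cls = entry.split("/", 1)
        services.setdefault(pkg, set()).add(cls)
    return services


@dataclass
class Triage:
    watched_installed: set    # high-value apps present, i.e. the overlay attack surface
    a11y_third_party: set     # sideloaded/third-party packages holding Accessibility
    impersonators: set        # a11y holders whose names mimic Chrome/Google


def triage(installed, a11y_services, watched):
    """Cross-reference installed packages, Accessibility grants and the watch list."""
    watched_installed = installed & watched
    a11y_third_party = {p for p in a11y_services if p in installed}
    impersonators = {p for p in a11y_third_party if p.startswith(IMPERSONATED_PREFIXES)}
    return Triage(watched_installed, a11y_third_party, impersonators)


def verdict(result):
    """'high' when a name-squatting app holds Accessibility and targets exist,
    'medium' for any third-party Accessibility holder, else 'low'."""
    if result.impersonators and result.watched_installed:
        return "high"
    if result.a11y_third_party:
        return "medium"
    return "low"


if __name__ == "__main__":
    installed = parse_pm_list(PM_LIST_SAMPLE)
    a11y = parse_accessibility_setting(A11Y_SAMPLE)
    result = triage(installed, a11y, WATCHED_APPS)
    print(f"verdict={verdict(result)} watched={sorted(result.watched_installed)} "
          f"a11y={sorted(result.a11y_third_party)} impersonators={sorted(result.impersonators)}")
```

A "medium" hit is not proof of infection: screen readers and automation tools legitimately hold Accessibility access, so the list of third-party grant holders is a review queue, not a verdict. What raises it to "high" is the combination the article describes, a package masquerading under a Chrome or Google namespace that also has Accessibility, on a device where watched financial apps are installed.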

Why This Matters for Android Security

Rokarolla's command set is publicly available on Zimperium's GitHub for defenders to study. The malware's ability to defeat SMS-based two-factor authentication, by stealing the one-time codes and suppressing the bank's fraud alerts that would otherwise tip off the victim, makes it a serious threat for mobile banking users; app-based or hardware authenticators are not exposed in the same way. With 137 commands and a target list of 217 apps, expect this payload to evolve as operators refine their financial fraud playbook.


Source: New Rokarolla Android malware targets 217 banking, crypto apps
Domain: bleepingcomputer.com
