Rokarolla : Android Banker with Complete Device Takeover Capabilities
Executive Summary
The zLabs research team has discovered Rokarolla, a newly identified Android banking trojan named after its Command and Control (C2) infrastructure. Primarily distributed through malicious websites such as hxxps[://]infocontablidades[.]it[.]com/, where it masquerades as popular applications like TikTok or Google Chrome, this highly invasive malware is specifically designed to target and compromise 217 distinct cryptocurrency and banking applications.
To facilitate undetected financial fraud, Rokarolla employs a sophisticated suite of 137 commands that grant it extensive administrative control over an infected device. Its malicious capabilities include harvesting lock screen credentials, exfiltrating sensitive contact lists and SMS data, and utilizing keyloggers to continuously record user input. Furthermore, the trojan actively conceals its operations and disrupts user intervention by blocking incoming calls, deploying fraudulent screen overlays, suppressing device audio, and deactivating Google Play Protect.
Technical Analysis
The infection chain begins with a dropper that, while masquerading as Google Play Protect, tricks the user into installing a second-stage payload containing the core banker (Figure 1).

Fig. 1: Dropper installs the second stage while impersonating a legitimate app
This staged installation lets the malware sidestep Android's restricted-settings controls, which normally block sideloaded apps from enabling accessibility services, after which it abuses Accessibility services to drive the device (Figure 2). It then prompts the victim for additional permissions, including access to SMS messages and notification handling (Figure 3).

Fig. 2: Banker malware impersonating a legitimate app and requesting accessibility service

Fig. 3: Malware requesting additional permissions
C2 communication
The malware communicates with its Command and Control (C2) infrastructure over HTTPS. Analysis of the captured network traffic shows that the malware first transmits basic device telemetry for analytics and victim identification; the server uses this data to derive a unique botID (Figure 4). After this initial beaconing, we observed an exchange of commands whose purpose is to extract more detailed device information, such as the permissions granted and the current operational status. To ensure operational resilience, the malware also carries several fallback domains and can switch its active C2 endpoint dynamically in response to remote configuration updates (Figure 5).
Fig.4: Basic device info sent to the server
Fig.5: List of domains malware can use for communication
Use of Overlays
Stealing device’s unlock credentials
The malware can harvest the device's unlock credentials, including PINs, patterns, and passwords, enabling attackers to gain unauthorized access to the device. It does so by deploying a fraudulent overlay that closely mimics the legitimate Android lock screen. Any credentials entered by the user are captured by this deceptive UI (Figure 6) and exfiltrated to attacker-controlled infrastructure. With the unlock secret in hand, the operator can unlock the device remotely and execute commands even while the device is locked and the victim is not using it.
Fig.6: Pin overlay on top of the victim’s screen
Hide background operations
Rokarolla deploys multiple overlay layers to obstruct user interaction, maintain control over the compromised device, and conceal its background activity. At the same time, it abuses Android's Accessibility Services to parse on-screen UI nodes and their coordinates, mapping them for subsequent automated interaction. Several commands rely on overlays, including <liveoverlay16>, <show_loading_overlay>, <sms_overlay_16>, and <call_overlay_16>. The complete command list can be found in the GitHub repository referenced in the IOC section.
During the installation phase, the malware displays full-screen overlays that simulate an installation process. Figure 7 illustrates one such overlay presented during the installation phase, where normal device interaction is completely suppressed by a deceptive foreground screen.

Fig.7: Installing update overlay on top of victim screen
Theft of Banking and Cryptocurrency credentials
To select its injection targets, the malware queries the <monitored_app_full> endpoint, which returns the list of targeted banking and cryptocurrency applications. Each entry in the response payload contains:
- Package Name: the targeted financial application.
- Status Value: controls whether the injection is triggered:
  - 0 (Inactive): the application is only monitored.
  - 1 (Active): overlay injection is enabled.
- URL: the path of the fake login page hosted on the C2 (Figure 8).
Fig.8: Status, URL and package names received from the server
The malware then reports the list of applications installed on the infected device through the <get_html_mapping> and <save_apps> endpoints. If an installed application appears in the target list with its status value set to 1, the malware downloads the corresponding HTML phishing payload (Figure 9) and stores it in its local SQLite database. When the victim launches the legitimate application, the malware retrieves the stored HTML and displays it as an overlay on top of the real application to capture banking credentials or credit card information.

Fig.9: Fake Overlay process of Imagin bank
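The following Python is an added model of the target-selection and overlay-lookup flow described above; it is not Rokarolla's code and the JSON key names, the sample packages, the URL paths and the in-memory "C2" dictionary are constructed assumptions chosen to match the fields the post names (package, status, URL). It shows the status semantics, the intersection with the installed-app list, the SQLite cache, and the lookup performed when a target app comes to the foreground, and it drops malformed target entries instead of failing on them.

```python
import json
import sqlite3

# Constructed sample of a <monitored_app_full> response. The post says each entry
# carries a package name, a 0/1 status and a URL; the JSON key names here are assumed.
SAMPLE_TARGET_LIST = json.dumps([
    {"package": "com.example.bank",     "status": 1, "url": "/inj/com.example.bank.html"},
    {"package": "com.example.wallet",   "status": 0, "url": "/inj/com.example.wallet.html"},
    {"package": "com.example.exchange", "status": 1, "url": "/inj/com.example.exchange.html"},
    {"package": "com.example.broken",   "status": "yes", "url": "/inj/broken.html"},  # malformed
])

# Constructed list of what the infected device would report via <save_apps>.
INSTALLED = ["com.android.chrome", "com.example.bank", "com.example.wallet"]

# Constructed stand-in for the C2's inject pages, keyed by URL path (offline, no network).
FAKE_C2_PAGES = {
    "/inj/com.example.bank.html": "<html><form id='login'>fake bank login</form></html>",
    "/inj/com.example.exchange.html": "<html><form id='login'>fake exchange login</form></html>",
}


def parse_target_list(raw):
    """Return {package: (status, url)}, keeping only well-formed entries.

    status must be exactly 0 or 1 (bool is excluded because True == 1 in Python);
    anything else is dropped so one bad row cannot abort the whole target list.
    """
    targets = {}
    for entry in json.loads(raw):
        pkg, status, url = entry.get("package"), entry.get("status"), entry.get("url")
        if not isinstance(pkg, str) or not isinstance(url, str):
            continue
        if isinstance(status, bool) or status not in (0, 1):
            continue
        targets[pkg] = (status, url)
    return targets


def select_injections(targets, installed):
    """Packages that are both installed and flagged active (status == 1)."""
    return sorted(p for p in installed if p in targets and targets[p][0] == 1)


def build_inject_db(targets, installed, fetch):
    """Fetch the inject page for every active target and cache it in SQLite, mirroring
    the local SQLite store the post describes. `fetch` maps a URL path to HTML (or None);
    here it is the offline dictionary above."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE injects (package TEXT PRIMARY KEY, html TEXT NOT NULL)")
    for pkg in select_injections(targets, installed):
        html = fetch(targets[pkg][1])
        if html is not None:
            conn.execute("INSERT OR REPLACE INTO injects VALUES (?, ?)", (pkg, html))
    conn.commit()
    return conn


def overlay_for(conn, launched_package):
    """What the overlay logic would show when `launched_package` comes to the foreground:
    the cached HTML for an active target, or None (no overlay) otherwise."""
    row = conn.execute(
        "SELECT html FROM injects WHERE package = ?", (launched_package,)
    ).fetchone()
    return row[0] if row else None


def run_demo():
    targets = parse_target_list(SAMPLE_TARGET_LIST)
    conn = build_inject_db(targets, INSTALLED, FAKE_C2_PAGES.get)
    return {
        "parsed": sorted(targets),
        "active": select_injections(targets, INSTALLED),
        "bank_overlay": overlay_for(conn, "com.example.bank"),
        "wallet_overlay": overlay_for(conn, "com.example.wallet"),
        "chrome_overlay": overlay_for(conn, "com.android.chrome"),
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

With the constructed data only com.example.bank ends up with a cached overlay: the wallet app is installed but has status 0, the exchange app is active but not installed, and the malformed entry is discarded by the parser.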
Silent Screen Monitoring and Data Theft
Whatsapp Contact Information
The malware abuses Android's Accessibility Services to capture the structure of the active screen. It compares the text of the visible UI nodes against a predefined list of WhatsApp interface terms (e.g., 'Chats', 'Calls', 'New group') and against standard time formats. This lets it recognise which WhatsApp screen is in the foreground and selectively extract sensitive data such as contact information (<get_contact>), as the following code snippet shows:

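As an added illustration of that heuristic (not the decompiled snippet from the post and not Rokarolla's code), the following Python runs it over a constructed accessibility node dump. The node tuples, the vocabulary set, the time regex and the row-matching rule are assumptions chosen to mirror the terms the post names; the contact names are fictitious.

```python
import re

# Vocabulary the post says the malware matches against (spelling and case assumed).
WHATSAPP_TERMS = {"chats", "calls", "status", "new group", "communities", "updates"}

# "Standard time formats" shown beside chat previews: 14:05, 2:05 PM, Yesterday.
TIME_RE = re.compile(r"^(?:\d{1,2}:\d{2}(?:\s?[AP]M)?|Yesterday)$", re.IGNORECASE)

# Constructed stand-in for a walk over AccessibilityNodeInfo: (text, bounds) per node,
# bounds = (left, top, right, bottom) in pixels.
CHAT_LIST_SCREEN = [
    ("WhatsApp",         (40, 80, 300, 140)),
    ("Chats",            (40, 200, 200, 240)),
    ("Calls",            (220, 200, 380, 240)),
    ("Alice Example",    (160, 300, 600, 340)),
    ("14:05",            (900, 300, 1040, 340)),
    ("See you tomorrow", (160, 345, 700, 380)),
    ("2",                (980, 345, 1040, 380)),   # unread badge on the preview row
    ("Bob Example",      (160, 420, 600, 460)),
    ("Yesterday",        (880, 420, 1040, 460)),
    ("Ok!",              (160, 465, 400, 500)),
    ("Carol Example",    (160, 540, 600, 580)),
    ("2:05 PM",          (860, 540, 1040, 580)),
    ("New group",        (40, 700, 260, 740)),
]
SETTINGS_SCREEN = [
    ("Settings", (40, 80, 300, 140)),
    ("Account",  (40, 200, 300, 240)),
    ("Chats",    (40, 260, 300, 300)),   # a single vocabulary hit is not enough
    ("Privacy",  (40, 320, 300, 360)),
]


def classify_screen(nodes, min_hits=2):
    """Label the screen 'whatsapp' when at least `min_hits` vocabulary terms are visible."""
    visible = {text.strip().lower() for text, _ in nodes if text}
    return "whatsapp" if len(WHATSAPP_TERMS & visible) >= min_hits else "other"


def _same_row(a, b):
    """True when two bounds rectangles overlap vertically."""
    return a[1] < b[3] and b[1] < a[3]


def extract_contacts(nodes):
    """Return contact names from a chat-list screen.

    A contact row is recognised by its timestamp node; the name is the non-vocabulary,
    non-time text node on the same row and to the left of the timestamp.
    """
    if classify_screen(nodes) != "whatsapp":
        return []
    names = []
    for i, (text, bounds) in enumerate(nodes):
        if not TIME_RE.match(text.strip()):
            continue
        for j, (other, obounds) in enumerate(nodes):
            if j == i or not other:
                continue
            label = other.strip()
            if TIME_RE.match(label) or label.lower() in WHATSAPP_TERMS:
                continue
            if _same_row(bounds, obounds) and obounds[2] <= bounds[0]:
                names.append(label)
                break
    return names


if __name__ == "__main__":
    print(classify_screen(CHAT_LIST_SCREEN), extract_contacts(CHAT_LIST_SCREEN))
    print(classify_screen(SETTINGS_SCREEN), extract_contacts(SETTINGS_SCREEN))
```

The same geometry rule is what a detection engineer can invert: an accessibility service that repeatedly walks the node tree of a messaging app and reads text next to timestamp-shaped strings is behaving like this collector rather than like a screen reader.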
SMS Stealing and Call Hijacking
The malware has the capability of exfiltrating all SMS messages from the infected device and can also send SMS on behalf of the victim, which can be used to intercept sensitive information such as bank OTPs. To achieve this, the following code is used:

Rokarolla can also block and intercept phone calls (<disable_calls>, <calls_block>, <enable_calls>), preventing the victim from receiving fraud alerts from their bank. To obtain these capabilities the malware requests the default SMS handler and default call handler roles (Android's RoleManager ROLE_SMS and ROLE_DIALER), which give it full read and send access to SMS and control over incoming calls without further per-message prompts.
Screen content theft and clipboard manipulation
To facilitate comprehensive data theft, the malware employs commands such as <start_keylogger>, <startuilogger>, and <textextract> to silently capture user keystrokes and harvest on-screen content. This capability allows attackers to record everything the victim types and views, enabling the extraction of sensitive information like passwords, private messages, and banking details. Furthermore, the malware engages in active data manipulation by transparently overwriting the device's clipboard without any user interaction. This tactic is frequently used to substitute cryptocurrency wallet addresses or other critical strings without the user's knowledge, directly facilitating financial theft and unauthorized data redirection.
Pseudo-VNC: Snapshot-Based Screen Surveillance
Unlike conventional Android malware that relies on the MediaProjection API for continuous screen casting (VNC), this variant uses a snapshot-based surveillance mechanism. The malware periodically captures a screenshot of the victim's device, encodes it as PNG, and exfiltrates the image data together with a precise timestamp. After each transmission it resets its execution state and runs a cleanup routine, so the capture loop stays stable and is ready for the next cycle.


Evasion and Persistence
The malware demonstrates strong stealth, evasion, and persistence techniques designed to avoid detection and prevent user-initiated removal. To reduce system defenses, it actively attempts to disable security protections by targeting Google Play Protect using commands such as <disable_google_play>, <protectorgoogle_disable>, and <open_google_play_protect>. Furthermore, the malware employs multiple techniques to operate completely under the radar. It initially hides its application icon from the device's app drawer to avoid visual detection. Complementing this visual evasion, the malware is capable of muting all device audio and vibrations, ensuring it operates in complete silence during fraudulent activities. This audio suppression effectively masks critical cues, such as security alert notifications or incoming verification calls from banking institutions, significantly reducing the likelihood of the user noticing or interrupting the transaction process.
To maintain operational persistence, the malware also forces the device screen to remain on indefinitely. This mechanism ensures that its fraudulent UI overlays, automated actions, and background processes are not disrupted by screen timeouts or the device locking.
Zimperium Protection
Rokarolla targets an expansive ecosystem of over 200 financial, cryptocurrency, and social media applications. By employing sophisticated evasion tactics, these threats are specifically engineered to circumvent legacy, signature-based mobile security solutions. However, Zimperium customers, utilizing both Mobile Threat Defense (MTD) and Runtime Application Protection (zDefend), remain protected against these evolving adversarial techniques.
Through its on-device, AI-Empowered detection engine, Zimperium identifies the core behavioral anomalies associated with this malware family. This includes the unauthorized abuse of Accessibility Services, and the tactical sideloading of malicious secondary payloads.
Furthermore, MTD provides a proactive layer by neutralizing the initial attack vector: Zimperium's web protection blocks traffic to the malicious domains and phishing infrastructure used in the social engineering phase, preventing the compromise before a foothold can be established. At the same time, zDefend provides an extensive set of detections aimed at fraudulent activities such as screen sharing and accessibility abuse.
MITRE ATT&CK Techniques
To help our customers and the industry understand the impact of this malware, Zimperium has compiled the following table containing the MITRE Tactics and Techniques as reference.
| Tactic | ID | Name | Description |
|---|---|---|---|
| Initial Access | T1660 | Phishing | Adversaries send malicious content to users in order to gain access to their device. |
| Persistence | T1624.001 | Event Triggered Execution: Broadcast Receivers | It creates a broadcast receiver to receive SMS events |
| Defense Evasion | T1655.001 | Masquerading: Match Legitimate Name or Location | Malware pretending to be the Google Play Update application |
| Defense Evasion | T1516 | Input Injection | Malware can mimic user interaction, perform clicks and various gestures, and input data |
| Defense Evasion | T1406.002 | Obfuscated Files or Information: Software Packing | It is using obfuscation and packers (JSONPacker) to conceal its code. |
| Credential Access | T1414 | Clipboard Data | It extracts data stored on the clipboard. |
| Credential Access | T1417.001 | Input Capture: Keylogging | It has a keylogger feature |
| Credential Access | T1417.002 | Input Capture: GUI Input Capture | It is able to get the shown UI. |
| Credential Access | T1517 | Access Notifications | Can listen to the notifications |
| Discovery | T1418 | Software Discovery | Malware collects installed application package list |
| Discovery | T1426 | System Information Discovery | The malware collects basic device info. |
| Collection | T1517 | Access Notifications | Reads the content of posted notifications, including incoming-message notifications |
| Collection | T1513 | Screen Capture | Malware can record screen content |
| Collection | T1429 | Audio Capture | Malware captures Audio recordings |
| Collection | T1616 | Call Control | Malware can disable and block calls on the device |
| Collection | T1636.004 | Protected User Data: SMS Messages | Steals SMS messages from the infected device |
| Collection | T1417.001 | Input Capture: Keylogging | Malware can capture keystrokes |
| Collection | T1417.002 | Input Capture: GUI Input Capture | It is able to get the shown UI. |
| Collection | T1414 | Clipboard Data | It has the ability to steal data from the clipboard. |
| Command and Control | T1637 | Dynamic Resolution | It receives the injected HTML payload endpoint dynamically from the server. |
| Exfiltration | T1646 | Exfiltration Over C2 Channel | Sending exfiltrated data over C&C server |
| Impact | T1616 | Call Control | Malware can make and block calls on the device |
| Impact | T1516 | Input Injection | It displays injected payloads such as a fake pattern lock and mimics banking app login screens through overlays to steal credentials. |
| Impact | T1582 | SMS Control | It can read and send SMS. |
IOC
Rokarolla's IOCs can be found in this GitHub repository.