
Rokarolla Android Banker with Complete Device Takeover Capab...#2387

Open
carlospolop wants to merge 1 commit into master from update_Rokarolla_Android_Banker_with_Complete_Device_Ta_d0886400aa40605a

Conversation

@carlospolop

Collaborator

🤖 Automated Content Update

This PR was automatically generated by the HackTricks News Bot based on a technical blog post.

📝 Source Information

🎯 Content Summary

Rokarolla Android Banker with Complete Device Takeover Capabilities

Zimperium zLabs analyzes Rokarolla, a newly identified Android banking trojan named after its Command and Control infrastructure. It is distributed through malicious websites such as hxxps[://]infocontablidades[.]it[.]com/, where it masquerades as popular apps such as TikTok or Google Chrome. The malware is designed to compromise an ecosystem of more than...

🔧 Technical Details

Dropper-assisted permission escalation through social engineering: A malicious Android dropper can impersonate a trusted security/update component, such as Google Play Protect or Google Play Update, to convince the user to install a second-stage payload and grant dangerous permissions. Once the payload receives Accessibility access, it can inspect UI nodes, read visible text, map coordinates, automate gestures/clicks, and drive later phishing or fraud workflows without needing a kernel exploit.


Fake lock-screen overlay credential theft: Android malware can display a full-screen overlay that visually imitates the legitimate lock screen. The victim enters a PIN, pattern, or password into the fake UI, and the malware captures and exfiltrates it. This lets an attacker continue controlling the device even if it locks later, because the device unlock secret has already been stolen.


Remote-controlled banking overlay injection:...

🤖 Agent Actions

Done.

Updated:

  • src/generic-methodologies-and-resources/basic-forensic-methodology/android-malware-post-exploitation.md

Added concise, non-duplicative coverage for:

  • default SMS / call-role hijack via overlays + Accessibility
  • SQLite-backed package → phishing HTML mapping
  • WhatsApp-style semantic Accessibility parsing
  • screenshot-loop pseudo-VNC without MediaProjection
  • dynamic C2 rotation + Play Protect targeting

Also added references:

  • Zimperium Rokarolla blog
  • Zimperium Rokarolla commands

Validation:

  • reviewed diff
  • checked file structure / references with a script
  • mdbook build could not be run because mdbook is not installed in this environment

This PR was automatically created by the HackTricks Feed Bot. Please review the changes carefully before merging.
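Defender-side triage for the Accessibility abuse described in the bot's summary above, as an added example that is not part of the PR or of the Zimperium write-up: it parses the colon-separated value that `adb shell settings get secure enabled_accessibility_services` returns and prints every enabled service whose package is not on an analyst allowlist. The sample setting value, the `com.example.fakechrome` package and the allowlist contents are constructed for illustration.

```shell
#!/bin/sh
# Added triage helper (not from the PR or the Zimperium post).
# Android stores the enabled Accessibility services in Settings.Secure as a
# colon-separated list of "package/ServiceClass" entries, which is what
#   adb shell settings get secure enabled_accessibility_services
# prints ("null" when nothing is enabled). Any entry whose package is not on
# the analyst's allowlist is a candidate for dropper-granted Accessibility
# access and deserves a closer look.

# Constructed sample output; the second package name is made up to stand in
# for a "Chrome"-lookalike dropper payload.
SAMPLE_ENABLED='com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:com.example.fakechrome/com.example.fakechrome.AccessService'

# Packages the analyst has decided may legitimately hold Accessibility access
# (assumption; tune per fleet).
ALLOWLIST='com.google.android.marvin.talkback
com.android.settings'

# flag_unknown_accessibility_services ENABLED_VALUE ALLOWLIST
# Prints one "package/ServiceClass" line per enabled service whose package is
# absent from ALLOWLIST; prints nothing when the setting is empty or "null".
flag_unknown_accessibility_services() {
    enabled="$1"
    allow="$2"
    if [ -z "$enabled" ] || [ "$enabled" = "null" ]; then
        return 0
    fi
    printf '%s\n' "$enabled" | tr ':' '\n' | while IFS= read -r entry; do
        [ -n "$entry" ] || continue          # tolerate trailing/doubled colons
        pkg="${entry%%/*}"                   # package is the part before "/"
        if ! printf '%s\n' "$allow" | grep -qxF -- "$pkg"; then
            printf '%s\n' "$entry"
        fi
    done
}

# Stand-alone run: lists the suspicious entry from the constructed sample.
flag_unknown_accessibility_services "$SAMPLE_ENABLED" "$ALLOWLIST"
```

On a live device or a forensic image, feed the function the real setting value and extend the allowlist with the accessibility tools your fleet actually deploys.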

@carlospolop

Collaborator Author

🔗 Additional Context

Original Blog Post: https://zimperium.com/blog/rokarolla-android-banker-with-complete-device-takeover-capabilities

Content Categories: Based on the analysis, this content was categorized under "Mobile Pentesting > Android Applications Pentesting > Accessibility Services Abuse; also relevant to Basic Forensic Methodology > Android Malware Post-Exploitation and Phishing Methodology > Mobile Phishing Malicious Apps".

Repository Maintenance:

  • MD Files Formatting: 977 files processed

Review Notes:

  • This content was automatically processed and may require human review for accuracy
  • Check that the placement within the repository structure is appropriate
  • Verify that all technical details are correct and up-to-date
  • All .md files have been checked for proper formatting (headers, includes, etc.)

Bot Version: HackTricks News Bot v1.0
