Expand Up @@ -629,6 +629,71 @@ wm.addView(v, lp);

Operator control primitives often seen: `BACK`, `HOME`, `RECENTS`, `CLICKTXT`/`CLICKDESC`/`CLICKELEMENT`/`CLICKHINT`, `TAP`/`SWIPE`, `NOTIFICATIONS`, `OPNPKG`, `VNC`/`VNCA11Y` (screen sharing).


## Role hijack, semantic UI parsing, and screenshot-based pseudo-VNC (Rokarolla-like banker workflow)

A recent Android banker family is a good example of how **post-install fraudware** can avoid new exploits and still reach near-full device takeover by chaining Accessibility, overlays, Android roles, and low-bandwidth screen telemetry.

### Default SMS / call role hijack with overlay-assisted consent

Beyond requesting `READ_SMS`/`SEND_SMS`, some bankers explicitly try to become the **default SMS app** and a **call-handling / call-screening component** so they can read incoming OTPs, send SMS as the victim, and suppress bank warning calls.

Practical pattern:
- request the role through `RoleManager` or the platform call-management flow
- show a blocking overlay while Accessibility locates and clicks the consent buttons
- store per-device click points so later role prompts can be auto-approved faster

Hunting ideas:
- `RoleManager.createRequestRoleIntent(...)`
- strings such as `android.app.role.SMS`, `call_screening`, `default SMS`, `default handler`
- Accessibility helpers that calibrate overlay coordinates before calling `dispatchGesture(...)`

### SQLite-backed package β†’ phishing-HTML mapping

A useful banker design is to keep the **target package list** and downloaded **overlay HTML** in a local SQLite database instead of hardcoding every template in the APK.

Common flow:
1. fetch a monitored-app mapping from the C2 (`package`, `status`, `url`)
2. compare it with the installed-package list
3. download the matching fake HTML only for apps present on the device
4. cache the template locally and inject it when the legitimate package reaches the foreground

This design makes the overlay set remotely updateable without shipping a new APK and leaves very specific forensic artifacts: tables or rows storing the package name, enable/disable status, and phishing URL / HTML blob.

### Semantic Accessibility parsing for app-specific theft

Instead of exfiltrating the whole UI tree blindly, some samples treat Accessibility as a **semantic screen classifier**. They ignore common labels that belong to the target app's normal chrome and focus only on text that is likely to be sensitive.

Observed pattern for WhatsApp-style extraction:
- treat labels such as `Chats`, `Calls`, and `New group` as structural noise
- ignore strings that match common time formats
- exfiltrate the remaining visible texts as likely contacts / chat metadata

This is a reusable technique for any app with stable navigation labels: first identify the screen from a few invariant strings, then strip the known UI shell and keep only attacker-relevant fields.

### Screenshot loop pseudo-VNC without MediaProjection

Not every Android RAT uses continuous `MediaProjection` streaming. A quieter alternative is a **snapshot loop**:
- take a screenshot
- encode it as PNG or JPEG
- attach a timestamp / state marker
- exfiltrate it over the existing C2
- reset internal state and repeat

For analysts, this matters because the malware may provide operator screen visibility **without** requesting the visible MediaProjection consent flow. Hunt for repeated screenshot helpers, `Bitmap.compress(...)`, PNG encoders, timer/handler loops, and upload routines that send image blobs plus timestamps.

### Dynamic C2 rotation and security-tool suppression

Two small but useful patterns:
- **dynamic domain rotation**: a config command updates the active HTTPS C2 list in preferences or local storage, so sinkholing one domain does not kill the bot
- **security-UI targeting**: commands explicitly open Google Play Protect or related settings pages, then rely on overlays + Accessibility to hide the interaction while protections are disabled

### Triage grep set

```bash
rg -n 'RoleManager|createRequestRoleIntent|android.app.role.SMS|call_screening|dispatchGesture|AccessibilityNodeInfo|SQLiteDatabase|monitored_apps|Bitmap.compress|png|timestamp|SharedPreferences|Play Protect' .
```

## Multi-stage Android dropper with WebView bridge, JNI string decoder, and staged DEX loading

CERT Polska's 03 April 2026 analysis of **cifrat** is a good reference for a modern phishing-delivered Android loader where the visible APK is only an installer shell. The reusable tradecraft is not the family name, but the way the stages are chained:
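Review bot: the triage grep at the end of the new section (the `rg -n '...'` line under "Triage grep set") will be mostly noise as written: `png`, `timestamp` and `SharedPreferences` match in practically every Android codebase, and the unescaped dots in `android.app.role.SMS` and `Bitmap.compress` are regex wildcards rather than literal dots. Suggest dropping the three generic tokens (or keeping them only as a second, explicitly noisy pass) and escaping the literals, e.g. `android\.app\.role\.SMS` and `Bitmap\.compress`, so the first pass surfaces the role-hijack, Accessibility and screenshot helpers the prose actually describes. Also, the heading "SQLite-backed package β†’ phishing-HTML mapping" carries a mis-encoded arrow; either the file is not being written as UTF-8 or the arrow should be replaced with a plain `->` so it renders everywhere.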
Expand Down Expand Up @@ -774,6 +839,8 @@ struct Header {
- [DomainTools SecuritySnacks - ID/VN Banker Trojans (IOCs)](https://github.com/DomainTools/SecuritySnacks/blob/main/2025/BankerTrojan-ID-VN)
- [Bypassing Android 13 Restrictions with SecuriDropper (ThreatFabric)](https://www.threatfabric.com/blogs/droppers-bypassing-android-13-restrictions)
- [Analysis of cifrat: could this be an evolution of a mobile RAT?](https://cert.pl/en/posts/2026/04/cifrat-analysis/)
- [Rokarolla : Android Banker with Complete Device Takeover Capabilities](https://zimperium.com/blog/rokarolla-android-banker-with-complete-device-takeover-capabilities)
- [Zimperium IOC – Rokarolla commands](https://github.com/Zimperium/IOC/blob/master/2026-06-Rokarolla/commands.md)
- Kimwolf Android TV Botnet: ENS-Based C2 Evasion, TLS+ECDSA C2 Protocol, and Large-Scale Proxy/DDoS Operations - [blog.xlab.qianxin.com](https://blog.xlab.qianxin.com/kimwolf-botnet-en/)


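Review bot: the two new reference entries do not follow the style of the surrounding list: "Rokarolla : Android Banker" has a stray space before the colon, the second entry uses an en dash where the other entries use a hyphen, and neither names the source vendor the way the DomainTools and "(ThreatFabric)" entries above them do. Suggest `[Rokarolla: Android Banker with Complete Device Takeover Capabilities (Zimperium)](...)` and `[Rokarolla operator commands (Zimperium IOC)](...)`, keeping the URLs as they are.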