Zimperium's zLabs has documented Rokarolla, a new Android banking trojan that targets 217 banking and cryptocurrency apps and accepts 137 remote commands, giving an operator near-total control of an infected phone. It captures lock-screen PINs, reads and sends SMS to intercept one-time codes, rewrites the clipboard to redirect cryptocurrency payments to attacker-controlled addresses, and disables Google Play Protect. It spreads through malicious websites impersonating download pages for popular apps such as TikTok and Chrome; the infection chain starts with a dropper disguised as Google Play Protect that abuses Accessibility permissions. Credential theft relies on fake login overlays drawn on top of the real banking apps, and surveillance on screenshots taken silently through the Accessibility service.
WatchGuard and ESET have documented two parallel banking-malware campaigns hitting Windows and Android users across Iberia and Latin America. The Windows campaign delivers Grandoreiro, an actively evolving banking trojan operating since 2016 that targets thousands of institutions across 45 countries, via DLL side-loading through four legitimate applications. The malicious DLLs are built with Delphi 11 and abuse the sgcWebSockets library to run WebRTC peer-to-peer command-and-control, using ICE with STUN for NAT traversal so that the C2 traffic blends in with web-conferencing traffic. Named targets include Abanca, Banco de Portugal, BBVA PT, Caixa Geral and Santander, as well as Revolut and Wise. A companion campaign delivers the BTMOB RAT to Android users in Brazil.
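As an added illustration of the detection side of the STUN-based C2 described above (example code written for this page, not code from the WatchGuard or ESET reports), the following Python parses the RFC 5389 STUN header (magic cookie 0x2112A442, two zero top bits in the message type, 4-byte-aligned attribute length) from captured UDP payloads and flags STUN binding traffic that originates from a process not on a conferencing allowlist. The flow records, the process names (including the hypothetical side-loaded host `photoviewer.exe`; the page does not name the four legitimate applications) and the IP addresses are constructed for the example.

```python
import struct
from dataclasses import dataclass
from typing import Optional

STUN_MAGIC_COOKIE = 0x2112A442  # RFC 5389 fixed value at header bytes 4..8
STUN_HEADER_LEN = 20


@dataclass
class StunHeader:
    msg_type: int          # e.g. 0x0001 Binding Request, 0x0101 Binding Success
    length: int            # number of attribute bytes following the 20-byte header
    transaction_id: bytes  # 96-bit transaction id


def parse_stun_header(payload: bytes) -> Optional[StunHeader]:
    """Return the STUN header if payload looks like an RFC 5389 message, else None.

    Checks: minimum length, the two most significant bits of the type are zero,
    the magic cookie matches, and the attribute length is 4-byte aligned and
    actually present in the payload.
    """
    if len(payload) < STUN_HEADER_LEN:
        return None
    msg_type, length, cookie = struct.unpack("!HHI", payload[:8])
    if msg_type & 0xC000 or cookie != STUN_MAGIC_COOKIE:
        return None
    if length % 4 or len(payload) < STUN_HEADER_LEN + length:
        return None
    return StunHeader(msg_type, length, payload[8:20])


def stun_message_name(msg_type: int) -> str:
    """Decode the class and method bits (RFC 5389 section 6) into a readable label."""
    klass = ((msg_type >> 4) & 0x1) | ((msg_type >> 7) & 0x2)
    method = (msg_type & 0x000F) | ((msg_type >> 1) & 0x0070) | ((msg_type >> 2) & 0x0F80)
    klass_name = {0: "request", 1: "indication", 2: "success-response", 3: "error-response"}[klass]
    method_name = {0x001: "binding"}.get(method, f"method-{method:#x}")
    return f"{method_name} {klass_name}"


def stun_binding_request(txid: bytes, attrs: bytes = b"") -> bytes:
    """Build a STUN Binding Request (constructed test input, not captured traffic)."""
    assert len(txid) == 12 and len(attrs) % 4 == 0
    return struct.pack("!HHI", 0x0001, len(attrs), STUN_MAGIC_COOKIE) + txid + attrs


# SOFTWARE attribute (type 0x8022) with a 4-byte value, so the header length field is 8.
SOFTWARE_ATTR = struct.pack("!HH", 0x8022, 4) + b"test"

# Constructed flow records (process, destination, UDP payload). Process names and
# addresses are invented for this example; documentation IP ranges are used.
SAMPLE_FLOWS = [
    {"process": "Teams.exe", "dst": "198.51.100.5:3478",
     "payload": stun_binding_request(b"\x01" * 12, SOFTWARE_ATTR)},
    {"process": "photoviewer.exe",  # hypothetical side-loaded host application
     "dst": "203.0.113.10:3478",
     "payload": stun_binding_request(b"\x02" * 12)},
    {"process": "photoviewer.exe", "dst": "203.0.113.10:53",
     "payload": b"\x12\x34\x01\x00\x00\x01" + b"\x00" * 18},  # long enough, but no cookie
]

# Processes expected to speak STUN/WebRTC on a typical corporate workstation (tune per fleet).
CONFERENCING_PROCESSES = {"teams.exe", "zoom.exe", "chrome.exe", "msedge.exe", "firefox.exe"}


def flag_unexpected_stun(flows, allowed=CONFERENCING_PROCESSES):
    """Return (process, dst, message name) for STUN traffic from non-allowlisted processes."""
    findings = []
    for flow in flows:
        hdr = parse_stun_header(flow["payload"])
        if hdr is None:
            continue
        if flow["process"].lower() not in allowed:
            findings.append((flow["process"], flow["dst"], stun_message_name(hdr.msg_type)))
    return findings


if __name__ == "__main__":
    for finding in flag_unexpected_stun(SAMPLE_FLOWS):
        print("STUN from unexpected process:", finding)
```

A STUN binding request from a non-conferencing process is a lead, not a verdict: many applications embed WebRTC, so the allowlist needs tuning per environment, and the hit is most useful when correlated with an image-load event showing an unsigned DLL loaded from beside a signed host binary, which is the side-loading pattern the campaign relies on.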