Android users are currently under attack by a new malware campaign featuring a banking trojan named Rocinante. This malware disguises itself as legitimate banking applications to steal sensitive information from unsuspecting victims.
The malware, identified by cybersecurity researchers, uses Android’s Accessibility Service to perform keylogging and display phishing screens that mimic various banks to steal personally identifiable information (PII) from users. With this data, Rocinante can take over devices remotely by exploiting these accessibility privileges.
Several well-known financial institutions, such as Itaú Shop and Santander, have been impersonated by the trojan, with fake apps posing as Bradesco Prime, Correios Celular, and others. These apps include:
– Livelo Pontos (com.resgatelivelo.cash)
– Correios Recarga (com.correiosrecarga.android)
– Bratesco Prine (com.resgatelivelo.cash)
– Módulo de Segurança (com.viberotion1414.app)
The malware’s source code reveals that the operators refer to Rocinante internally as Pegasus or PegasusSpy, although it has no connection to the notorious spyware developed by NSO Group. Instead, the malware appears to be the work of a threat actor known as DukeEugene, who has also developed other malicious software like ERMAC, BlackRock, Hook, and Loot.
Research shows that Rocinante incorporates elements from earlier versions of ERMAC, possibly stemming from a source code leak in 2023. This marks the first instance where an original malware family has utilized leaked code to enhance its functionality, though it is also possible that the versions represent different branches from the same base project.
Rocinante spreads mainly through phishing websites that lure users into downloading fake dropper apps. Once installed, these apps request accessibility service privileges, allowing the malware to monitor all activities, intercept SMS messages, and display phishing login pages.
The malware also connects to a command-and-control (C2) server to receive further instructions, such as simulating touch and swipe events remotely. It transmits the stolen data to a Telegram bot, which then formats the information—like device details, CPF numbers, passwords, and account numbers—and makes it accessible to cybercriminals.
This campaign emerges alongside another banking trojan attack identified by security experts, which uses the secureserver[.]net domain to target Spanish and Portuguese speakers. This multi-step attack involves malicious URLs leading to a hidden .hta file, which in turn delivers a JavaScript payload designed to avoid detection before launching a final AutoIT payload that aims to steal banking credentials.
Additionally, a new “extensionware-as-a-service” campaign has been detected, targeting users in Latin America with malicious browser extensions spread through the Chrome Web Store. The e-crime group Cybercartel has been identified as the entity behind this campaign, providing these malicious tools to other cybercriminal organizations.
These harmful extensions disguise themselves as legitimate applications and inject malicious JavaScript code into web pages to capture sensitive data, such as login credentials and credit card information, depending on the targeted campaign.
To protect against malware like Rocinante, users should avoid downloading apps from unofficial sources and be wary of unexpected requests for permissions, especially those related to accessibility services. Regularly updating device software and using robust security solutions, such as anti-malware applications, can help detect and block malicious activity.
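The accessibility-service abuse described above leaves a visible trace on the device: the service has to be enabled in Android's `enabled_accessibility_services` setting. The following added example (not from the article or the researchers it cites) parses that setting's value, flags the package names the article lists for the fake apps, and sends anything else not on an assumed allowlist for review; the allowlist entry and the sample service class name are constructed for the example.

```python
# Triage check for accessibility-service abuse of the kind Rocinante relies on.
# Input: the Secure setting `enabled_accessibility_services` (adb shell settings get
# secure enabled_accessibility_services), a colon-separated list of package/ServiceClass.

# Package names the article lists for the fake Rocinante dropper apps.
ROCINANTE_PACKAGES = {
    "com.resgatelivelo.cash",
    "com.correiosrecarga.android",
    "com.viberotion1414.app",
}

# Assumed allowlist of services the device owner expects (constructed for
# this example; tailor it to your fleet).
EXPECTED_SERVICES = {
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService",
}

def parse_enabled_services(setting_value: str) -> list[tuple[str, str]]:
    """Split the raw setting into (package, class) pairs. A class starting with
    '.' is shorthand relative to its package; '' or 'null' means none enabled."""
    value = (setting_value or "").strip()
    if value in ("", "null"):
        return []
    pairs = []
    for entry in filter(None, value.split(":")):
        pkg, _, cls = entry.partition("/")
        if cls.startswith("."):
            cls = pkg + cls
        pairs.append((pkg, cls))
    return pairs

def triage(setting_value: str) -> dict[str, list[str]]:
    """Bucket each enabled service as known_bad, expected or unreviewed."""
    result = {"known_bad": [], "expected": [], "unreviewed": []}
    for pkg, cls in parse_enabled_services(setting_value):
        entry = f"{pkg}/{cls}"
        if pkg in ROCINANTE_PACKAGES:
            result["known_bad"].append(entry)
        elif entry in EXPECTED_SERVICES:
            result["expected"].append(entry)
        else:
            result["unreviewed"].append(entry)  # not known; needs a human look
    return result

# Constructed sample: TalkBack plus one of the fake apps named in the article
# (the '.MainAccessibilityService' class name is invented for this example).
SAMPLE = (
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService"
    ":com.viberotion1414.app/.MainAccessibilityService"
)
```

Calling `triage(SAMPLE)` puts the TalkBack entry under `expected` and the fake-app entry under `known_bad`; on a real device, pipe the output of the `adb` command into `triage` and treat every `unreviewed` entry as a candidate for removal.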