What is the Rocinante trojan (Android)

Rocinante is a remote access trojan (RAT), a type of infection that gives its operators access to the infected device. It appears to primarily target Android users in Brazil. It focuses on phishing users’ banking credentials, which means victims can suffer serious financial loss if their devices get infected.

 

 

Rocinante is a remote access trojan, and they are classified as very dangerous infections because of their wide range of functions. The malicious actors operating this particular trojan seem to have their eyes set on users in Brazil. It targets Android users and appears to primarily want to steal users’ banking login credentials. It may target individual users (both regular and high-profile) as well as organizations.

Rocinante immediately requests permissions once on a device. This is typical for most Android trojans. One of the most important permissions it asks for is Accessibility Services. This is an Android feature meant to help users with certain disabilities use their devices with ease. However, because of how it works, the feature is commonly misused by malware infections like Rocinante. The feature can essentially give malware access to users’ devices and their contents. If malware gets permission to use Accessibility Services, it can read screens, record keystrokes, read notifications, and more.

It appears that the malware is aiming to phish users’ banking login credentials. If it has the necessary permissions and ability to use Accessibility Services, the malware will display fake screens when users open their banking apps. If users are tricked and type their login credentials on the fake screen, the credentials would be sent to the cybercriminals operating the trojan, which would allow them access to the bank accounts. Rocinante also has a keylogging feature. This can allow it to steal other sensitive account login credentials.

If users’ devices get infected with Rocinante RAT, they may suffer serious financial loss, permanently lose data, have their privacy invaded, and may even have their identities stolen. Noticing these types of infections without a security app can be quite difficult, particularly if users are not familiar with the signs. Trojans generally stay in the background and try to avoid detection in order to perform their malicious activities. But there are certain signs that users may notice, including the battery suddenly draining quicker than usual, the device acting slow, apps lagging, being redirected to questionable websites, etc.

How does Rocinante RAT malware (Android) enter devices?

Infections like the Rocinante trojan are distributed in several ways. If users take the time to become familiar with at least the most common distribution methods, they should be able to avoid infection.

It has been noticed that the Rocinante trojan is disguised as legitimate banking apps and promoted on third-party app stores and questionable download sites. It’s no secret that third-party app stores have a lot of malicious apps on them because of their poor moderation. This can allow a malicious app to infect thousands of users before it’s taken down. Thus, to avoid infections, it’s recommended to use legitimate app stores like the Google Play Store. Google has strong security to prevent malicious apps from being uploaded onto the store. While the occasional malware is able to bypass these security measures, the chances of encountering malware on the Play Store are very low. But even when using the Play Store, you should always carefully inspect all apps before downloading them. Specifically, check the developer, read reviews, and go through the requested permissions.

When you install an app, it will request permissions so it can carry out its activities. An effective way to prevent malware from gaining access to your device is to always be very skeptical when it comes to giving apps permissions. Always carefully consider why an app requires the permissions it asks for. For example, if you download a game and it asks for permission to read your messages, get your location, etc., you should be very suspicious.

When malicious actors have a specific target, they would likely use phishing and social engineering attacks. Ones targeting high-profile individuals would be very sophisticated and difficult to identify unless users are very cautious. For example, if the malware was spread via email, the email would have personal information that would make the email seem credible. However, sophisticated attempts are usually reserved for high-profile targets because they’re high-effort. Nonetheless, users are all warned to be careful when dealing with unsolicited emails and messages that contain links or attachments. Never click on unknown links or open unsolicited attachments. You should also keep in mind that organizations and institutions like law enforcement, banks, tax agencies, etc., do not send messages with links.

It’s also possible to infect a device with Rocinante RAT and other infections when downloading cracks and pirated content. All kinds of malware infections are promoted on pirating sites, including free streaming and torrent sites. Keep in mind that pirating is not only content theft but is also dangerous for users’ computers and data.