Rocinante is a remote access trojan (RAT) that targets Android devices. It is a serious infection that can lead to financial loss, identity theft, stolen data and more. It appears to primarily target customers of banks in Brazil.

Remote Access Trojans (RATs) like Rocinante are classified as very dangerous infections. The Rocinante RAT mainly targets Android users in Brazil, specifically those who use certain banking apps. In addition to regular users, the trojan may also be used against high-profile individuals and organizations.

Immediately after the Rocinante trojan is installed on a device, it starts requesting permissions. This is typical of Android malware, as is asking the user to enable it as an Accessibility Service. Accessibility Services is a legitimate Android feature that helps users with disabilities operate their devices more conveniently. However, it is frequently abused by malware because, once enabled, it effectively hands the app control over the device and its contents: an app with the Accessibility Services grant can read screen contents, log keystrokes, read notifications, interact with the screen on the user's behalf, and more.

The primary goal of this malware is to phish users' banking login credentials. Once fully set up (it holds the necessary permissions and has been enabled as an Accessibility Service), it displays fake login screens over the targeted banking apps whenever the user opens one of them. Credentials typed into the fake screen are sent to the attackers, who can then access the bank account. Rocinante also has a keylogging feature, which lets it capture the login credentials of other accounts as well.
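To make the Accessibility Services point concrete, here is an added example (not from the original article, and not Rocinante's own code) of how to check which apps currently hold that grant on a device. It is a POSIX shell function that parses the value of the `enabled_accessibility_services` secure setting, which `adb shell settings get secure enabled_accessibility_services` prints as a colon-separated list of `package/ServiceClass` entries (or `null` when none is enabled). The allowlist of accessibility apps installed on purpose and the sample setting value are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example: audit the Accessibility Services grant that banking trojans
# such as Rocinante abuse. Not code from the original article.
#
# On a device the input would come from:
#   adb shell settings get secure enabled_accessibility_services | tr -d '\r'
# The value is "null" or a colon-separated list of package/ServiceClass pairs.

# Assumption: accessibility apps the device owner installed deliberately.
KNOWN_ACCESSIBILITY_PKGS="com.google.android.marvin.talkback com.android.talkback"

# Print the package name in front of the "/" of one entry.
entry_package() {
    printf '%s\n' "${1%%/*}"
}

# Print each enabled service whose package is not on the allowlist.
# Returns 0 when nothing unexpected is enabled, 1 otherwise.
audit_accessibility() {
    setting=$1
    rc=0
    if [ -z "$setting" ] || [ "$setting" = "null" ]; then
        return 0
    fi
    # One entry per line; the here-document keeps the loop in this shell,
    # so the rc update below is not lost in a pipeline subshell.
    while IFS= read -r entry; do
        [ -n "$entry" ] || continue
        pkg=$(entry_package "$entry")
        known=0
        for k in $KNOWN_ACCESSIBILITY_PKGS; do
            [ "$pkg" = "$k" ] && known=1
        done
        if [ "$known" -eq 0 ]; then
            echo "UNEXPECTED accessibility service enabled: $entry"
            rc=1
        fi
    done <<EOF
$(printf '%s\n' "$setting" | tr ':' '\n')
EOF
    return $rc
}

# Constructed sample value, not captured from a real device: a legitimate
# screen reader plus an unknown "security" app that registered a service.
SAMPLE_SETTING='com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:com.example.fakesecure/com.example.fakesecure.MonitorService'

# Stand-alone demo; on a device, pass the output of the adb command above.
audit_accessibility "$SAMPLE_SETTING"
```

Anything the function flags should be identified with `adb shell pm path <package>` and pulled for inspection; an app you do not remember enabling as an Accessibility Service is exactly the sign this malware family leaves behind.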

The Rocinante RAT infection is very serious. An infection may result in stolen or lost data, financial loss, privacy violations and even identity theft. These infections are difficult to notice without a security app on the device because trojans work in the background and stay out of sight. Some symptoms may be noticeable to users who know what to look for: the device lags, apps crash, battery usage increases, the browser gets redirected to questionable websites, etc. None of these symptoms is specific to malware, however, and their absence does not mean the device is clean. Even when a trojan is noticed, removing it from an Android device should be left to a reputable security program to avoid further damage.

How does Rocinante malware enter an Android device?

Like most Android malware, Rocinante is distributed in several ways. First, it can be disguised as a legitimate security or banking app. Such disguised apps are found on third-party app stores and questionable download sites, and this is the method generally used to target users at scale.

For specific targets, malicious actors usually rely on phishing and social engineering, such as emails and text messages. If the attackers are after a specific person and have access to some of their personal information, these attacks can be very sophisticated and convincing.

As with other malware, users may also encounter Rocinante when pirating, for example when downloading cracks or copyrighted content. Malware is prevalent on third-party app stores and dubious download sites in general.

How to protect yourself from Android malware

There are several ways users can protect their Android devices from malware.

Research apps before downloading

All apps should be carefully researched before installing. Users should always check who the developer is, read reviews, inspect the requested permissions, etc.

Use legitimate stores/platforms to download apps

It's strongly recommended to stick to legitimate and official app stores like the Google Play Store. Third-party app stores are often poorly regulated, which allows malicious actors to upload malicious apps disguised as legitimate ones. The Google Play Store is the safest place to download apps from because it has various security measures to keep malware out. While the occasional malicious app does get past Google's checks, it happens rarely compared to third-party app stores.

Always carefully review requested permissions

One of the most effective ways to prevent infections on an Android device is to carefully review permissions before granting them to an app. When an app is installed or first used, it requests the permissions it needs to operate. Users should be skeptical when reviewing them: for example, if a game requests permission to read messages or make calls, that should ring alarm bells. Note that Accessibility Services is not granted through the usual permission prompt but enabled separately in the device's Settings, so an app that walks the user through enabling it there deserves the same scrutiny.
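As an added example (not from the original article), the following POSIX shell functions automate the kind of permission review described above for an app that is already installed. They read the text that `adb shell dumpsys package <package.name>` prints, in which each install or runtime permission appears on its own line as `android.permission.NAME: granted=true|false`, and report the granted permissions on a watchlist that a game or a simple utility has no business holding; a second function reports whether the app declared the overlay permission that fake login screens rely on. The watchlist and the sample dumpsys excerpt for a hypothetical game package are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example: flag granted permissions that a harmless-looking app should
# not hold. Not code from the original article.
#
# Input is the output of:
#   adb shell dumpsys package <package.name>
# in which permissions appear one per line as
#   android.permission.READ_SMS: granted=true, flags=[ ... ]

# Assumption: permissions worth a second look when a game or utility asks.
WATCHLIST="READ_SMS RECEIVE_SMS SEND_SMS READ_CONTACTS READ_CALL_LOG CALL_PHONE RECORD_AUDIO"

# Print each watchlisted permission that is granted, one per line.
# Returns 0 when none is granted, 1 otherwise.
flag_granted_permissions() {
    dump=$1
    rc=0
    for p in $WATCHLIST; do
        if printf '%s\n' "$dump" | grep -q "android\.permission\.$p: granted=true"; then
            echo "$p"
            rc=1
        fi
    done
    return $rc
}

# Report whether the app declared the overlay permission that fake login
# screens rely on; it is listed under "requested permissions:" rather than
# with a granted= status, so it is matched by name only.
requests_overlay_permission() {
    printf '%s\n' "$1" | grep -q 'android\.permission\.SYSTEM_ALERT_WINDOW'
}

# Constructed sample excerpt, not captured from a real device: a "game" that
# holds SMS and phone permissions and declares the overlay permission.
SAMPLE_DUMP='Package [com.example.puzzlegame]:
    requested permissions:
      android.permission.INTERNET
      android.permission.SYSTEM_ALERT_WINDOW
      android.permission.READ_SMS
      android.permission.RECEIVE_SMS
      android.permission.CALL_PHONE
      android.permission.CAMERA
    install permissions:
      android.permission.INTERNET: granted=true
    runtime permissions:
      android.permission.READ_SMS: granted=true, flags=[ USER_SET ]
      android.permission.RECEIVE_SMS: granted=true, flags=[ USER_SET ]
      android.permission.CALL_PHONE: granted=true, flags=[ USER_SET ]
      android.permission.CAMERA: granted=false, flags=[ USER_SET ]'

# Stand-alone demo; on a device, pass "$(adb shell dumpsys package com.example.puzzlegame)".
if ! flag_granted_permissions "$SAMPLE_DUMP"; then
    echo "review this app before keeping it"
fi
requests_overlay_permission "$SAMPLE_DUMP" && echo "declares SYSTEM_ALERT_WINDOW (can draw over other apps)"
```

The watchlist is deliberately short; the point is that a permission only makes sense relative to what the app claims to do, which is why the check is run per app rather than device-wide.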

Keep the device up-to-date

It's important to keep all devices up to date and install updates as they come out. Updates patch known vulnerabilities that malicious actors could exploit, so installing them promptly is essential. This applies to the apps on the device, banking apps included, as well as to Android itself.

Do not click on unknown links or open unsolicited email attachments

This advice applies not only to Android users but to everyone, whatever device they use. Users should always be very careful with unsolicited SMS, emails, messages, etc., that carry links or attachments. Links in messages that claim to come from government agencies (e.g. law enforcement, tax agencies), banks and other institutions should be treated as suspicious: rather than following the link, open the institution's official app or type its address into the browser manually. Users should avoid clicking unknown links in general and never open unsolicited email attachments without checking them first (e.g. scanning them with an anti-virus program or VirusTotal).

Site Disclaimer

2-remove-virus.com is not sponsored, owned, affiliated, or linked to malware developers or distributors that are referenced in this article. The article does not promote or endorse any type of malware. We aim at providing useful information that will help computer users to detect and eliminate the unwanted malicious programs from their computers. This can be done manually by following the instructions presented in the article or automatically by implementing the suggested anti-malware tools.

The article is only meant to be used for educational purposes. If you follow the instructions given in the article, you agree to be bound by the disclaimer. We do not guarantee that the article will present you with a solution that removes the malign threats completely. Malware changes constantly, which is why, in some cases, it may be difficult to clean the computer fully by using only the manual removal instructions.