Crypto news

20.06.2026
04:15

Cyber threats of the week: USB worm targets crypto investors, Android trojan Rokarolla, and vulnerability in Beats Studio Buds

Cryptocurrency Cybersecurity

This week, the cyber threat landscape for the crypto community has been marked by a series of serious incidents. From self-replicating USB worms to sophisticated Android trojans, attackers continue to refine their methods. Below are key events that require close attention from anyone working with digital assets.

USB Worm with a Tor Backdoor

Microsoft specialists have detected a campaign spreading a unique USB worm targeting cryptocurrency theft. The malware activates when a modified .LNK file on a USB drive is opened. It then establishes a connection with a command server in the .onion domain and begins scanning the system. The worm hides original user documents, replacing them with malicious shortcuts. For self-replication, it creates a task that monitors the connection of new USB drives.

In its active phase, the stealer monitors the clipboard every half second, searching for BIP39 seed phrases and wallet addresses for Bitcoin, Ethereum, Tron, and Monero. Upon detection, it instantly replaces them with the attacker's addresses, with an algorithm selecting visually similar initial characters. Additionally, screenshots are taken every ten seconds. The worm's activity has been recorded since February, with key infection indicators being behavioral anomalies such as unexpected launches of wscript.exe and connections to localhost:9050.

Android Trojan Rokarolla: Full Device Takeover

Zimperium researchers have discovered a new Android trojan, Rokarolla, whose arsenal includes 137 remote commands. The malware spreads through fake websites masquerading as installers for TikTok and Google Chrome. After installation, it mimics the system component Google Play Protect and uses social engineering to force the user to grant access to "Accessibility Services." Once obtained, the trojan disables the real Play Protect and deploys its full functionality.

Rokarolla can replace legitimate crypto wallet windows with fake login pages, intercept PIN codes through a fake lock screen, read and send SMS to bypass 2FA, and block incoming calls from bank anti-fraud systems. An integrated clipper completes the picture by replacing wallet addresses in the clipboard.

Vulnerability in Beats Studio Buds: Espionage via Headphones

Apple has released a firmware update for Beats Studio Buds, fixing a critical vulnerability, CVE-2025-20701. The flaw, discovered by SentinelOne experts, allowed attackers within Bluetooth range to connect to the headphones without authentication. This enabled not only eavesdropping on conversations via the built-in microphone but also intercepting trust relationships with previously paired iPhones, opening the door for multi-stage attacks.

The issue was related to incorrect authorization in the Bluetooth audio SDK from Airoha. The vulnerability has been fixed in firmware version 1B211.

Analysis and Conclusions

This week highlights a concerning trend: attackers are increasingly using physical attack vectors (USB drives) and deep integration into mobile ecosystems. The USB worm with Tor communication is an elegant but dangerous solution for bypassing network defenses, while Rokarolla shows that even Android's "Accessibility Services" can become an Achilles' heel. The only reliable protection is a combination of behavioral analysis, minimal app privileges, and physical isolation of critical devices.