---
title: "New Rokarolla Trojan Steals Banking Data From Android Users"
date: 2026-06-17
author: "Sofia Ramirez"
featured_image: "https://sqmagazine.co.uk/wp-content/uploads/2026/06/rokarolla-trojan-steals-banking-data-from-android.jpg"
categories:
  - name: "Cybersecurity"
    url: "/cybersecurity.md"
tags:
  - name: "News"
    url: "/tag/news.md"
---

# New Rokarolla Trojan Steals Banking Data From Android Users

A newly discovered Android banking trojan called Rokarolla is targeting hundreds of banking and cryptocurrency apps while giving attackers extensive control over infected devices.

## Quick Summary – TLDR:

- Rokarolla is a newly discovered Android banking trojan identified by Zimperium’s zLabs researchers.
- The malware targets 217 banking and cryptocurrency applications through fake login screens and credential theft.
- It can steal passwords, PINs, SMS messages, banking details, and crypto wallet information while blocking fraud alert calls.
- Researchers warn the threat represents a growing shift from simple credential theft to full device takeover.

## What Happened?

Security researchers at **Zimperium zLabs** have uncovered a new Android banking trojan called **Rokarolla** that is capable of taking extensive control of infected smartphones. The malware is primarily distributed through malicious websites that impersonate popular apps such as TikTok and Google Chrome.

According to the researchers, Rokarolla targets **217 banking and cryptocurrency applications** and uses a large arsenal of commands to steal sensitive information, manipulate devices, and help attackers conduct financial fraud without alerting victims.

> 🚨 Fake Play Protect app  
> 🎭 Hidden overlay  
> 📱 217 apps targeted  
> ⚙️ 137 commands  
>   
> Researchers say Rokarolla steals PINs, SMS codes, and crypto payments by abusing Android Accessibility.  
>   
> It spreads through fake [\#TikTok](https://x.com/hashtag/TikTok?src=hash&ref_src=twsrc%5Etfw) and Chrome sites.  
>   
> Read ➝ <https://t.co/ScVRIffo6G>
> 
> — The Hacker News (@TheHackersNews) [June 16, 2026](https://x.com/TheHackersNews/status/2066873666034692424?ref_src=twsrc%5Etfw)

## How Rokarolla Infects Android Devices

The infection chain starts with a malicious dropper that pretends to be **Google Play Protect**. Once installed, the dropper delivers the main malware payload and persuades users to grant **Accessibility Services** permissions.

These permissions give Rokarolla powerful capabilities that allow it to simulate taps, interact with apps, read screen content, and perform actions without the victim’s knowledge.

Researchers noted that the malware also requests access to SMS messages, notifications, and phone-related permissions, expanding its ability to monitor and control infected devices.
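A defender-side check for the pattern described above, as an added example that is not from the article or from Zimperium's report: it parses the output of `adb shell settings get secure enabled_accessibility_services` and `adb shell pm list packages -i` and flags packages that hold an Accessibility service but were not installed by a trusted store. The sample output, the package names in it, and the `TRUSTED_INSTALLERS` set are constructed assumptions.

```python
import re

# Installer package names treated as trusted stores (assumption; extend per fleet).
TRUSTED_INSTALLERS = {"com.android.vending"}

def parse_accessibility(setting_value):
    """Parse `settings get secure enabled_accessibility_services` output
    (colon-separated component names) into a set of package names."""
    value = setting_value.strip()
    if not value or value == "null":
        return set()
    return {comp.split("/", 1)[0] for comp in value.split(":") if comp}

def parse_installers(pm_output):
    """Parse `pm list packages -i` lines into {package: installer or None}."""
    installers = {}
    for line in pm_output.splitlines():
        m = re.match(r"package:(\S+)\s+installer=(\S+)", line.strip())
        if m:
            inst = m.group(2)
            installers[m.group(1)] = None if inst == "null" else inst
    return installers

def audit(accessibility_value, pm_output, system_packages=frozenset()):
    """Return (package, installer) for every package that holds an Accessibility
    service, is not allowlisted, and was not installed by a trusted store."""
    installers = parse_installers(pm_output)
    findings = []
    for pkg in sorted(parse_accessibility(accessibility_value)):
        if pkg in system_packages:
            continue
        installer = installers.get(pkg)  # None also covers "unknown package"
        if installer not in TRUSTED_INSTALLERS:
            findings.append((pkg, installer))
    return findings

# Constructed sample output; package names are invented for illustration.
SAMPLE_A11Y = ("com.google.android.marvin.talkback/.TalkBackService:"
               "com.example.protect.update/com.example.protect.update.CoreService")
SAMPLE_PM = """package:com.google.android.marvin.talkback  installer=com.android.vending
package:com.example.protect.update  installer=null
package:com.example.notes  installer=com.android.vending"""

if __name__ == "__main__":
    for pkg, installer in audit(SAMPLE_A11Y, SAMPLE_PM):
        print(f"REVIEW: {pkg} holds an Accessibility service, installer={installer}")
```

A finding is a prompt for review, not a verdict: preinstalled vendor services often report no installer, which is what the `system_packages` allowlist is for.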

## Designed to Target Banking and Crypto Apps

One of Rokarolla’s most dangerous features is its ability to target a large number of financial applications. The malware communicates with its command and control infrastructure to retrieve a list of targeted banking and cryptocurrency apps.

When a victim launches one of the targeted applications, Rokarolla displays a fake login page over the legitimate app. These phishing overlays are downloaded from attacker-controlled servers and stored locally on the device.

The technique allows attackers to collect:

- **Usernames**
- **Passwords**
- **Banking credentials**
- **Credit card information**
- **Cryptocurrency account details**

Researchers explained that the malware dynamically activates these overlays only when specific apps are opened, helping it avoid detection.

## Stealing PINs, SMS Messages, and More

Rokarolla goes far beyond traditional banking malware.

The trojan can create a fake [Android](https://sqmagazine.co.uk/android-statistics/) lock screen that closely resembles the legitimate interface. Victims who enter their PIN, password, or unlock pattern unknowingly send that information directly to attackers.

The malware is also capable of reading and sending SMS messages, allowing it to intercept **one-time passwords** and authentication codes used by banks and financial services.

According to the report, “**Any credentials entered by the user are captured by this deceptive UI and subsequently exfiltrated to attacker controlled infrastructure for further exploitation.**”

Researchers also observed the malware harvesting contact lists, collecting [WhatsApp](https://sqmagazine.co.uk/whatsapp-statistics/) related information, capturing keystrokes, and logging screen activity.

## Advanced Evasion and Device Takeover Features

Rokarolla includes approximately **137 commands** that provide attackers with extensive control over infected devices.

The malware can:

- **Disable Google Play Protect**
- **Block incoming calls**
- **Mute device audio and vibrations**
- **Hide its application icon**
- **Keep the screen active indefinitely**
- **Replace copied [cryptocurrency wallet addresses](https://sqmagazine.co.uk/hardware-wallet-market-statistics/)**
- **Capture screenshots for surveillance**

Instead of relying on Android’s MediaProjection API, which typically displays recording notifications, Rokarolla uses a screenshot-based monitoring system. Images are captured, compressed, and sent to attacker servers without displaying visible recording indicators.

Researchers also found that the malware can request default SMS handler and call handler privileges. This allows it to intercept communications and block fraud warning calls from banks that might otherwise alert victims to suspicious transactions.

## Researchers Warn of Growing Mobile Banking Threats

Security experts say Rokarolla reflects a broader evolution in Android malware. Rather than focusing solely on stealing credentials, attackers are increasingly seeking complete control of mobile devices.

Researchers said:

> “Rokarolla targets an expansive ecosystem of over 200 financial, cryptocurrency and social media applications. By employing sophisticated evasion tactics, these threats are specifically engineered to circumvent legacy, signature based mobile security solutions.”

The malware also uses multiple fallback domains and can dynamically update its command and control infrastructure, helping maintain operations even if individual servers are taken offline.

## SQ Magazine Takeaway

I believe **Rokarolla** is a clear example of how mobile banking malware is becoming far more sophisticated. This is no longer just about stealing a password or an SMS code. Attackers are attempting to control the entire smartphone because that device now holds access to banking accounts, cryptocurrency wallets, personal communications, and digital identities. Android users should be extremely cautious about installing apps from unofficial sources and should treat unexpected requests for Accessibility permissions as a serious warning sign.