A newly discovered Android banking trojan called Rokarolla is targeting hundreds of banking and cryptocurrency apps while giving attackers extensive control over infected devices.
Quick Summary – TLDR:
- Rokarolla is a newly discovered Android banking trojan identified by Zimperium’s zLabs researchers.
- The malware targets 217 banking and cryptocurrency applications through fake login screens and credential theft.
- It can steal passwords, PINs, SMS messages, banking details, and crypto wallet information while blocking fraud alert calls.
- Researchers warn the threat represents a growing shift from simple credential theft to full device takeover.
What Happened?
Security researchers at Zimperium zLabs have uncovered a new Android banking trojan called Rokarolla that is capable of taking extensive control of infected smartphones. The malware is primarily distributed through malicious websites that impersonate popular apps such as TikTok and Google Chrome.
According to the researchers, Rokarolla targets 217 banking and cryptocurrency applications and uses a large arsenal of commands to steal sensitive information, manipulate devices, and help attackers conduct financial fraud without alerting victims.
🚨 Fake Play Protect app
— The Hacker News (@TheHackersNews) June 16, 2026
🎭 Hidden overlay
📱 217 apps targeted
⚙️ 137 commands
Researchers say Rokarolla steals PINs, SMS codes, and crypto payments by abusing Android Accessibility.
It spreads through fake #TikTok and Chrome sites.
Read ➝ https://t.co/ScVRIffo6G
How Rokarolla Infects Android Devices?
The infection chain starts with a malicious dropper that pretends to be Google Play Protect. Once installed, the dropper delivers the main malware payload and persuades users to grant Accessibility Services permissions.
These permissions give Rokarolla powerful capabilities that allow it to simulate taps, interact with apps, read screen content, and perform actions without the victim’s knowledge.
Researchers noted that the malware also requests access to SMS messages, notifications, and phone related permissions, expanding its ability to monitor and control infected devices.
Designed to Target Banking and Crypto Apps
One of Rokarolla’s most dangerous features is its ability to target a large number of financial applications. The malware communicates with its command and control infrastructure to retrieve a list of targeted banking and cryptocurrency apps.
When a victim launches one of the targeted applications, Rokarolla displays a fake login page over the legitimate app. These phishing overlays are downloaded from attacker controlled servers and stored locally on the device.
The technique allows attackers to collect:
- Usernames
- Passwords
- Banking credentials
- Credit card information
- Cryptocurrency account details
Researchers explained that the malware dynamically activates these overlays only when specific apps are opened, helping it avoid detection.
Stealing PINs, SMS Messages, and More
Rokarolla goes far beyond traditional banking malware.
The trojan can create a fake Android lock screen that closely resembles the legitimate interface. Victims who enter their PIN, password, or unlock pattern unknowingly send that information directly to attackers.
The malware is also capable of reading and sending SMS messages, allowing it to intercept one time passwords and authentication codes used by banks and financial services.
According to the report, “Any credentials entered by the user are captured by this deceptive UI and subsequently exfiltrated to attacker controlled infrastructure for further exploitation.“
Researchers also observed the malware harvesting contact lists, collecting WhatsApp related information, capturing keystrokes, and logging screen activity.
Advanced Evasion and Device Takeover Features
Rokarolla includes approximately 137 commands that provide attackers with extensive control over infected devices.
The malware can:
- Disable Google Play Protect
- Block incoming calls
- Mute device audio and vibrations
- Hide its application icon
- Keep the screen active indefinitely
- Replace copied cryptocurrency wallet addresses
- Capture screenshots for surveillance
Instead of relying on Android’s MediaProjection API, which typically displays recording notifications, Rokarolla uses a screenshot-based monitoring system. Images are captured, compressed, and sent to attacker servers without displaying visible recording indicators.
Researchers also found that the malware can request default SMS handler and call handler privileges. This allows it to intercept communications and block fraud warning calls from banks that might otherwise alert victims to suspicious transactions.
Researchers Warn of Growing Mobile Banking Threats
Security experts say Rokarolla reflects a broader evolution in Android malware. Rather than focusing solely on stealing credentials, attackers are increasingly seeking complete control of mobile devices.
Researchers said:
The malware also uses multiple fallback domains and can dynamically update its command and control infrastructure, helping maintain operations even if individual servers are taken offline.
SQ Magazine Takeaway
I believe Rokarolla is a clear example of how mobile banking malware is becoming far more sophisticated. This is no longer just about stealing a password or an SMS code. Attackers are attempting to control the entire smartphone because that device now holds access to banking accounts, cryptocurrency wallets, personal communications, and digital identities. Android users should be extremely cautious about installing apps from unofficial sources and should treat unexpected requests for Accessibility permissions as a serious warning sign.
