Rokarolla Android Malware Targets Banking Apps, SMS Codes, And Cryptocurrency Wallets


Security researchers have identified a new Android banking trojan known as Rokarolla that is capable of targeting hundreds of financial and cryptocurrency applications while providing attackers with extensive control over infected devices. The malware was discovered by researchers at Zimperium’s zLabs, who found that Rokarolla is designed to target 217 banking and cryptocurrency applications and includes a vast command structure consisting of 137 remote instructions. According to researchers, the malware can steal lock screen PINs, intercept SMS verification codes, manipulate cryptocurrency transactions, collect sensitive information, and disable built-in Android security protections. The threat demonstrates the continued evolution of mobile banking malware, with attackers increasingly employing sophisticated social engineering techniques and system-level permissions to bypass security controls and gain access to financial information. Researchers stated that the malware derives its name from the command-and-control infrastructure used to manage infected devices and distribute malicious instructions.

Rokarolla primarily spreads through fraudulent websites that impersonate popular and trusted applications, including well-known services such as TikTok and Google Chrome. Victims who visit these websites are encouraged to download what appears to be a legitimate application. The first stage of the attack involves a dropper application disguised as Google Play Protect, Google’s built-in mobile security feature. By presenting itself as a trusted security tool, the malware attempts to gain the user’s confidence and secure elevated permissions through Android’s Accessibility services. Once granted these permissions, the malware deploys its primary payload and immediately gains extensive visibility and control over device activity. Researchers noted that one of Rokarolla’s commands is specifically designed to disable Google Play Protect after installation, removing a key layer of protection that could otherwise detect suspicious behavior. The malware then establishes communication with attacker-controlled infrastructure and downloads a list of targeted applications along with customized phishing templates designed to capture sensitive user information.

The primary credential theft mechanism relies on overlay attacks. Rokarolla downloads fraudulent login pages for targeted banking and cryptocurrency applications and stores them locally on the device. When a victim launches a legitimate banking or wallet application, the malware places a counterfeit login screen over the genuine application interface. Users unknowingly enter usernames, passwords, account information, payment card details, and other sensitive data directly into the attacker’s phishing pages. Researchers observed examples of overlays designed to mimic legitimate banking applications as well as Android lock screens. By presenting fake lock screen prompts, Rokarolla can capture device PINs, passwords, and unlock patterns, allowing attackers to gain access even when the device is locked. The malware also monitors every SMS message received on the device and can send messages on behalf of the victim. This capability enables attackers to intercept one-time passwords and transaction verification codes commonly used by financial institutions. Additionally, by setting itself as the default application for calls and messages, the malware can block incoming communications, potentially preventing banks from contacting customers about suspicious activity.

Researchers found that Rokarolla extends beyond credential theft and financial fraud by incorporating surveillance and remote control features. The malware contains keylogging functionality, screen monitoring capabilities, contact harvesting tools, and notification collection mechanisms that provide attackers with a detailed view of user activity. It can also silently alter clipboard contents, replacing copied cryptocurrency wallet addresses with attacker-controlled alternatives to redirect digital asset transfers without the victim’s knowledge. Instead of relying on traditional screen recording methods that generate visible notifications, Rokarolla captures screenshots through Accessibility services and transmits them to remote servers in compressed image format. Security analysts noted that the malware maintains resilience through multiple backup command-and-control domains and can receive updated server addresses dynamically, making disruption efforts more difficult. Zimperium researchers stated that Rokarolla reflects a broader trend observed throughout 2026, where Android banking malware increasingly relies on fake application installers, Accessibility abuse, phishing overlays, and credential theft techniques to bypass user protections. Security experts recommend downloading applications only from trusted sources such as Google Play, keeping Google Play Protect enabled, and treating unexpected requests for Accessibility permissions as a significant warning sign, as this permission plays a central role in enabling the malware’s capabilities.
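The permission pattern the article describes (an enabled Accessibility service, the default SMS and dialer roles, and the ability to draw over other apps, all held by one non-stock package) is something a defender can audit from a device settings snapshot. The Python below is an added example, not Zimperium's or the article's code. The snapshot values are constructed; on a real device they would come from `adb shell settings get secure enabled_accessibility_services`, `adb shell appops get <pkg> SYSTEM_ALERT_WINDOW`, and `adb shell cmd role get-role-holders <role>` (the semicolon-separated output format of the last command is an assumption here). The allowlists and the package name `com.example.fakeprotect` are also constructed, not indicators from the report.

```python
"""Offline triage of an Android settings snapshot for the overlay + Accessibility
+ default-messaging pattern used by banking trojans.  Added example; the package
names, allowlists and raw command output below are constructed."""
from __future__ import annotations
from dataclasses import dataclass

# Assumption: a defender-maintained allowlist of packages expected to hold these
# positions on a managed device (stock TalkBack, Messages and Phone apps).
TRUSTED_ACCESSIBILITY = {"com.google.android.marvin.talkback"}
TRUSTED_ROLE_HOLDERS = {
    "android.app.role.SMS": {"com.google.android.apps.messaging"},
    "android.app.role.DIALER": {"com.google.android.dialer"},
}
SEVERITY_RANK = {"info": 0, "medium": 1, "high": 2, "critical": 3}


@dataclass
class Snapshot:
    enabled_accessibility_services: str   # raw value of the secure setting
    role_holders: dict[str, str]          # role name -> raw 'cmd role' output (assumed ';'-separated)
    appops: dict[str, str]                # package -> raw 'appops get <pkg> SYSTEM_ALERT_WINDOW' output


@dataclass
class Finding:
    severity: str
    package: str
    reason: str


def parse_accessibility_services(raw: str) -> list[str]:
    """'pkg/Service:pkg2/Service2' -> ['pkg', 'pkg2'].  The setting reads 'null'
    (or is empty) when no service is enabled."""
    raw = (raw or "").strip()
    if raw in ("", "null"):
        return []
    return [entry.split("/", 1)[0] for entry in raw.split(":") if entry]


def overlay_allowed(raw: str) -> bool:
    """True when the appops line reads 'SYSTEM_ALERT_WINDOW: allow; ...'.
    'No operations.' or a 'deny'/'default' mode means no overlay permission."""
    for line in raw.splitlines():
        if line.startswith("SYSTEM_ALERT_WINDOW:"):
            mode = line.split(":", 1)[1].split(";", 1)[0].strip()
            return mode == "allow"
    return False


def triage(snap: Snapshot) -> list[Finding]:
    """Flag packages outside the allowlists; a package that both runs an
    Accessibility service and can draw overlays is rated critical, because that
    is exactly the combination an overlay-based credential thief needs."""
    findings: list[Finding] = []
    a11y_pkgs = parse_accessibility_services(snap.enabled_accessibility_services)
    for pkg in a11y_pkgs:
        if pkg not in TRUSTED_ACCESSIBILITY:
            findings.append(Finding("high", pkg, "unexpected Accessibility service enabled"))
    for role, trusted in TRUSTED_ROLE_HOLDERS.items():
        for pkg in snap.role_holders.get(role, "").split(";"):
            pkg = pkg.strip()
            if pkg and pkg not in trusted:
                findings.append(Finding("high", pkg, f"holds {role.rsplit('.', 1)[1]} role (can hide SMS/calls)"))
    for pkg, raw in snap.appops.items():
        if overlay_allowed(raw):
            if pkg in a11y_pkgs:
                findings.append(Finding("critical", pkg, "draws over other apps and runs an Accessibility service"))
            else:
                findings.append(Finding("medium", pkg, "draws over other apps"))
    return findings


def worst_severity(findings: list[Finding]) -> str:
    return max((f.severity for f in findings), key=SEVERITY_RANK.get, default="info")


def sample_snapshot() -> Snapshot:
    """Constructed snapshot of a device where one fake 'security' app has taken
    every position the article describes.  Not real device output."""
    return Snapshot(
        enabled_accessibility_services=(
            "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:"
            "com.example.fakeprotect/.ProtectAccessibilityService"
        ),
        role_holders={
            "android.app.role.SMS": "com.example.fakeprotect",
            "android.app.role.DIALER": "com.example.fakeprotect",
        },
        appops={
            "com.example.fakeprotect": "SYSTEM_ALERT_WINDOW: allow; time=+3m12s ago",
            "com.google.android.apps.messaging": "No operations.",
        },
    )


if __name__ == "__main__":
    results = triage(sample_snapshot())
    for f in results:
        print(f"[{f.severity}] {f.package}: {f.reason}")
    print("overall:", worst_severity(results))
```

On a fleet, the snapshot would be gathered per device and the "critical" combination alerted on directly; a single package appearing in all three lists is a much stronger signal than any one permission alone, since legitimate accessibility tools rarely also need to be the default SMS app.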
