Rokarolla Android Trojan Targets 217 Banking and Crypto Apps With 137 Commands
Security researchers at Zimperium's zLabs have uncovered a new Android banking trojan dubbed Rokarolla, named after its command-and-control infrastructure. The malware targets 217 banking and cryptocurrency applications and exposes 137 remote commands to its operators, granting near-total control over infected devices. Rokarolla lifts lock-screen PINs, reads and sends SMS messages, rewrites the clipboard to redirect crypto payments, and disables Google Play Protect. Distribution occurs through malicious websites impersonating popular apps such as TikTok and Chrome, where victims are first tricked into installing a dropper disguised as Google Play Protect itself.
Once installed, the dropper requests Accessibility access, the single permission that powers the entire attack chain. Rokarolla then uses HTML overlay attacks to steal credentials, downloading fake login pages for each targeted app and displaying them on top of legitimate banking or wallet applications when the victim opens them. A separate overlay mimics the Android lock screen to capture PINs, patterns, and passwords, allowing operators to unlock the device even when it is secured. The trojan reads all SMS on the device and can send messages independently, which is sufficient to intercept the one-time passcodes banks use to authorize logins and transactions. By becoming the default app for calls and texts, it can also block incoming calls from the bank.
Beyond credential theft, Rokarolla includes a keylogger, screen logger, contact scraper, and notification reader. Its clipboard hijacker silently swaps copied crypto wallet addresses with attacker-controlled ones, redirecting payments. For surveillance, the malware avoids the visible MediaProjection casting prompt and instead takes screenshots through Accessibility services, compressing them to PNG and exfiltrating them one frame at a time. With multiple fallback C2 domains and the ability to receive new ones on the fly, taking down a single server has limited effect. The playbook mirrors other 2026 Android banking families like HOOK and Klopatra: fake-app droppers, Accessibility abuse, and HTML overlays.
Because Rokarolla is malware rather than a product vulnerability, there is no patch to apply. Defenders are advised to install apps only from Google Play, leave Google Play Protect enabled, and treat any unsolicited Accessibility prompt as a critical red flag. Users should also verify their credentials have not been exposed using an email breach checker, strengthen authentication with a reliable password checker, and confirm their device is not leaking identifying data via a browser fingerprint test. Zimperium confirms its products detect the Rokarolla family.
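The chain described above hinges on two device settings a defender can audit: which Accessibility services are enabled and which app holds the default SMS role. The helper below is an added example, not code from Zimperium's report; it parses the output of the two adb queries named in its docstring, and the allow-lists, the fake "Play Protect" package name and the sample output are constructed assumptions.

```python
"""Triage the two device settings the Rokarolla chain relies on.

Input is the text printed by:
  adb shell settings get secure enabled_accessibility_services
  adb shell settings get secure sms_default_application
Sample values below are constructed; the dropper package name is made up.
"""

# Accessibility services a fleet expects to see enabled (assumed allow-list;
# TalkBack is shown as a typical legitimate entry).
ACCESSIBILITY_ALLOWLIST = {
    "com.google.android.marvin.talkback/"
    "com.google.android.marvin.talkback.TalkBackService",
}
# Messaging apps accepted as the default SMS handler (assumed allow-list).
SMS_ALLOWLIST = {"com.google.android.apps.messaging", "com.samsung.android.messaging"}
# A third-party package naming itself after Play Protect is a warning sign.
IMPERSONATION_HINTS = ("playprotect", "play_protect", "googleplay")


def parse_setting_list(raw):
    """Split a colon-separated settings value; 'null' or empty means unset."""
    raw = (raw or "").strip()
    if raw in ("", "null"):
        return []
    return [item for item in raw.split(":") if item]


def triage(accessibility_raw, sms_raw):
    """Return (severity, message) findings; an empty list means nothing odd."""
    findings, suspect_pkgs = [], set()
    for svc in parse_setting_list(accessibility_raw):
        if svc in ACCESSIBILITY_ALLOWLIST:
            continue
        pkg = svc.split("/", 1)[0]
        suspect_pkgs.add(pkg)
        sev = "HIGH" if any(h in pkg.lower() for h in IMPERSONATION_HINTS) else "MEDIUM"
        findings.append((sev, f"unexpected accessibility service enabled: {svc}"))
    sms = (sms_raw or "").strip()
    if sms and sms != "null" and sms not in SMS_ALLOWLIST:
        findings.append(("HIGH", f"unexpected default SMS app: {sms}"))
        # One package holding both roles is the combination described above.
        if sms in suspect_pkgs:
            findings.append(("CRITICAL", f"{sms} holds accessibility and default SMS roles"))
    return findings


# Constructed sample: TalkBack plus a fake "Play Protect" package that also
# made itself the default SMS app.
SAMPLE_ACCESSIBILITY = (
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:"
    "com.example.playprotect/com.example.playprotect.CoreService"
)
SAMPLE_SMS = "com.example.playprotect"

if __name__ == "__main__":
    for sev, msg in triage(SAMPLE_ACCESSIBILITY, SAMPLE_SMS):
        print(f"[{sev}] {msg}")
```

On a real device, run the two adb commands and pass their output to `triage`; a clean device returns an empty list.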