New Rokarolla Android malware targets banking and crypto apps

A new Android banking trojan called Rokarolla targets 217 banking and cryptocurrency apps and uses 137 remote commands to steal data, take over devices and redirect payments, according to a technical analysis by Zimperium’s zLabs.

KEY FACTS

  • Targets: 217 banking and cryptocurrency apps.
  • Commands: 137 remote commands give operators broad control.
  • Delivery: Malicious websites pose as popular apps such as TikTok and Chrome.
  • Capabilities: It can read SMS, capture PINs, rewrite the clipboard and disable Google Play Protect.

The malware begins with a dropper that pretends to be Google Play Protect and requests Accessibility access before installing the payload. Once active, a single command can switch off Play Protect, removing one of Android's built-in defenses before the rest of the operation starts.

Rokarolla uses overlays to steal credentials. The report says it downloads fake HTML login pages for apps on its target list and displays them over real banking or wallet apps, capturing text typed by the victim, including card details. It also uses a fake lock screen to collect PINs, patterns or passwords.

The trojan can read and send SMS messages, which lets it intercept one-time codes used for bank logins and transfers. By setting itself as the default app for calls and texts, it can also block warning calls from a bank. It logs keystrokes, records the screen, scrapes contacts and notifications, and can replace copied crypto wallet addresses with attacker-controlled ones.

For surveillance, the malware uses its Accessibility service to take screenshots, compresses them as PNG files and sends them out one frame at a time. The report says this approach avoids the user-facing consent prompt that MediaProjection screen casting requires, so the victim never sees a recording warning.

Rokarolla also uses multiple fallback command-and-control domains and can be pushed new ones by its operators. Zimperium did not identify a named group behind the malware, and the disclosure says the usual defenses apply: install apps only from Google Play, keep Play Protect enabled and treat unexpected Accessibility requests as suspicious.
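Every capability described above hinges on two things the victim grants: an enabled Accessibility service and the default SMS/dialer roles. Both are visible from `adb`, so a fleet or incident-response check can flag them without any vendor tooling. The following triage script is an added example and is not part of Zimperium's report or the malware analysis; the allowlisted package names are assumptions to be replaced with what your own fleet is expected to run, and the `dialer_default_application` key is a hidden setting that may be empty on newer Android builds (where `adb shell dumpsys role` shows the role holders instead). The sample values it runs against by default are constructed, so the script works offline; pass `--live` to read from a connected device.

```shell
#!/bin/sh
# Added example: flag Accessibility services and default SMS/dialer apps that
# are not on an allowlist. Values come from `adb shell settings get secure <key>`
# (or the constructed samples below when no device is attached).

# Assumed allowlists for this fleet; replace with your own expected packages.
ALLOWED_A11Y="com.google.android.marvin.talkback com.android.systemui"
ALLOWED_SMS="com.google.android.apps.messaging com.android.mms"
ALLOWED_DIALER="com.google.android.dialer com.android.dialer"

# Constructed sample output: TalkBack plus a fake "protect" app that has been
# granted Accessibility and made the default SMS app (assumed names).
SAMPLE_A11Y='com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:com.example.fakeprotect/.GuardService'
SAMPLE_SMS='com.example.fakeprotect'
SAMPLE_DIALER='com.google.android.dialer'

# in_list WORD "LIST": true if WORD is one of the space-separated LIST entries.
in_list() {
    case " $2 " in
        *" $1 "*) return 0 ;;
    esac
    return 1
}

# suspicious_a11y "pkg/Service:pkg2/Service2": prints the packages of enabled
# Accessibility services that are not allowlisted. The setting reads "null"
# when no service is enabled.
suspicious_a11y() {
    list="$1"
    out=""
    [ "$list" = "null" ] && { echo ""; return 0; }
    IFS=':'
    for entry in $list; do
        pkg="${entry%%/*}"          # strip the "/ServiceClass" part
        in_list "$pkg" "$ALLOWED_A11Y" || out="$out $pkg"
    done
    unset IFS
    echo "${out# }"
}

# triage A11Y SMS DIALER: prints one finding per line, returns the count.
triage() {
    findings=0
    for pkg in $(suspicious_a11y "$1"); do
        echo "ACCESSIBILITY: unexpected service package $pkg"
        findings=$((findings + 1))
    done
    if ! in_list "$2" "$ALLOWED_SMS"; then
        echo "SMS: unexpected default SMS app $2 (can read one-time codes)"
        findings=$((findings + 1))
    fi
    if ! in_list "$3" "$ALLOWED_DIALER"; then
        echo "DIALER: unexpected default dialer $3 (can block bank calls)"
        findings=$((findings + 1))
    fi
    return $findings
}

if [ "${1:-}" = "--live" ]; then
    get() { adb shell settings get secure "$1" | tr -d '\r'; }
    triage "$(get enabled_accessibility_services)" \
           "$(get sms_default_application)" \
           "$(get dialer_default_application)"
else
    triage "$SAMPLE_A11Y" "$SAMPLE_SMS" "$SAMPLE_DIALER"
fi
echo "findings: $?"
```

On the constructed sample the script reports the fake app twice (Accessibility and SMS) and exits with a count of 2; a clean device reports nothing. The allowlist approach is deliberate: a dropper that calls itself "Google Play Protect" will not look suspicious by name, so the check keys on package identity rather than on the label the user saw.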

WHY IT MATTERS

Rokarolla shows how Android banking malware now combines credential theft, device takeover and payment redirection in one package. Because it depends on user-granted permissions and sideloaded fake apps rather than on any platform exploit, the main defenses remain cautious app installation and prompt refusal of unusual access requests.