Security researchers at Zimperium’s zLabs have unveiled a sophisticated new Android banking trojan, Rokarolla, which has the capability to target an impressive 217 banking and cryptocurrency applications while boasting a staggering 137 remote commands. This malware provides its operators with extensive control over infected devices, enabling them to extract lock-screen PINs, read and send SMS messages, manipulate the clipboard to reroute cryptocurrency payments, and disable Google Play Protect.
Mechanism of Infection
Rokarolla derives its name from its command-and-control servers and spreads through deceptive websites masquerading as popular applications like TikTok and Chrome. Victims unwittingly install a dropper that impersonates Google Play Protect, which facilitates the installation of the malware payload and secures Accessibility access. Once operational, one of its commands disables Play Protect, leaving the device vulnerable.
Stealthy Data Theft
The trojan employs overlay techniques for data theft. It retrieves a target list from its server and, for each active app, downloads a counterfeit HTML login page, storing it in a local database. When a victim accesses their legitimate banking or wallet application, the malware overlays the fake page, capturing everything typed, including sensitive card details.
For instance, one documented fake page imitates the banking app ‘imagin.’ Additionally, an overlay mimicking the Android lock screen is utilized to capture PINs, patterns, or passwords, granting operators control even when the device is locked.
Comprehensive Surveillance Capabilities
Rokarolla’s capabilities extend to reading every SMS on the device and sending messages autonomously, allowing it to intercept SMS one-time codes that banks use for login and transaction approvals. By setting itself as the default app for texts and calls, it can block incoming calls, ensuring that any alerts from the bank go unnoticed.
The malware also incorporates a keylogger and screen logger to document user inputs and screen activity. Furthermore, it scrapes contacts and reads notifications, while the clipboard is silently rewritten to substitute attacker wallet addresses, diverting copied crypto payments to unintended accounts.
Advanced Surveillance Techniques
In terms of surveillance, Rokarolla avoids the conventional MediaProjection screen casting, which typically triggers a visible recording prompt. Instead, it captures screenshots through Accessibility, compresses them into PNG format, and transmits them one frame at a time, an approach that is both simpler and more discreet than the live hidden VNC methods employed by other malware families like Klopatara.
Resilience and Defense Strategies
The malware is equipped with multiple fallback command-and-control domains and can receive new ones dynamically, rendering the takedown of a single server ineffective. With 137 commands at its disposal, Rokarolla surpasses the 107 commands identified in the HOOK trojan, following a similar playbook that has emerged in the wave of Android banking malware in 2026: fake-app droppers, Accessibility exploitation, and HTML overlays.
Importantly, there is no patch for this threat: it is not a product flaw but malicious software. Users are advised to adhere to standard defenses against Android banking threats: install applications solely from Google Play, keep Play Protect enabled, and treat any unexpected Accessibility requests as potential red flags, given that this permission is crucial to the attack chain.
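Two of the signals described above, an unexpected Accessibility service and a takeover of the default SMS/calling app, are checkable from a device baseline. The triage helper below is an added example, not code from Zimperium or from the article; it assumes the input strings have the shape of `adb shell settings get secure enabled_accessibility_services` (colon-separated `package/ServiceClass`) and `adb shell cmd role get-role-holders android.app.role.SMS` output, and the allowlists and the `com.example.fakeprotect` package are placeholders.

```python
"""Triage helper: flag Accessibility services and SMS-role holders that are
not on an allowlist. The sample inputs are constructed strings shaped like
the (assumed) output of the two adb commands named in the lead-in."""
from dataclasses import dataclass

# Hypothetical allowlist of packages a fleet expects to hold these
# capabilities; a real baseline would be built from known-good devices.
TRUSTED_ACCESSIBILITY = {"com.google.android.marvin.talkback"}
TRUSTED_SMS_HOLDERS = {"com.google.android.apps.messaging"}


@dataclass(frozen=True)
class Finding:
    kind: str      # "accessibility" or "sms_role"
    package: str
    detail: str


def parse_accessibility_services(raw: str) -> list[tuple[str, str]]:
    """Split the colon-separated 'package/ServiceClass' list. A class name
    beginning with '.' is Android's shorthand for 'relative to the package'."""
    entries = []
    for item in raw.strip().split(":"):
        if not item:
            continue
        package, _, service = item.partition("/")
        if service.startswith("."):
            service = package + service
        entries.append((package, service))
    return entries


def triage(accessibility_raw: str, sms_role_raw: str) -> list[Finding]:
    """Return one Finding per package outside the allowlists."""
    findings = []
    for package, service in parse_accessibility_services(accessibility_raw):
        if package not in TRUSTED_ACCESSIBILITY:
            findings.append(Finding("accessibility", package,
                                    f"unexpected Accessibility service {service}"))
    for holder in sms_role_raw.split():
        if holder not in TRUSTED_SMS_HOLDERS:
            findings.append(Finding("sms_role", holder, "unexpected default SMS app"))
    return findings


# Constructed sample: a sideloaded app (placeholder package name) holds
# Accessibility alongside TalkBack and has taken over the SMS role.
SAMPLE_ACCESSIBILITY = (
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:"
    "com.example.fakeprotect/.AccessService")
SAMPLE_SMS_ROLE = "com.example.fakeprotect"

if __name__ == "__main__":
    for f in triage(SAMPLE_ACCESSIBILITY, SAMPLE_SMS_ROLE):
        print(f.kind, f.package, f.detail)
```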
Zimperium has confirmed that its products can detect this malware family, and the indicators of compromise are available in its GitHub repository. While Zimperium has not linked Rokarolla to any specific group, the sophistication of its design indicates a clear intent: to circumvent the very protections that users are advised to rely upon, from Play Protect to the lock screen.