Security researchers at Zimperium’s zLabs have uncovered a powerful new Android banking trojan called Rokarolla, capable of targeting hundreds of banking and cryptocurrency applications while giving cybercriminals extensive control over infected devices.
According to the researchers, Rokarolla targets 217 banking and cryptocurrency apps and implements 137 remote commands, making it one of the most feature-rich Android banking malware families identified in recent years.
How Rokarolla Spreads
The malware is distributed through malicious websites that impersonate popular applications such as TikTok and Google Chrome. Victims are tricked into downloading what appears to be a legitimate application, but the initial file is actually a dropper designed to install the malware.
To increase its chances of success, the dropper disguises itself as Google Play Protect, Android's built-in anti-malware feature. Borrowing that name lends the request credibility when the app asks the user to enable it as an Accessibility Service, the permission on which the rest of the attack chain depends.
Once the malware is installed and granted the required permissions, it can execute a command that disables Google Play Protect, removing one of Android’s primary security defenses.
Advanced Banking Credential Theft
Rokarolla relies heavily on overlay attacks to steal sensitive information.
The malware downloads a list of targeted applications from its command-and-control (C2) server. For each supported app, it retrieves a fake login page and stores it locally on the device.
When a victim launches a legitimate banking or cryptocurrency application, Rokarolla displays the counterfeit login page over the real app, tricking users into entering their credentials.
These phishing overlays can capture:
- Usernames and passwords
- Banking credentials
- Credit and debit card information
- Cryptocurrency wallet details
- Authentication data
Researchers observed one overlay specifically designed to mimic the login page of the popular banking app imagin.
Lock Screen Theft and Device Control
Beyond banking credential theft, Rokarolla can also compromise Android lock screens.
The malware displays fake lock-screen overlays that imitate Android’s authentication interface, allowing attackers to capture:
- PIN codes
- Unlock patterns
- Passwords
With the lock-screen secret in hand, the operators can unlock the device themselves, for instance to act on it remotely while it sits idle and locked.
SMS Interception and Call Blocking
Rokarolla has extensive messaging capabilities that enable attackers to defeat SMS-based two-factor authentication (2FA).
The malware can:
- Read all incoming SMS messages
- Send SMS messages remotely
- Intercept one-time passwords (OTPs)
- Monitor banking verification codes
Additionally, Rokarolla can set itself as the device's default messaging and calling application, which grants it full read and write access to SMS without further per-message prompts. This also allows it to block incoming calls, potentially preventing victims from receiving fraud alerts or verification calls from their banks.
Clipboard Hijacking Targets Cryptocurrency Users
One of Rokarolla’s most dangerous features is clipboard manipulation.
When users copy a cryptocurrency wallet address, the malware silently replaces it with an attacker-controlled wallet address. As a result, funds intended for a legitimate recipient can be redirected to cybercriminals without the victim noticing.
This technique has become increasingly common among malware targeting cryptocurrency holders.
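The address-swapping logic described above, together with the one check that defeats it, as an added example that is not part of the Zimperium report or the malware itself. The address patterns, the attacker address and the sample clipboard text are all constructed for the example; the page does not say which coins Rokarolla handles.

```python
import re

# Address formats a clipper typically pattern-matches on (constructed for this example).
ADDRESS_PATTERNS = {
    "btc_legacy": re.compile(r"\b[13][a-km-zA-HJ-NP-Z1-9]{25,34}\b"),
    "btc_bech32": re.compile(r"\bbc1[ac-hj-np-z02-9]{25,62}\b"),
    "eth":        re.compile(r"\b0x[0-9a-fA-F]{40}\b"),
}


def find_addresses(text):
    """Return (kind, address) pairs for every wallet address found in the text."""
    found = []
    for kind, pattern in ADDRESS_PATTERNS.items():
        for match in pattern.finditer(text):
            found.append((kind, match.group(0)))
    return found


def clipper_swap(text, attacker_addresses):
    """Mirror of the malware's clipboard step: every address of a known kind is
    replaced by the attacker's address of the same kind, so length and prefix
    still look plausible to the victim. attacker_addresses is a constructed map."""
    for kind, pattern in ADDRESS_PATTERNS.items():
        replacement = attacker_addresses.get(kind)
        if replacement:
            text = pattern.sub(replacement, text)
    return text


def paste_was_tampered(copied, pasted):
    """Defender-side check: what lands in the send field must be byte-identical
    to what the user copied. Comparing only the first and last few characters is
    not enough, because the attacker controls those too."""
    return copied.strip() != pasted.strip()


# Constructed sample: a message a victim might copy an address from.
SAMPLE_CLIPBOARD = "Send 0.5 ETH to 0x1234567890abcdef1234567890abcdef12345678 by Friday"
# Constructed attacker-controlled address (not a real wallet).
ATTACKER = {"eth": "0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef"}


if __name__ == "__main__":
    swapped = clipper_swap(SAMPLE_CLIPBOARD, ATTACKER)
    print("found   :", find_addresses(SAMPLE_CLIPBOARD))
    print("swapped :", swapped)
    print("tampered:", paste_was_tampered(SAMPLE_CLIPBOARD, swapped))
```

The swap keeps the `0x` prefix and the 40-hex-character length, which is why a glance at the pasted value rarely catches it; the only reliable user-side defence is comparing the whole address against the source, and the only reliable device-side defence is keeping untrusted apps away from the clipboard and Accessibility Services in the first place.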
Keylogging and Silent Surveillance
The trojan includes multiple surveillance capabilities designed to monitor user activity.
Its features include:
- Keylogging
- Notification monitoring
- Contact harvesting
- Screen activity tracking
- Screenshot collection
Unlike Android malware families that rely on the MediaProjection screen-casting API, which requires a user consent dialog and shows a persistent recording notification, Rokarolla takes a stealthier approach.
Instead of live screen streaming, it uses its Accessibility Service access to capture screenshots, encodes each one as a PNG file, and sends them to its operators frame by frame. This avoids the consent prompt and the recording indicator while still giving attackers detailed visibility into user activity.
Resilient Command-and-Control Infrastructure
Rokarolla employs multiple backup command-and-control servers to maintain communication with infected devices.
If one server is taken offline, operators can quickly switch to alternative domains or deploy new servers dynamically. This redundancy makes disruption efforts significantly more challenging.
Researchers noted that Rokarolla’s 137 remote commands exceed the 107 commands previously observed in the HOOK banking trojan, highlighting the malware’s advanced capabilities and flexibility.
Part of a Growing Android Banking Malware Trend
The attack techniques used by Rokarolla align with broader trends seen across Android banking malware campaigns in 2026.
Common tactics include:
- Fake application installers
- Accessibility Service abuse
- Banking overlays
- Credential theft
- SMS interception
- Remote device control
These methods continue to evolve as cybercriminals seek to bypass Android’s built-in security protections.
How Users Can Protect Themselves
Since Rokarolla is malware rather than a vulnerability in Android itself, there is no software patch that eliminates the threat; the defence is to deny it the installation and the Accessibility Service access it depends on.
Security experts recommend the following precautions:
- Download apps only from the Google Play Store
- Keep Google Play Protect enabled
- Avoid installing applications from unknown websites
- Be cautious of unexpected Accessibility Service requests
- Regularly review installed apps and permissions
- Use mobile security solutions capable of detecting banking malware
Researchers emphasize that Accessibility permissions play a central role in Rokarolla's attack chain. Any application requesting such access without a clear reason should be treated with suspicion. On Android 13 and later, an app sideloaded from a website cannot be granted Accessibility access until the user explicitly allows "restricted settings" for it, so an installer that walks you through that extra step is itself a warning sign.
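For anyone triaging a device rather than just advising users, the three signals the report highlights (an unexpected enabled Accessibility Service, an app that has made itself the default SMS handler, and an overlay-capable app) can be pulled over adb and correlated. The script below is an added example, not tooling from Zimperium; it parses the output of `adb shell settings get secure enabled_accessibility_services`, `adb shell settings get secure sms_default_application` and `adb shell appops get <pkg> SYSTEM_ALERT_WINDOW`. The allowlists, the brand-to-namespace table and the sample outputs are constructed assumptions and should be tuned to your own device baseline; the package name `com.example.playprotect.update` is invented for the sample and is not an indicator from the report.

```python
# Starting allowlist of accessibility-service packages present on stock devices (assumption; extend for your fleet).
ACCESSIBILITY_ALLOWLIST = {
    "com.google.android.marvin.talkback",
    "com.android.talkback",
}
# Default SMS handlers you expect to see (assumption).
KNOWN_SMS_APPS = {"com.google.android.apps.messaging", "com.samsung.android.messaging"}
# Brands the report says this campaign impersonates, mapped to the namespaces the genuine apps live in (assumption).
IMPERSONATED = {
    "playprotect": ("com.google.android.",),
    "chrome": ("com.android.chrome", "com.chrome."),
}


def parse_accessibility_services(value):
    """Parse the colon-separated 'package/class' list stored in enabled_accessibility_services."""
    value = value.strip()
    if not value or value == "null":
        return []
    services = []
    for entry in value.split(":"):
        pkg, _, cls = entry.partition("/")
        if cls.startswith("."):          # relative class names are allowed in this setting
            cls = pkg + cls
        services.append((pkg, cls))
    return services


def parse_appops_mode(output):
    """Extract the mode ('allow', 'deny', 'ignore', ...) from 'appops get <pkg> SYSTEM_ALERT_WINDOW' output."""
    for line in output.splitlines():
        if line.startswith("SYSTEM_ALERT_WINDOW:"):
            return line.split(":", 1)[1].split(";")[0].strip()
    return "default"                      # 'No operations.' or no output at all


def impersonation_hint(pkg, cls):
    """Return the brand a service name borrows when the package is outside that brand's genuine namespace."""
    blob = (pkg + cls).lower().replace("_", "").replace(".", "")
    for brand, genuine_prefixes in IMPERSONATED.items():
        if brand in blob and not pkg.startswith(genuine_prefixes):
            return brand
    return None


def triage(accessibility_value, default_sms_app, appops_outputs):
    """Correlate the three signals; returns (package, reason) tuples in the order found."""
    findings = []
    for pkg, cls in parse_accessibility_services(accessibility_value):
        if pkg in ACCESSIBILITY_ALLOWLIST:
            continue
        reasons = ["enabled accessibility service outside allowlist"]
        brand = impersonation_hint(pkg, cls)
        if brand:
            reasons.append(f"name impersonates {brand}")
        if parse_appops_mode(appops_outputs.get(pkg, "")) == "allow":
            reasons.append("also holds SYSTEM_ALERT_WINDOW (overlay capable)")
        findings.append((pkg, "; ".join(reasons)))
    if default_sms_app and default_sms_app not in KNOWN_SMS_APPS:
        findings.append((default_sms_app, "unexpected default SMS app (can read OTPs)"))
    return findings


# Constructed sample outputs, as the three adb commands above would print them on an infected device.
SAMPLE_ACCESSIBILITY = (
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:"
    "com.example.playprotect.update/.GuardService"
)
SAMPLE_DEFAULT_SMS = "com.example.playprotect.update"
SAMPLE_APPOPS = {
    "com.example.playprotect.update": "SYSTEM_ALERT_WINDOW: allow; time=+12m3s110ms ago\n",
}

if __name__ == "__main__":
    for pkg, why in triage(SAMPLE_ACCESSIBILITY, SAMPLE_DEFAULT_SMS, SAMPLE_APPOPS):
        print(f"[!] {pkg}: {why}")
```

Treat the SYSTEM_ALERT_WINDOW line as a hint, not a clearance: an enabled Accessibility Service can draw overlay windows of its own without holding that permission, so a non-allowlisted service with a "deny" or "default" mode still needs a look.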
Final Thoughts
Rokarolla demonstrates how Android banking malware continues to evolve into increasingly sophisticated threats. By combining credential theft, lock-screen bypass techniques, SMS interception, clipboard hijacking, and extensive remote control capabilities, the malware gives attackers near-complete control over infected devices.
While Zimperium has not attributed Rokarolla to any known threat group, the malware’s advanced feature set and ability to undermine core Android security protections make it a significant threat to banking and cryptocurrency users worldwide.
