A newly discovered Android trojan named Rokarolla is designed to target 217 banking applications and has the ability to capture your PIN, SMS verification codes, and funds from cryptocurrency wallets.
**TL;DR** Zimperium has discovered Rokarolla, an Android trojan that targets 217 banking apps and has 137 commands. It is capable of stealing PINs, intercepting SMS messages, and hijacking cryptocurrency transactions.
Security researchers from Zimperium’s zLabs have identified a new Android banking trojan named Rokarolla, which can target 217 banking and cryptocurrency apps and execute 137 remote commands, allowing an attacker extensive control over an infected device. The malware steals lock-screen PINs, reads and sends SMS messages, alters the clipboard to divert cryptocurrency payments, and disables Google Play Protect.
Rokarolla spreads via malicious websites that impersonate popular apps such as TikTok and Chrome. Victims first download a dropper disguised as Google Play Protect, which installs the main payload and obtains Accessibility access. Once running, one of the trojan's first commands disables Play Protect, removing the main automated protection most Android users have.
The malware conducts financial theft using overlays. Rokarolla retrieves a list of targets from its server, and for each active banking or wallet app, it downloads a fake HTML login page and saves it locally. When the user opens the genuine app, the malware overlays the counterfeit page and captures all keystrokes, including card details and login information.
A distinct overlay simulates the Android lock screen to collect the device’s PIN, pattern, or password, enabling the operator to issue commands even when the phone is locked. The trojan also reads all SMS messages on the device and is capable of sending messages, allowing it to intercept one-time codes used by banks for transaction authorizations. By setting itself as the default handler for texts and calls, it can block incoming alerts, thus preventing fraud notifications from reaching the user.
A keylogger and screen logger capture what the user types and sees, while the trojan extracts contacts and reads notifications. It also silently alters the clipboard, inserting attacker-controlled wallet addresses to ensure that copied cryptocurrency payments go to the wrong account. For surveillance purposes, Rokarolla avoids the typical MediaProjection screen-casting method, which prompts visible recording alerts, instead taking screenshots through Accessibility, compressing them into PNG format, and sending them one frame at a time.
The malware keeps several backup command-and-control domains and can obtain new ones on demand, so taking down one server does little to disrupt its operations. Its 137 commands exceed the 107 identified in the HOOK trojan, and it follows the same pattern as a wave of Android banking trojans seen in 2026: fake-app droppers, Accessibility abuse, and HTML overlays. The same techniques have already turned up in fake streaming apps targeting 2026 World Cup fans.
Zimperium has not linked Rokarolla to any specific threat group, and no independent analysis has yet been published, leaving the technical claims dependent on a single source. The report details the trojan's capabilities but does not provide confirmed infection numbers, so its actual prevalence remains unclear.
There is no software patch since this issue arises from malware, not a vulnerability in a product. The recommended defenses against Android bankers include installing apps solely from Google Play, keeping Play Protect enabled, and considering any unexpected requests for Accessibility permissions as potential red flags, as this single permission facilitates the entire attack process. Zimperium states that its products can detect this malware family, and the indicators of compromise have been made available in its GitHub repository.
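The defenses above, together with the behaviours described earlier (an unexpected Accessibility service, the trojan registering itself as the default SMS handler, and a dropper fetched from a look-alike website rather than Google Play), translate into three device-side checks an administrator can run over adb. The script below is an added example, not code from Zimperium's report, its GitHub repository, or the article. It assumes adb is on the PATH with one authorized device attached, that the device still exposes the `sms_default_application` secure setting, and that the allowlisted Accessibility service and expected SMS app are placeholders to adjust for your own fleet; every sample value in the comments and checks is constructed, not an indicator from the report.

```shell
#!/bin/sh
# Device triage for the red flags described in the article (added example; not
# code from Zimperium or the article). Each check is a plain text filter over
# adb output, so the same functions work on a live device or on saved output.
# Assumptions: adb on PATH with one authorized device; the allowlist and the
# expected SMS app below are placeholders, not values from the report.

# Accessibility services that are expected on the device (placeholder list).
ALLOWLIST_A11Y="com.google.android.marvin.talkback"
# The package that should be the default SMS handler (placeholder).
EXPECTED_SMS_APP="com.google.android.apps.messaging"

# Check 1: enabled accessibility services not on the allowlist.
# Input: the value of 'settings get secure enabled_accessibility_services',
# a colon-separated list like "com.a/.Svc:com.b/.Svc", or "null" when empty.
# The article's single most useful signal: a service you did not enable,
# particularly from a package posing as Play Protect.
unknown_a11y() {
  printf '%s\n' "$1" | tr ':' '\n' | grep -v -e '^null$' -e '^$' \
    | while IFS= read -r svc; do
        pkg=${svc%%/*}
        case " $ALLOWLIST_A11Y " in
          *" $pkg "*) ;;                 # allowlisted: say nothing
          *) printf '%s\n' "$svc" ;;     # unexpected service: report it
        esac
      done
}

# Check 2: default SMS handler. Rokarolla makes itself the default handler for
# texts and calls to suppress bank alerts, so any value other than the expected
# package deserves a look. Prints the observed package only if it differs.
sms_handler_check() {
  expected=$1
  observed=$2
  [ "$observed" = "$expected" ] || printf '%s\n' "$observed"
}

# Check 3: third-party packages not installed by Google Play. Input: lines from
# 'pm list packages -i -3', formatted as
#   package:com.example.app  installer=com.android.vending
# A dropper downloaded from a look-alike website shows installer=null or a
# browser/file-manager package instead of the Play Store.
sideloaded_packages() {
  while IFS= read -r line; do
    case "$line" in package:*) ;; *) continue ;; esac
    pkg=${line#package:}
    pkg=${pkg%% *}
    installer=${line##*installer=}
    case "$installer" in
      com.android.vending) ;;
      *) printf '%s\n' "$pkg" ;;
    esac
  done
}

# Run all three checks against the attached device (read-only: settings and
# package metadata are only queried, nothing is changed or removed).
triage_live() {
  echo "== accessibility services not on the allowlist =="
  unknown_a11y "$(adb shell settings get secure enabled_accessibility_services | tr -d '\r')"
  echo "== default SMS handler (empty means it matches the expected app) =="
  sms_handler_check "$EXPECTED_SMS_APP" \
    "$(adb shell settings get secure sms_default_application | tr -d '\r')"
  echo "== third-party packages not installed by Google Play =="
  adb shell pm list packages -i -3 | tr -d '\r' | sideloaded_packages
}

# Only touch a device when asked, so the functions can be sourced or run offline.
if [ "${1:-}" = "--live" ]; then
  triage_live
fi
```

Run it as `sh triage.sh --live` with the device attached. The script reports and changes nothing; Play Protect's own on/off state is not covered because it is not exposed through a settings key this script can rely on, so confirm it in the Play Store app. Treat a hit on the first check as the strongest signal here: Accessibility is the one permission the article identifies as enabling the overlay, keylogging, screenshot and lock-screen stages of the attack.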