A recently discovered Android trojan named Rokarolla is designed to target 217 banking applications and has the capability to steal your PIN, SMS verification codes, and funds from cryptocurrency wallets.
**TL;DR**
Zimperium has discovered Rokarolla, an Android trojan affecting 217 banking apps with 137 remote commands, enabling extensive control over infected devices. It can steal PINs, intercept SMS messages, and redirect cryptocurrency payments.
Researchers at Zimperium’s zLabs have uncovered a new Android banking trojan named Rokarolla, which targets 217 banking and cryptocurrency applications while featuring 137 remote commands that provide nearly complete control of an infected device. This malware, named after its command-and-control structure, is capable of stealing lock-screen PINs, accessing and sending SMS messages, altering the clipboard to reroute cryptocurrency payments, and disabling Google Play Protect.
Rokarolla propagates through malicious websites impersonating popular apps such as TikTok and Chrome. Victims first install a dropper disguised as Google Play Protect, which installs the main malware payload and obtains Accessibility access. One of its initial commands disables Play Protect, eliminating a key defense mechanism for most Android users.
The trojan conducts financial theft using overlays. It retrieves a target list from its server and, for each active banking or wallet app, it downloads a counterfeit HTML login page and saves it in a local database. When the victim launches the legitimate app, the malware displays the fake page on top, capturing everything entered, including card details and login information.
Additionally, a separate overlay mimics the Android lock screen to acquire the device's PIN, pattern, or password, allowing the operator to execute commands even when the phone is locked. The trojan monitors all SMS on the device and can send messages, effectively intercepting one-time codes used by banks for transaction authorizations. By setting itself as the default handler for texts and calls, it can block incoming calls, preventing fraud alerts from reaching the user.
A keylogger and screen logger track user input and on-screen content, while the trojan collects contacts and reads notifications. It silently rewrites the clipboard to replace copied wallet addresses with attacker-controlled ones, so that a pasted cryptocurrency payment goes to the wrong account. For surveillance, Rokarolla bypasses the usual MediaProjection screen-casting method, which shows a recording indicator, and instead captures screenshots through Accessibility, compresses them to PNG, and transmits them one frame at a time.
The malware keeps multiple backup command-and-control domains and can dynamically receive new ones, meaning that taking down a single server has minimal impact on its operations. With 137 commands, it surpasses the 107 observed in the HOOK trojan, and it employs the same tactics seen in a recent wave of Android banking trojans: fake-app droppers, Accessibility exploitation, and HTML overlays. Similar techniques have already been identified in fake streaming applications targeting fans of World Cup 2026.
Zimperium has not linked Rokarolla to a specific threat group, and no independent analysis has yet been published, so the technical claims rest on a single source. The company’s report focuses on documented capabilities rather than confirmed infection numbers, leaving the actual extent of infections unclear.
Since this is malware rather than a product flaw, there are no software patches available. Standard defenses against Android banking trojans apply: download apps exclusively from Google Play, keep Play Protect enabled, and regard any unexpected requests for Accessibility permissions as a warning sign, as that permission is central to the attack. Zimperium claims its products can detect this malware family, and indicators of compromise are made available in its GitHub repository.
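Two of the footholds described above, an unexpected Accessibility service (the dropper's first goal) and a takeover of the default SMS handler (which lets the trojan read one-time codes), are visible in ordinary device settings. The following script is an added example, not code from Zimperium or from the report; it parses the output of two real `adb shell settings get` queries and flags packages that hold either role without being on an allowlist. The allowlists, the package name `com.example.playprotect.fake` and the sample output are constructed for illustration, and the Play Protect toggle itself is not covered here because it is checked in the Play Store UI rather than exposed as a stable settings key.

```python
"""Audit two Android settings that Rokarolla-style trojans depend on.

Added example (not Zimperium's code). It parses the output of two real
adb queries:

  adb shell settings get secure enabled_accessibility_services
  adb shell settings get secure sms_default_application

The allowlists and the sample output below are constructed for
illustration, not taken from the report.
"""
from __future__ import annotations

from dataclasses import dataclass

# Assumption: the only Accessibility services you expect on a managed
# device. Extend this for your own fleet (e.g. a deployed password manager).
EXPECTED_ACCESSIBILITY_PACKAGES = {
    "com.google.android.marvin.talkback",
}

# Assumption: messaging apps you accept as the default SMS handler.
EXPECTED_SMS_HANDLERS = {
    "com.google.android.apps.messaging",
    "com.samsung.android.messaging",
}


@dataclass(frozen=True)
class Finding:
    setting: str
    package: str
    reason: str


def parse_accessibility_services(raw: str) -> list[str]:
    """Split the colon-separated 'package/service' list into package names.

    `settings get` prints the literal string 'null' when the key is unset.
    """
    raw = raw.strip()
    if not raw or raw == "null":
        return []
    packages = []
    for entry in raw.split(":"):
        entry = entry.strip()
        if entry:
            packages.append(entry.split("/", 1)[0])
    return packages


def audit_accessibility(raw: str) -> list[Finding]:
    """Flag every enabled Accessibility service whose package is not allowlisted."""
    return [
        Finding("enabled_accessibility_services", pkg,
                "Accessibility service enabled for a package not on the allowlist")
        for pkg in parse_accessibility_services(raw)
        if pkg not in EXPECTED_ACCESSIBILITY_PACKAGES
    ]


def audit_sms_handler(raw: str) -> list[Finding]:
    """Flag a default SMS handler that is not a known messaging app."""
    pkg = raw.strip()
    if not pkg or pkg == "null" or pkg in EXPECTED_SMS_HANDLERS:
        return []
    return [Finding("sms_default_application", pkg,
                    "Default SMS handler is not a known messaging app; "
                    "it can read one-time codes and suppress messages")]


def audit_device(settings: dict[str, str]) -> list[Finding]:
    """Run both checks over a dict of 'namespace:key' -> raw adb output."""
    findings = audit_accessibility(
        settings.get("secure:enabled_accessibility_services", "null"))
    findings += audit_sms_handler(
        settings.get("secure:sms_default_application", "null"))
    return findings


def packages_with_both(findings: list[Finding]) -> set[str]:
    """Packages holding both roles: the strongest signal of a banking trojan."""
    acc = {f.package for f in findings if f.setting == "enabled_accessibility_services"}
    sms = {f.package for f in findings if f.setting == "sms_default_application"}
    return acc & sms


# Constructed sample: a device where a fake "Play Protect" package has
# enabled its Accessibility service and become the default SMS handler.
SAMPLE_SETTINGS = {
    "secure:enabled_accessibility_services":
        "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:"
        "com.example.playprotect.fake/com.example.playprotect.fake.AccService",
    "secure:sms_default_application": "com.example.playprotect.fake",
}

if __name__ == "__main__":
    results = audit_device(SAMPLE_SETTINGS)
    for f in results:
        print(f"[{f.setting}] {f.package}: {f.reason}")
    for pkg in packages_with_both(results):
        print(f"HIGH: {pkg} holds both Accessibility and default-SMS roles")
```

On a real device, replace `SAMPLE_SETTINGS` with the output of the two adb commands named in the docstring; a package that appears in both findings deserves immediate removal, since that combination matches the dropper-plus-SMS-takeover pattern the report describes.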
