Rokarolla Android Malware Targets Banking and Crypto Apps

A newly identified Android banking trojan, dubbed Rokarolla, has been discovered targeting 217 banking and cryptocurrency applications. This sophisticated malware is equipped with 137 remote commands, granting attackers extensive control over infected devices. Its capabilities include extracting lock-screen PINs, intercepting and sending SMS messages, modifying clipboard contents to redirect cryptocurrency transactions, and disabling Google Play Protect.

Rokarolla propagates through malicious websites that masquerade as popular applications like TikTok and Chrome. Upon installation, the initial dropper application poses as Google Play Protect to deceive users into granting it the necessary permissions. This deceptive approach facilitates the installation of the primary malware payload and secures access to Android’s Accessibility services. Once operational, one of Rokarolla’s commands disables Play Protect, further compromising device security.

Overlay Attacks and Credential Theft

The malware employs overlay attacks to harvest sensitive user information. It retrieves a list of target applications from its command-and-control (C2) server and, for each matching app, downloads a counterfeit HTML login page and stores it locally. When a user launches a legitimate banking or cryptocurrency app, Rokarolla superimposes the fake login page, capturing all entered credentials, including card details. For instance, it has been observed mimicking the login interface of the ‘imagin’ banking app.

Additionally, Rokarolla can overlay a fake Android lock screen to capture PINs, patterns, or passwords, enabling attackers to unlock and control the device remotely. The malware also intercepts all SMS messages, allowing it to obtain one-time passwords (OTPs) sent by banks for transaction verification. By setting itself as the default application for SMS and calls, Rokarolla can block incoming calls, preventing users from receiving alerts or warnings from their financial institutions.

Advanced Surveillance and Evasion Techniques

Rokarolla incorporates keylogging and screen logging functionalities to monitor user inputs and on-screen activities. It can access contact lists and read notifications, further expanding its surveillance capabilities. Notably, the malware manipulates the clipboard by replacing copied cryptocurrency wallet addresses with those controlled by the attackers, redirecting funds without user awareness.

To avoid detection, Rokarolla captures screenshots via Accessibility services instead of using the MediaProjection API, which would display a recording prompt. This method involves taking individual screenshots, compressing them to PNG format, and transmitting them discreetly, making it less conspicuous than live screen recording techniques used by other malware families.

The malware maintains multiple fallback C2 domains and can receive new ones dynamically, ensuring persistent communication channels even if some servers are taken down. With 137 commands at its disposal, Rokarolla surpasses the capabilities of previous trojans like HOOK, which had 107 commands. This extensive command set aligns with a broader trend observed in 2026, where Android banking malware increasingly utilizes fake app droppers, abuses Accessibility services, and employs HTML overlays to execute attacks.

Given that Rokarolla exploits user trust and system permissions rather than specific software vulnerabilities, traditional patching is ineffective. Users are advised to install applications exclusively from the Google Play Store, keep Play Protect enabled, and exercise caution with unexpected requests for Accessibility permissions, as these are often exploited in such attack chains.
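A defender-side triage check for the two grants described above (the default SMS role and Accessibility access), added here as an example and not part of the original report: it reads the device's enabled Accessibility services and SMS role holder over adb and flags packages outside an allowlist. The allowlist entries and the expected SMS app are assumptions to adjust per fleet; the sample values in the comments are constructed.

```shell
#!/bin/sh
# Added example, not from the original article. Audits an Android device for the
# two grants Rokarolla's dropper seeks: Accessibility services and the SMS role.
# Requires adb and a connected device for audit_device; the parsing helpers take
# raw strings so they can be exercised without one.

# Assumption: packages expected to run an Accessibility service on this fleet.
ALLOWED_A11Y="com.google.android.marvin.talkback"
# Assumption: the SMS app this fleet standardises on.
EXPECTED_SMS="com.google.android.apps.messaging"

# Input: raw value of 'settings get secure enabled_accessibility_services',
# e.g. "pkg.a/pkg.a.Svc:pkg.b/.Svc" or "null". Output: one package per line.
split_a11y() {
    printf '%s\n' "$1" | tr ':' '\n' | sed -n 's#^\([^/]*\)/.*#\1#p'
}

# Output: every enabled Accessibility package that is not on the allowlist.
unexpected_a11y() {
    for pkg in $(split_a11y "$1"); do
        case " $ALLOWED_A11Y " in
            *" $pkg "*) ;;                 # expected service, stay quiet
            *) printf '%s\n' "$pkg" ;;     # unexpected holder, report it
        esac
    done
}

# Input: output of 'cmd role get-role-holders android.app.role.SMS'
# (holders separated by ';' or whitespace). Returns 0 only if the sole
# holder is the expected SMS app.
sms_role_ok() {
    holders=$(printf '%s' "$1" | tr ';' '\n' | tr -d ' \t\r')
    [ "$holders" = "$EXPECTED_SMS" ]
}

# Pulls both values from the device and prints findings; exits 1 on any finding.
audit_device() {
    a11y=$(adb shell settings get secure enabled_accessibility_services)
    sms=$(adb shell cmd role get-role-holders android.app.role.SMS)
    bad=$(unexpected_a11y "$a11y")
    [ -n "$bad" ] && printf 'Unexpected Accessibility service(s):\n%s\n' "$bad"
    sms_role_ok "$sms" || printf 'Unexpected SMS role holder: %s\n' "$sms"
    [ -z "$bad" ] && sms_role_ok "$sms"
}

# Only run against a device when adb is present and one is attached.
if command -v adb >/dev/null 2>&1 && adb get-state >/dev/null 2>&1; then
    audit_device
fi
```

A package that appears in the Accessibility list or as SMS role holder without a business reason is the point at which to pull the APK for analysis rather than just revoking the grant.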

The emergence of Rokarolla underscores the evolving sophistication of Android banking malware. Its comprehensive control over infected devices and ability to circumvent standard security measures highlight the need for heightened vigilance among users. As attackers continue to refine their methods, adopting proactive security practices and staying informed about emerging threats are crucial steps in safeguarding personal and financial information.