Security researchers have discovered a new Android banking trojan called Rokarolla that targets 217 banking and cryptocurrency applications and can take near-complete control of infected devices.
Researchers at mobile security company Zimperium said the malware is being distributed through malicious websites that impersonate legitimate download pages for Google Chrome and TikTok.
During installation, the malicious app poses as Google Play Protect, Android’s built-in security system, and tricks users into installing what appears to be Chrome or TikTok. In reality, the apps contain the Rokarolla malware.
Once installed, Rokarolla requests several high-risk permissions, including access to Android Accessibility services, notifications, SMS messages and phone calls.
After gaining these permissions, the malware connects to a command-and-control server and sends basic information about the infected device, including its model, Android version, language settings, battery level, storage capacity and available memory. According to Zimperium, this information is used to generate a unique identifier for each victim.
The primary goal of Rokarolla is to steal financial information. The malware checks whether any of the 217 targeted banking or cryptocurrency apps are installed on the device and downloads phishing overlays designed for those specific applications.
When a targeted app is opened, Rokarolla displays a fake login screen to capture usernames, passwords, credit card details and other sensitive information.
The malware also uses overlay attacks to steal lock-screen PINs and patterns, allowing attackers to operate the device even when it is locked.
In addition, Rokarolla can disable Google Play Protect, hide its icon from the app drawer, silence audio alerts and keep the screen active indefinitely to avoid detection.
According to Zimperium, the malware supports 137 commands that give attackers extensive control over compromised devices. These capabilities include stealing SMS messages, extracting contact lists and WhatsApp contacts, recording keystrokes, monitoring on-screen activity, manipulating clipboard contents, blocking incoming calls and banking fraud alerts, and periodically capturing screenshots.
The combination of these features gives attackers near-total administrative control over infected devices and enables advanced financial fraud.
Zimperium said it has not found Rokarolla on the Google Play Store. Users are advised to avoid downloading Android apps from unofficial websites or third-party app stores unless they fully trust the source.
Security experts also recommend being cautious when granting Accessibility permissions, as cybercriminals frequently abuse these features to bypass Android security protections and gain elevated access to devices.
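A defender can triage a device inventory for the pattern described above: an app that did not come from Google Play, has an enabled Accessibility service, and also holds notification, SMS and call access. The sketch below is an added example, not code from Zimperium or from the malware. The package names are constructed, and mapping the article's four access types to these Android permission names and to the `enabled_accessibility_services` / `enabled_notification_listeners` secure settings is an assumption.

```python
# Runtime permissions assumed to correspond to "SMS messages" and "phone calls".
SMS = {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS",
       "android.permission.SEND_SMS"}
CALLS = {"android.permission.CALL_PHONE", "android.permission.READ_CALL_LOG",
         "android.permission.ANSWER_PHONE_CALLS"}
PLAY_STORE = "com.android.vending"  # installer package of Google Play

def owners(setting_value):
    """Package names from a colon-separated 'pkg/Class' secure-settings value."""
    return {c.split("/", 1)[0] for c in setting_value.split(":") if c}

def triage(apps, accessibility, listeners):
    """Flag sideloaded apps with an enabled Accessibility service.

    Returns (severity, package, groups) tuples; 'high' means all four
    access types from the article are present, 'review' means fewer.
    """
    a11y, notif = owners(accessibility), owners(listeners)
    findings = []
    for app in apps:
        pkg, granted = app["package"], set(app["granted"])
        groups = [name for name, hit in (
            ("accessibility", pkg in a11y),
            ("notifications", pkg in notif),
            ("sms", bool(granted & SMS)),
            ("calls", bool(granted & CALLS)),
        ) if hit]
        sideloaded = app["installer"] != PLAY_STORE
        if sideloaded and "accessibility" in groups:
            severity = "high" if len(groups) == 4 else "review"
            findings.append((severity, pkg, groups))
    return sorted(findings)  # "high" sorts before "review"

# Constructed inventory (not real indicators), e.g. from an MDM export.
APPS = [
    {"package": "com.example.fakebrowser", "installer": None,
     "granted": ["android.permission.READ_SMS", "android.permission.CALL_PHONE"]},
    {"package": "com.example.screenreader", "installer": PLAY_STORE, "granted": []},
    {"package": "com.example.sideloadedtool", "installer": "com.example.otherstore",
     "granted": []},
]
A11Y = ("com.example.fakebrowser/.Svc:com.example.screenreader/.Reader:"
        "com.example.sideloadedtool/.Helper")
LISTENERS = "com.example.fakebrowser/.Notif"

if __name__ == "__main__":
    for finding in triage(APPS, A11Y, LISTENERS):
        print(finding)
```

A "review" result is only a prompt to look closer, since legitimate sideloaded tools also use Accessibility services.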





