top of page

New Rokarolla Android Trojan Steals PINs and SMS Codes While Targeting 217 Banking and Crypto Apps

  • Jun 17
  • 3 min read

Key Findings


  • Zimperium's zLabs identified a new Android banking trojan named Rokarolla that targets 217 cryptocurrency and banking applications

  • The malware combines financial fraud with comprehensive device surveillance, featuring 137 remote commands for near-total phone control

  • Attack begins through malicious websites distributing fake versions of popular apps like TikTok and Chrome

  • Once installed, Rokarolla uses fake login overlays to steal credentials and manipulate transactions by rewriting clipboard data with attacker wallet addresses

  • The trojan disables Google Play Protect, intercepts SMS messages, captures lock-screen PINs, and silences incoming calls to prevent fraud alerts

  • No software patch exists as this is malware, not a product vulnerability


Background


Rokarolla takes its name from its command-and-control infrastructure, the server network threat actors use to send instructions to infected phones. The trojan represents an evolution in mobile threats, shifting from simple data theft toward complete device takeover. Security experts note this trend reflects broader 2026 Android banking trojan patterns combining fake-app droppers, accessibility service abuse, and HTML overlay attacks.


Attack Chain and Initial Compromise


The attack begins when users visit malicious websites like infocontablidades.it.com. These sites host malware disguised as legitimate applications such as TikTok or Google Chrome. When a victim downloads the file, a secondary dropper first executes itself, impersonating Google Play Protect security software. This social engineering trick convinces users to install the final malicious payload.


Once installed, Rokarolla requests permission to use Android Accessibility Services. The malware then hijacks these services to monitor the phone screen and track coordinates without user knowledge. It further requests to become the default SMS and call handler, enabling uninterrupted data interception.


Financial Theft Through Fake Overlays


Rokarolla employs sophisticated overlay techniques to steal financial data. When a victim opens a legitimate banking or cryptocurrency application, the malware queries its server for fake HTML-based phishing pages. It then displays these counterfeit login screens directly over the authentic apps, capturing all entered credentials including card details.


The trojan also overlays a fake PIN prompt on top of the phone's actual lock screen to steal passwords and unlock codes. This dual-layer deception gives attackers complete device access even while the phone remains locked.


Comprehensive Device Surveillance


The malware's 137 available commands provide operators with extensive control capabilities. It features an automated keylogger and UI logger that reads text messages, steals WhatsApp contact lists, tracks keystrokes, and captures screenshots. Through a snapshot-based surveillance mechanism called Pseudo-VNC, it monitors screens covertly by taking compressed PNG screenshots rather than using visible screen recording methods.


Rokarolla performs clipboard hijacking, silently replacing copied cryptocurrency wallet addresses with attacker addresses. This allows it to redirect crypto transfers without victim awareness, representing a particularly insidious form of financial manipulation.


Disabling Security Protections


To maintain its cover, Rokarolla actively disables real Google Play Protect security scans and blocks incoming phone calls using specific commands. This silences all device sounds, preventing warning alerts or fraud prevention calls from reaching victims. By keeping the device screen permanently on, it ensures background malicious actions continue uninterrupted even when the user isn't actively using the phone.


This comprehensive protection against security features renders multi-factor authentication nearly useless, as attackers can intercept SMS codes through message interception and answer verification calls before the legitimate user receives them.


Industry Perspective and Broader Threat Landscape


Mobile threat activity has surged dramatically, with 2024 recording over 4 million social engineering attacks targeting mobile devices and more than 33 million mobile malware and adware incidents blocked. Phishing attacks rose significantly during the same period. Both Android and iOS platforms face persistent threats from banking trojans, data-leaking SDKs, and insecure app practices.


Security leaders warn that employers and service providers create additional attack surface layers. Each validation request represents a new integration point, and organizations often lack cybersecurity maturity comparable to government systems, potentially becoming the weakest link in security chains.


Defense Recommendations


Experts recommend avoiding third-party links and pop-up ads for file downloads. Users should deny accessibility service requests from unverified applications and closely monitor unusual screen behavior such as devices refusing to turn off. Installation should be limited to Google Play, with Google Play Protect left enabled at all times. Zimperium's products detect the Rokarolla family, with indicators of compromise available in their GitHub repository.


Sources


  • https://hackread.com/rokarolla-android-trojan-crypto-and-banking-apps/

  • https://thehackernews.com/2026/06/new-rokarolla-android-malware-steals.html

  • https://www.reddit.com/r/pwnhub/comments/1u7fjpk/new_rokarolla_android_trojan_targets_217_banking

  • https://www.bleepingcomputer.com/news/security/new-rokarolla-android-malware-targets-217-banking-crypto-apps

  • https://x.com/Dinosn/status/2066916237373018561

  • https://thenextweb.com/news/rokarolla-android-banking-trojan-217-apps-device-takeover

Recent Posts

See All

Comments


  • Youtube

© 2025 by Explain IT Again. Powered and secured by Wix

bottom of page