Rokarolla trojan turns Android devices into banking vaults
Rokarolla Android – A new Android banking trojan called Rokarolla is being deployed through fake Google Chrome and TikTok downloads, then gains deep control of infected devices. Researchers say it targets 217 banking and cryptocurrency apps using 137 commands, steals lock-screen
A phone that opens like a normal app can become something else in a matter of seconds. With Rokarolla, a new Android banking trojan, attackers are using fake “Chrome” and “TikTok” installers to lure victims into installing malware that then takes near-complete control of the device.
The campaign is built to hit financial targets directly. Rokarolla is designed to target 217 banking and cryptocurrency applications and supports an extensive set of 137 commands. Once installed, it behaves like a dropper: it impersonates Google Play Protect during the installation flow and offers the user the chance to install "Chrome" or "TikTok", with the trojan baked into the package.
When the malicious app runs, it requests Accessibility service permissions and access to notifications, SMS, and calls. In combination, these capabilities let it move beyond simple data theft and start controlling how the victim's device behaves. Researchers at mobile security company Zimperium say it can take administrative control of a compromised device.
The malware's first step in the communication chain is similarly purposeful. Rokarolla begins contact with its command-and-control (C2) server by sending a basic device profile: the phone model, installed Android version, locale, display characteristics, battery level, storage capacity, and available RAM. Zimperium says this information is then used to generate a unique identifier for each victim in the Rokarolla campaign.
From there, the financial theft mechanism is straightforward. Rokarolla checks the apps installed on the infected device against a list of 217 targeted applications. If a targeted app is present, the malware downloads the phishing payload associated with it. When the victim opens one of the targeted apps, Rokarolla presents a fake login overlay on top of it to capture login credentials, credit card information, and other financial data.
Overlays are a central weapon in this operation. Zimperium says Rokarolla uses them not only to steal data, but also to capture the lock-screen PIN or pattern and operate the device while it is locked. The same technique is used to hide the malware's activity and block user interaction by showing fake installation screens when needed.
It also pushes evasion hard. The malware can disable Google Play Protect, hide its application icon from the app drawer, silence audio and vibration, and keep the screen awake indefinitely, which keeps the device available to the attacker while drawing as little of the victim's attention as possible.
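The permission combination described above (Accessibility, notification access, SMS, calls, package installation for the dropper stage) together with a missing app-drawer entry point is something a reviewer can check statically before an APK ever runs. The following triage script is an added illustration, not code from Zimperium or the article: it parses an AndroidManifest.xml and scores the combination. The two manifests and the weights are constructed for the example; the package names are placeholders and the scoring thresholds are an assumption, not a published scheme.

```python
"""Static manifest triage for the permission combination described in the article.
Added illustration; manifests below are constructed samples, not real apps."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
A_NAME = "{%s}name" % ANDROID_NS
A_PERM = "{%s}permission" % ANDROID_NS

# Heuristic weights (assumed for illustration). Accessibility binding dominates because
# it is what lets a trojan drive the UI, approve prompts and draw overlays on other apps.
PERMISSION_WEIGHTS = {
    "android.permission.RECEIVE_SMS": 2,
    "android.permission.READ_SMS": 2,
    "android.permission.READ_CALL_LOG": 1,
    "android.permission.CALL_PHONE": 1,
    "android.permission.REQUEST_INSTALL_PACKAGES": 2,  # dropper: installs a second APK
    "android.permission.SYSTEM_ALERT_WINDOW": 2,       # draw-over-apps (overlay) permission
    "android.permission.WAKE_LOCK": 1,                 # keep the screen/CPU awake
}
SERVICE_WEIGHTS = {
    "android.permission.BIND_ACCESSIBILITY_SERVICE": 4,
    "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE": 2,
}

def triage_manifest(manifest_xml):
    """Return package name, heuristic score, reasons and a verdict for one manifest."""
    root = ET.fromstring(manifest_xml)
    score, reasons = 0, []
    for perm in root.iter("uses-permission"):
        name = perm.get(A_NAME, "")
        if name in PERMISSION_WEIGHTS:
            score += PERMISSION_WEIGHTS[name]
            reasons.append(name)
    for svc in root.iter("service"):
        bind_perm = svc.get(A_PERM, "")
        if bind_perm in SERVICE_WEIGHTS:
            score += SERVICE_WEIGHTS[bind_perm]
            reasons.append("service bound with " + bind_perm)
    # An app with no LAUNCHER entry point never shows an icon in the app drawer.
    entry_points = list(root.iter("activity")) + list(root.iter("activity-alias"))
    has_launcher = any(
        cat.get(A_NAME) == "android.intent.category.LAUNCHER"
        for act in entry_points for cat in act.iter("category")
    )
    if not has_launcher:
        score += 1
        reasons.append("no LAUNCHER activity declared (no icon in app drawer)")
    verdict = "suspicious" if score >= 8 else ("review" if score >= 4 else "low")
    return {"package": root.get("package"), "score": score,
            "reasons": reasons, "verdict": verdict}

# Constructed sample: a fake "Chrome" installer with the permission set from the article.
SUSPICIOUS_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.fakeupdate.chrome">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.WAKE_LOCK"/>
  <application android:label="Chrome">
    <activity android:name=".InstallerActivity"/>
    <service android:name=".A11yService"
        android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
    <service android:name=".NotifService"
        android:permission="android.permission.BIND_NOTIFICATION_LISTENER_SERVICE">
      <intent-filter>
        <action android:name="android.service.notification.NotificationListenerService"/>
      </intent-filter>
    </service>
  </application>
</manifest>"""

# Constructed sample: an ordinary notes app with a normal launcher activity.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.notes">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.WAKE_LOCK"/>
  <application android:label="Notes">
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
  </application>
</manifest>"""

if __name__ == "__main__":
    for m in (SUSPICIOUS_MANIFEST, BENIGN_MANIFEST):
        r = triage_manifest(m)
        print(r["package"], r["verdict"], r["score"], *r["reasons"], sep="\n  ")
```

The constructed fake installer scores 17 ("suspicious") and the notes app 1 ("low"). Two caveats a reviewer should keep in mind: a dropper can hide its icon at runtime after installation, which a static manifest check will not reveal, and disabling Play Protect is an action performed through the Accessibility service rather than a declared permission, so the Accessibility binding is the signal to weigh most heavily.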
Zimperium published a GitHub repository that lists all 137 Rokarolla commands. Among the data-theft capabilities, Zimperium lists tools to steal SMS messages, extract contact information and WhatsApp contacts, capture keystrokes, record on-screen content via UI logging, read and manipulate clipboard contents, and periodically take screenshots and upload them with timestamps. The command set also includes the ability to block incoming calls and bank fraud alerts.
Taken together, Zimperium says these abilities give Rokarolla operators near-complete administrative control over an infected Android device—capable not just of harvesting information, but of supporting advanced financial fraud.
Zimperium says it did not find Rokarolla on Google Play, the official repository for Android apps. The guidance from researchers is direct: users should avoid downloading APK files from outside Google Play unless they explicitly trust the publisher. And because Rokarolla relies on Accessibility permissions, users are warned to be cautious when granting them: they can be abused to bypass standard Android protections, giving malware elevated abilities to interact with the user interface and approve system prompts and actions on the user's behalf, which is exactly what Android malware frequently seeks.
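The two pieces of advice above (do not sideload, be careful which apps get Accessibility) translate into a quick device audit: list the apps that currently hold Accessibility access and cross-check where each one was installed from. The script below is an added example, not part of the article or Zimperium's tooling. It parses the output of two adb commands, `adb shell settings get secure enabled_accessibility_services` (a colon-separated list of `package/ServiceClass` components) and `adb shell pm list packages -i` (one `package:<name>  installer=<pkg>` line per app), and flags Accessibility-enabled apps that did not come from the Play Store installer `com.android.vending`. The sample outputs are constructed; the `com.fakeupdate.chrome` package is a placeholder, not a real Rokarolla identifier.

```python
"""Audit an Android device for Accessibility-enabled apps that were not installed from
Google Play. Added illustration; the adb outputs below are constructed samples."""
import re

PLAY_STORE_INSTALLER = "com.android.vending"
# Accessibility services the device owner knowingly uses (TalkBack is Google's screen reader).
KNOWN_GOOD_A11Y = frozenset({"com.google.android.marvin.talkback"})

def parse_enabled_accessibility(value):
    """'pkg/.Svc:pkg2/pkg2.Svc' -> set of package names. 'null' or '' means none enabled."""
    value = value.strip()
    if not value or value == "null":
        return set()
    return {component.split("/", 1)[0] for component in value.split(":") if component}

def parse_installers(pm_output):
    """Lines of 'package:<name>  installer=<pkg>' -> {package: installer}."""
    installers = {}
    for line in pm_output.splitlines():
        match = re.match(r"package:(\S+)\s+installer=(\S+)", line.strip())
        if match:
            installers[match.group(1)] = match.group(2)
    return installers

def audit(a11y_value, pm_output, known_good=KNOWN_GOOD_A11Y):
    """Return findings for Accessibility-enabled apps not installed via the Play Store."""
    findings = []
    installers = parse_installers(pm_output)
    for pkg in sorted(parse_enabled_accessibility(a11y_value)):
        if pkg in known_good:
            continue
        installer = installers.get(pkg, "unknown")
        if installer != PLAY_STORE_INSTALLER:
            findings.append({
                "package": pkg,
                "installer": installer,
                "reason": "Accessibility enabled on an app not installed from Google Play",
            })
    return findings

# Constructed sample outputs (not a real capture). TalkBack is a preloaded system app, so
# it reports installer=null; the fake Chrome updater was sideloaded via the package installer.
SAMPLE_A11Y = ("com.google.android.marvin.talkback/"
               "com.google.android.marvin.talkback.TalkBackService:"
               "com.fakeupdate.chrome/.A11yService")
SAMPLE_PM = """package:com.google.android.marvin.talkback  installer=null
package:com.fakeupdate.chrome  installer=com.google.android.packageinstaller
package:com.example.bank  installer=com.android.vending
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE_A11Y, SAMPLE_PM):
        print("{package} (installer={installer}): {reason}".format(**finding))
```

On a real device, feed the two strings from `subprocess.run(["adb", "shell", ...], capture_output=True, text=True).stdout`. The allowlist matters: preloaded system apps such as TalkBack also show `installer=null`, so without it the audit would flag legitimate accessibility tools alongside the sideloaded one.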
This is why I never download Chrome or TikTok from anywhere but the actual store, but half the time the store still shows ads for the apps. They're targeting banking/crypto stuff so it's probably just another scam, but the "administrative control" part sounds like they can wipe your phone? Or is it just stealing SMS and calls? Either way, I'm paranoid now.