Security researchers at Zimperium’s zLabs have documented a new Android banking trojan, Rokarolla, that targets 217 banking and cryptocurrency apps and packs 137 remote commands.
Together, they give an operator near-total control of an infected phone: it lifts lock-screen PINs, reads and sends SMS, rewrites the clipboard to redirect crypto payments, and switches off Google Play Protect.
Rokarolla, named after its command-and-control servers, spreads through malicious websites posing as well-known apps such as TikTok and Chrome.
The first thing a victim installs is a dropper that pretends to be Google Play Protect. It uses that disguise to get the payload installed and grab Accessibility access. Once the malware is running, one of its commands turns Play Protect off.
The theft runs through overlays. Rokarolla pulls a target list from its server, and for each app flagged active, it downloads a fake HTML login page and stores it in a local database. When the victim opens the real banking or wallet app, the malware drops the fake page on top and captures everything typed into it, card details included.
The report shows one such fake page mimicking the banking app ‘imagin.’ A separate overlay mimics the Android lock screen to capture the PIN, pattern, or password, which lets the operator control the phone even while it is locked.
It reads every SMS on the device and can send messages itself, which is enough to grab the SMS one-time codes banks use to approve logins and transactions. By making itself the phone’s default app for texts and calls, it can also block incoming calls, so a warning call from the bank never gets through.
A keylogger and screen logger record what the user types and sees, and the trojan scrapes contacts and reads notifications. The clipboard gets rewritten silently, swapping in attacker wallet addresses so a copied crypto payment lands in the wrong account.
For surveillance, Rokarolla skips the usual MediaProjection screen casting, which throws a visible recording prompt, and instead takes screenshots through Accessibility, compresses them to PNG, and ships them out one frame at a time. That snapshot approach is simpler and quieter than the live hidden VNC seen in families like Klopatra.
The malware carries multiple fallback C2 domains and can be handed new ones on the fly, so pulling a single server does little. It’s 137 commands outnumber the 107 Zimperium counted in the HOOK trojan, and the playbook is the same one running through a wave of 2026 Android bankers: fake-app droppers, Accessibility abuse, and HTML overlays.
There is no patch to apply here. This is malware, not a product flaw, so the defenses are the standard ones for Android bankers. Install apps only from Google Play, leave Play Protect on, and treat any unexpected Accessibility request as a red flag, since that one permission drives the whole attack chain.
Zimperium says its own…
Source link
Disclaimer
We strive to uphold the highest ethical standards in all of our reporting and coverage. We blogs.grocliq.com want to be transparent with our readers about any potential conflicts of interest that may arise in our work. It’s possible that some of the investors we feature may have connections to other businesses, including competitors or companies we write about. However, we want to assure our readers that this will not have any impact on the integrity or impartiality of our reporting. We are committed to delivering accurate, unbiased news and information to our audience, and we will continue to uphold our ethics and principles in all of our work. Thank you for your trust and support.
Website Upgradation is going on for any glitch kindly connect at [email protected]
