A newly identified Android banking trojan known as Rokarolla is targeting a broad range of financial applications, including 217 banking and cryptocurrency platforms. The malware is designed to harvest sensitive information, intercept communications, and evade detection through a variety of advanced techniques.
According to an in-depth analysis by Zimperium’s zLabs team, Rokarolla spreads primarily through malicious websites that impersonate legitimate applications such as TikTok and Google Chrome. One documented distribution source is a fraudulent site hosting malware disguised as trusted apps. Victims initially download a dropper application that masquerades as Google Play Protect, a tactic intended to lower suspicion and encourage installation.
Once installed, the dropper’s primary objective is to deliver a second-stage payload and obtain access to Android’s Accessibility Services. Granting these permissions effectively gives the malware extensive control over the device. It can simulate user input, interact with app interfaces, inject malicious overlays, and execute automated actions without requiring further user interaction. One of its built-in commands disables Google Play Protect entirely, removing the very security measure it imitated during installation.
The malware retrieves its list of targeted applications dynamically from its command-and-control (C2) server. For each targeted app, it downloads counterfeit login pages and stores them locally. When a user opens a legitimate banking or cryptocurrency app, Rokarolla overlays the fake interface to capture credentials in real time, including login details and payment information.
Rokarolla also targets the device’s lock screen, deploying a fraudulent PIN entry interface that closely mimics the legitimate Android lock screen. Any credentials entered are immediately transmitted to attacker-controlled servers, allowing threat actors to retain access even if the device is locked later.

Beyond credential theft, Rokarolla enables attackers to actively control infected devices. SMS functionality is heavily exploited: the malware can read incoming messages, send messages on behalf of the user, and intercept one-time passcodes used for authentication. It also attempts to register itself as the default call handler, enabling it to silently block incoming calls, including fraud alerts from financial institutions. To further avoid detection, it suppresses all device audio and vibration alerts during malicious activity.
The malware also manipulates clipboard data. When users copy cryptocurrency wallet addresses, Rokarolla replaces them with attacker-controlled addresses, potentially redirecting funds without the user’s knowledge. Meanwhile, a built-in keylogger and screen-monitoring components capture both typed input and on-screen data. It can even extract information from messaging apps like WhatsApp by analyzing UI elements displayed on the screen.
For surveillance, Rokarolla avoids standard Android screen-recording methods that might alert users. Instead, it captures periodic screenshots, compresses them, and sends them to its C2 servers. Each capture cycle is followed by cleanup routines, allowing the malware to operate discreetly without leaving noticeable traces.
The malware’s infrastructure is designed for resilience. It includes multiple hardcoded backup domains and can receive updated server addresses dynamically, ensuring continued operation even if some infrastructure is taken offline. Communications are routed through attacker-controlled servers using uncommon ports and consistent URI patterns.
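The network behaviour described above (regular check-ins to attacker servers on uncommon ports with a consistent URI path) is something a defender can hunt for in proxy or firewall logs. The following is an added example, not Zimperium's code and not based on the real Rokarolla indicators: the log format, IP addresses, port and URI paths are constructed for illustration. It groups outbound requests by client, destination, port and path, skips routine web ports, and flags groups whose inter-request timing is regular enough to look timer-driven.

```python
"""Flag beacon-like outbound traffic to uncommon ports in proxy/firewall logs.

Added example (not Zimperium's code). The log format, hosts, port numbers and
URI paths in this file are constructed; no real Rokarolla indicators are used.
"""
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed log format: "<ISO-8601 ts> <src_ip> -> <dst_ip>:<port> <METHOD> <path>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\d+\.\d+\.\d+\.\d+) -> "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+):(?P<port>\d+) (?P<method>[A-Z]+) (?P<path>\S+)$"
)

# Ports on which outbound HTTP(S) is routine; anything else counts as "uncommon".
COMMON_WEB_PORTS = {80, 443, 8080, 8443}

# Constructed sample: one host beacons every ~60 s to an uncommon port with a
# fixed path; the other hosts browse normally or hit an odd port irregularly.
SAMPLE_LOG = """
2024-05-01T10:00:00Z 10.0.0.15 -> 203.0.113.10:8089 POST /gate/ping
2024-05-01T10:00:05Z 10.0.0.15 -> 198.51.100.7:443 GET /index.html
2024-05-01T10:01:00Z 10.0.0.15 -> 203.0.113.10:8089 POST /gate/ping
2024-05-01T10:02:01Z 10.0.0.15 -> 203.0.113.10:8089 POST /gate/ping
2024-05-01T10:03:00Z 10.0.0.15 -> 203.0.113.10:8089 POST /gate/ping
2024-05-01T10:00:30Z 10.0.0.22 -> 198.51.100.7:443 GET /news
2024-05-01T10:07:00Z 10.0.0.22 -> 198.51.100.7:443 GET /news
2024-05-01T10:21:00Z 10.0.0.22 -> 198.51.100.7:443 GET /news
2024-05-01T10:00:10Z 10.0.0.22 -> 203.0.113.44:9001 GET /x
2024-05-01T10:00:12Z 10.0.0.22 -> 203.0.113.44:9001 GET /x
2024-05-01T10:05:00Z 10.0.0.22 -> 203.0.113.44:9001 GET /x
"""


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00"))
    rec["port"] = int(rec["port"])
    return rec


def find_beacons(lines, min_hits=3, max_jitter=0.25):
    """Return (src, dst, port, path, mean_interval_s) tuples that look like C2
    check-ins: an uncommon port, the same URI path repeated at least min_hits
    times, and near-regular spacing (coefficient of variation <= max_jitter)."""
    buckets = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["port"] in COMMON_WEB_PORTS:
            continue
        buckets[(rec["src"], rec["dst"], rec["port"], rec["path"])].append(rec["ts"])

    findings = []
    for key, stamps in buckets.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(gaps)
        if mean <= 0:
            continue
        # Low coefficient of variation means timer-driven, not human, traffic.
        cv = statistics.pstdev(gaps) / mean
        if cv <= max_jitter:
            findings.append(key + (round(mean),))
    return findings


if __name__ == "__main__":
    for src, dst, port, path, interval in find_beacons(SAMPLE_LOG.strip().splitlines()):
        print(f"beacon-like: {src} -> {dst}:{port} {path} every ~{interval}s")
```

The thresholds are deliberately conservative; in practice a hunt would also join the flagged destination against the organisation's list of approved services, since legitimate agents also check in on fixed timers.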
Unlike threats tied to a specific software flaw, Rokarolla does not rely on an exploit that can be patched. Instead, it leverages social engineering and abuse of Android permissions. As a result, mitigation depends heavily on user awareness and security best practices. Experts strongly recommend installing apps only from trusted sources like Google Play, carefully reviewing permission requests (especially for Accessibility Services), and avoiding granting applications control over SMS or call handling unless absolutely necessary.
Zimperium reports that Rokarolla employs sophisticated evasion, persistence, and stealth mechanisms, allowing it to operate undetected for extended periods. Its ability to combine credential theft, device control, and silent operation makes it a highly capable threat in the mobile malware landscape.
