Rokarolla Banking Trojan

Cybersecurity researchers have identified a new Android banking trojan known as Rokarolla, named after its Command-and-Control (C2) infrastructure. The malware is designed to target an extensive range of financial services, with the ability to attack 217 banking and cryptocurrency applications. Equipped with 137 remote commands, Rokarolla provides cybercriminals with an exceptional level of control over compromised devices.

Once installed, the malware can remove lock-screen protections, intercept and send SMS messages, manipulate clipboard contents to redirect cryptocurrency transfers, and even disable Google's built-in security mechanisms.

Disguised Distribution Through Fake Applications

Rokarolla is primarily distributed through malicious websites masquerading as legitimate and popular applications, including TikTok and Google Chrome.

Victims initially download a dropper application that impersonates Google Play Protect. By exploiting this trusted appearance, the dropper persuades users to grant Accessibility Service permissions and facilitates the installation of the malicious payload. After execution, one of Rokarolla's commands immediately disables Play Protect, eliminating an important layer of Android security.

Overlay Attacks Designed to Steal Credentials

Credential theft is carried out through sophisticated overlay attacks. Rokarolla retrieves a list of targeted applications from its command server and downloads fraudulent HTML login pages corresponding to those apps. These counterfeit interfaces are stored locally and displayed whenever a victim opens a legitimate banking or cryptocurrency application.

The fake screens are designed to capture all information entered by the user, including usernames, passwords, and payment card details. Researchers observed one example that convincingly imitated the banking application 'imagin.'

The malware also deploys a counterfeit Android lock-screen overlay capable of harvesting PINs, patterns, and passwords. This capability allows attackers to maintain access and control even when the device is locked.

Credential Theft, Surveillance, and Financial Fraud in One Package

Rokarolla combines multiple surveillance and theft mechanisms to maximize data collection and financial gain:

  • Full SMS monitoring and message-sending capabilities enable the interception of one-time passcodes used for banking authentication and transaction approvals.
  • By assigning itself as the device's default messaging and calling application, the malware can block incoming calls, potentially preventing fraud warnings from reaching victims.
  • Integrated keylogging and screen-logging functions capture user activity, while contacts and notifications are continuously harvested.
  • Clipboard manipulation silently replaces copied cryptocurrency wallet addresses with attacker-controlled addresses, diverting funds without the victim's knowledge.

Stealthy Monitoring Techniques Evade Detection

Unlike many Android malware families that rely on MediaProjection-based screen recording, Rokarolla adopts a quieter surveillance strategy. Instead of triggering visible recording notifications, it captures screenshots through Accessibility Services, compresses them into PNG files, and transmits them individually to its operators.

This approach reduces the likelihood of detection while still providing attackers with a detailed view of user activity. Compared to hidden VNC implementations used by malware families such as HOOK and Klopatra, Rokarolla's screenshot-based monitoring is both simpler and more discreet.

Resilient Infrastructure and an Expanding Malware Trend

The malware is built to withstand disruption efforts. Multiple backup command-and-control domains are embedded within the code, and operators can dynamically assign additional servers whenever needed. As a result, disabling a single command server has little impact on the overall operation.

Its extensive command set exceeds the 107 commands previously documented in the HOOK banking trojan, reflecting the growing sophistication of Android banking malware observed throughout 2026. The attack methodology follows a familiar pattern that has become increasingly common:

  • Distribution through fake application installers.
  • Abuse of Accessibility Services for privilege escalation and device control.
  • Use of HTML-based overlays to harvest credentials and sensitive information.

Defensive Measures Remain Critical

Because Rokarolla is malware rather than a software vulnerability, there is no security patch capable of eliminating the threat. Protection depends on following established Android security practices.

Applications should only be installed from the official Google Play Store, Google Play Protect should remain enabled at all times, and any unexpected request for Accessibility permissions should be treated as a significant warning sign. Accessibility access serves as the foundation of Rokarolla's attack chain and enables many of its most dangerous capabilities.
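The two footholds the report singles out, an unexpected Accessibility Service and a takeover of the default SMS role, can be checked from a workstation over adb. The script below is an added triage example, not code from the original report or from any vendor; it assumes stock Android 10+ behaviour for the `enabled_accessibility_services` secure setting and the `cmd role get-role-holders` shell command, and the allowlist and expected SMS app are constructed placeholders to adjust per fleet.

```shell
#!/bin/sh
# Added triage example (not from the original report): flag the Android settings
# that Rokarolla's chain relies on, either from live adb output or from strings
# passed in for offline testing.
# Assumption: 'settings get secure enabled_accessibility_services' returns a
# colon-separated list of "package/class" components (or "null"), and
# 'cmd role get-role-holders <role>' prints the holder package.

# Constructed allowlist of packages that may legitimately run an accessibility
# service on this fleet; tune to your own environment.
A11Y_ALLOWLIST="com.google.android.marvin.talkback com.android.switchaccess"

# $1: raw value of enabled_accessibility_services.
# Prints one non-allowlisted package per line (nothing when all are known).
unknown_a11y_services() {
  list=$1
  if [ "$list" = "null" ]; then list=""; fi
  old_ifs=$IFS; IFS=:
  for component in $list; do
    pkg=${component%%/*}            # keep the package part of pkg/class
    case " $A11Y_ALLOWLIST " in
      *" $pkg "*) ;;                # allowlisted, skip
      *) printf '%s\n' "$pkg" ;;    # unexpected accessibility service
    esac
  done
  IFS=$old_ifs
  return 0
}

# $1: role name, $2: current holder as printed by the device, $3: expected holder.
# Echoes "ok <role>" or "SUSPECT <role> held by <pkg>" for logging or assertions.
check_role_holder() {
  role=$1; holder=$2; expected=$3
  if [ -z "$holder" ] || [ "$holder" = "$expected" ]; then
    echo "ok $role"
  else
    echo "SUSPECT $role held by $holder"
  fi
}

# Live triage of the attached device; 'tr' strips adb's CRLF line endings.
triage_device() {
  command -v adb >/dev/null 2>&1 || { echo "adb not found; skipping"; return 0; }
  a11y=$(adb shell settings get secure enabled_accessibility_services | tr -d '\r')
  echo "Non-allowlisted accessibility services:"; unknown_a11y_services "$a11y"
  sms=$(adb shell cmd role get-role-holders android.app.role.SMS | tr -d '\r')
  check_role_holder android.app.role.SMS "$sms" com.google.android.apps.messaging
}

case "${1:-}" in --live) triage_device ;; esac
```

Run the script with `--live` against a connected device; any package printed under the accessibility heading, or a SUSPECT line for the SMS role, matches the report's description of the dropper's first steps and warrants pulling the APK for analysis.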

Attribution Remains Unknown

At the time of reporting, Rokarolla has not been linked to any publicly identified threat actor or cybercriminal group. Nevertheless, its design clearly demonstrates a deliberate effort to bypass the very protections Android users are encouraged to trust, including Play Protect, lock-screen safeguards, and other built-in security controls.

The malware's capabilities highlight the continuing evolution of Android banking trojans and the increasing sophistication of financially motivated mobile threats.