The Point: Rokarolla uses fake overlay windows, SMS interception, and clipboard manipulation to steal banking credentials and cryptocurrency addresses; no technical patch exists.
The newly identified Android trojan Rokarolla targets 217 banking and cryptocurrency applications and can gain nearly complete control over infected devices via 137 remote control commands. The malware is distributed through manipulated websites masquerading as popular apps like TikTok or Chrome.
Security firm Zimperium has analyzed and documented the Android trojan Rokarolla. The malware is distributed via fraudulent landing pages that mimic well-known applications. The initial infection chain uses malware disguised as Google Play Protect. Once installed, it requests permissions for Android accessibility services – a critical escalation, as this permission enables loading additional malware and disabling the genuine Play Protect function.
Data theft works primarily through fake user interfaces. Rokarolla retrieves a list of target applications from the control server and overlays a manipulated HTML login mask when a banking or cryptocurrency app is opened. This intercepts passwords and credit card data. A documented example is the banking app imagin. Additionally, Rokarolla simulates a lock screen to extract PINs or unlock patterns – even when the device is locked. The trojan reads and sends SMS messages, blocks warning calls from banks, and logs keyboard inputs and screen contents via keyloggers and screen loggers. A particularly critical function: whenever a cryptocurrency address is copied to the clipboard, Rokarolla replaces it with an attacker’s address and redirects transfers. For espionage, the program discreetly creates individual PNG screenshots via accessibility services instead of obvious video recordings.
The malware communicates with multiple decentralized control servers and receives new server domains during operation, so blocking a single server barely affects its functionality. With 137 remote control commands, Rokarolla far exceeds comparable trojans such as HOOK. Because it is pure malware rather than a product vulnerability, no technical software patch exists. Zimperium recommends that CISOs have applications obtained exclusively from the official Google Play Store, keep Play Protect active, and critically evaluate and reject requests for accessibility service permissions.
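The three warning signs the report names (an app installed from outside Google Play, accessibility-service access, overlay permission, and Play Protect being switched off) can be correlated in device telemetry. The following is an added example written for this summary, not code from Zimperium or from the original article: it parses constructed event lines in a made-up `key=value` format and flags packages that combine sideloading with at least one of those indicators. Package names, timestamps and the log format are constructed; only `com.android.vending` (the Play Store package) is a real identifier.

```python
"""Defender-side correlation of constructed Android device-event log lines.

Flags the install chain the article attributes to Rokarolla: an app installed
from outside Google Play that then obtains accessibility-service access, gets
overlay (SYSTEM_ALERT_WINDOW) permission, or turns off Play Protect. The log
format, package names and timestamps below are constructed for illustration;
only com.android.vending (the Play Store package) is a real identifier.
"""
from collections import defaultdict

PLAY_STORE_INSTALLER = "com.android.vending"

# Constructed sample telemetry: one "timestamp key=value key=value ..." event per line.
SAMPLE_LOG = """\
2026-06-20T09:01:12Z event=install pkg=com.example.fakeprotect installer=com.android.chrome
2026-06-20T09:01:40Z event=permission_granted pkg=com.example.fakeprotect perm=BIND_ACCESSIBILITY_SERVICE
2026-06-20T09:01:45Z event=permission_granted pkg=com.example.fakeprotect perm=SYSTEM_ALERT_WINDOW
2026-06-20T09:02:03Z event=setting_changed pkg=com.example.fakeprotect key=play_protect_enabled value=0
2026-06-20T09:05:00Z event=install pkg=com.example.screenreader installer=com.android.vending
2026-06-20T09:05:10Z event=permission_granted pkg=com.example.screenreader perm=BIND_ACCESSIBILITY_SERVICE
"""


def parse_line(line):
    """Split 'timestamp k=v k=v ...' into a dict; the timestamp is kept under 'ts'."""
    ts, _, rest = line.partition(" ")
    fields = {"ts": ts}
    for token in rest.split():
        key, _, value = token.partition("=")
        fields[key] = value
    return fields


def collect_indicators(log_text):
    """Return {package: set(indicator_names)} built from every parsed event."""
    indicators = defaultdict(set)
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ev = parse_line(raw)
        pkg = ev.get("pkg")
        if pkg is None:
            continue
        kind = ev.get("event")
        if kind == "install" and ev.get("installer") != PLAY_STORE_INSTALLER:
            indicators[pkg].add("sideloaded")
        elif kind == "permission_granted":
            if ev.get("perm") == "BIND_ACCESSIBILITY_SERVICE":
                indicators[pkg].add("accessibility")
            elif ev.get("perm") == "SYSTEM_ALERT_WINDOW":
                indicators[pkg].add("overlay")
        elif (kind == "setting_changed"
              and ev.get("key") == "play_protect_enabled"
              and ev.get("value") == "0"):
            indicators[pkg].add("play_protect_disabled")
    return indicators


def flag_suspicious(log_text):
    """Packages that are sideloaded AND show at least one abuse indicator.

    Accessibility access alone is not flagged: legitimate assistive apps
    installed from Google Play need it, so the sideload condition is what
    separates them from the chain described in the report.
    """
    flagged = []
    for pkg, inds in collect_indicators(log_text).items():
        abuse = inds & {"accessibility", "overlay", "play_protect_disabled"}
        if "sideloaded" in inds and abuse:
            flagged.append((pkg, sorted(abuse)))
    return sorted(flagged)


if __name__ == "__main__":
    for pkg, reasons in flag_suspicious(SAMPLE_LOG):
        print(f"{pkg}: sideloaded + {', '.join(reasons)}")
```

Run stand-alone, the script reports only `com.example.fakeprotect`; the Play-installed screen reader that also holds accessibility access is left alone, which is the distinction a mobile device management policy or EDR rule built on these indicators needs to make to avoid drowning in false positives.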
Source: www.it-daily.net · Published June 20, 2026
Lumi AI News — AI-assisted curation in accordance with Article 50 EU AI Act. Paraphrasing and classification via Lumi News Pipeline v1.7.1.