The malware, named after its command-and-control infrastructure, is being distributed through malicious websites that imitate well-known apps, including TikTok, Google Chrome and Google Play Protect. The campaign relies less on exploiting a software flaw than on persuading users to install a fake app and grant powerful permissions, especially Android Accessibility access, a feature designed to help people with disabilities navigate devices.
Once installed, Rokarolla uses a dropper that poses as a trusted security or update component before installing the main payload. The second stage requests access to SMS, notifications and call-handling functions, then uses Accessibility to read on-screen content, perform automated gestures, display overlays and hide background activity.
The breadth of the trojan’s capabilities comes from a command set of 137 functions that lets operators steal lock-screen PINs, patterns and passwords, extract contacts, read and send SMS messages, monitor notifications, capture keystrokes, take screenshots and manipulate the clipboard. Those capabilities can support account takeover and transaction fraud, particularly where finance apps still rely on SMS-based one-time passcodes.
Rokarolla’s banking theft mechanism is built around overlay fraud. The malware checks which apps are installed on the device and compares them with a target list supplied by its remote server. When a victim opens a flagged banking or cryptocurrency app, the trojan can display a fake HTML login screen over the genuine app and capture credentials, card information or other sensitive data.
The same approach extends to device-unlock credentials. Rokarolla can show a screen that mimics Android’s lock interface and capture the user’s PIN, pattern or password. With that credential, the operators can unlock the handset themselves and run commands at times when the device would otherwise be locked, removing a barrier that usually limits post-infection activity.
The malware also targets communications that could interrupt fraud. It can request to become the default SMS and call handler, enabling it to read messages, send texts from the victim’s phone and block calls. This can stop fraud-warning calls from banks, while SMS interception can expose one-time codes used to approve logins, transfers and wallet actions.
A further risk for cryptocurrency users comes from clipboard manipulation. Rokarolla can silently replace copied wallet addresses with attacker-controlled strings, a tactic that can redirect funds even when the user believes they are pasting a verified destination address. It can also take periodic screenshots through Accessibility-driven methods and send them to its servers with timestamps.
The trojan’s persistence features are notable. It can hide its app icon, mute audio and vibration, force the screen to remain awake, display full-screen loading or update overlays, and attempt to disable Google Play Protect. Multiple fallback command-and-control domains and remote configuration updates make takedown harder because blocking one server may not fully disrupt the operation.
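The permission and component combination described in the paragraphs above (an Accessibility service, an overlay permission, SMS access, a notification listener and the SMS_DELIVER receiver an app must declare to be eligible as the default SMS handler) is what a triage analyst looks for first in a sideloaded APK. The script below is an added example, not code from the report and not the trojan’s own code: it scores a decoded AndroidManifest.xml (as produced by apktool) on those markers. The two manifests, the weights and the thresholds are constructed assumptions for illustration, not indicators taken from Rokarolla.

```python
"""Manifest triage for the Accessibility/overlay/SMS combination.

Added example, not from the report. Input is a decoded AndroidManifest.xml
as text; sample manifests, weights and thresholds are constructed assumptions.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
A_NAME = f"{{{ANDROID_NS}}}name"
A_PERMISSION = f"{{{ANDROID_NS}}}permission"

# Illustrative weights (assumption), not figures from the report.
RISKY_PERMISSIONS = {
    "android.permission.SYSTEM_ALERT_WINDOW": 3,  # overlays on top of other apps
    "android.permission.READ_SMS": 2,
    "android.permission.RECEIVE_SMS": 2,
    "android.permission.SEND_SMS": 2,
    "android.permission.QUERY_ALL_PACKAGES": 2,   # enumerate installed apps for target matching
    "android.permission.READ_CONTACTS": 1,
    "android.permission.ANSWER_PHONE_CALLS": 1,
    "android.permission.REQUEST_DELETE_PACKAGES": 1,
    "android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS": 1,
}
BIND_ACCESSIBILITY = "android.permission.BIND_ACCESSIBILITY_SERVICE"
BIND_NOTIFICATION_LISTENER = "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"
SMS_DELIVER = "android.provider.Telephony.SMS_DELIVER"  # default-SMS-app eligibility marker
SMS_READ_WRITE = {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS",
                  "android.permission.SEND_SMS"}

# Constructed sample imitating the lure theme in the article; not a real package.
SUSPECT_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.playprotect.update">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.QUERY_ALL_PACKAGES"/>
  <application android:label="Play Protect Update">
    <service android:name=".A11y" android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter><action android:name="android.accessibilityservice.AccessibilityService"/></intent-filter>
    </service>
    <service android:name=".NotifSpy" android:permission="android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"/>
    <receiver android:name=".SmsRx" android:permission="android.permission.BROADCAST_SMS">
      <intent-filter><action android:name="android.provider.Telephony.SMS_DELIVER"/></intent-filter>
    </receiver>
  </application>
</manifest>"""

# Constructed benign control: an ordinary app with no SMS/overlay/Accessibility surface.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.notes">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <application android:label="Notes"/>
</manifest>"""


def declared_permissions(root):
    """Permission names from <uses-permission> elements."""
    return {e.get(A_NAME) for e in root.iter("uses-permission") if e.get(A_NAME)}


def bound_service_permissions(root):
    """android:permission values on <service> elements (system-bound services)."""
    return {e.get(A_PERMISSION) for e in root.iter("service") if e.get(A_PERMISSION)}


def intent_actions(root):
    """All <action> names declared inside intent filters."""
    return {e.get(A_NAME) for e in root.iter("action") if e.get(A_NAME)}


def triage(manifest_xml):
    """Score one manifest and classify it; returns a dict for the caller to assert on."""
    root = ET.fromstring(manifest_xml)
    perms = declared_permissions(root)
    bound = bound_service_permissions(root)
    actions = intent_actions(root)
    findings, score = [], 0
    for name in sorted(perms & set(RISKY_PERMISSIONS)):
        score += RISKY_PERMISSIONS[name]
        findings.append(name)
    accessibility = BIND_ACCESSIBILITY in bound
    if accessibility:
        score += 4
        findings.append("accessibility service")
    if BIND_NOTIFICATION_LISTENER in bound:
        score += 2
        findings.append("notification listener")
    sms_handler = SMS_DELIVER in actions
    if sms_handler:
        score += 3
        findings.append("default SMS handler candidate (SMS_DELIVER receiver)")
    overlay = "android.permission.SYSTEM_ALERT_WINDOW" in perms
    sms_access = sms_handler or bool(perms & SMS_READ_WRITE)
    # The three together are the overlay-fraud profile; score alone only flags for review.
    if accessibility and overlay and sms_access:
        profile = "overlay-trojan"
    elif score >= 5:
        profile = "review"
    else:
        profile = "low"
    return {"package": root.get("package"), "score": score,
            "profile": profile, "findings": findings}


if __name__ == "__main__":
    for m in (SUSPECT_MANIFEST, BENIGN_MANIFEST):
        print(triage(m))
```

The manifest only shows what an app declares, not what it does: a legitimate SMS client or an assistive-technology app will legitimately score high, and the runtime steps the article describes (the Accessibility grant in Settings, the RoleManager request to become default SMS app, the fetched target list) never appear in it. Treat the score as a reason to pull the dropper and second stage apart in a sandbox, not as a verdict.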
The discovery fits a broader pattern in Android banking malware, where fake app downloads, staged installation flows and Accessibility abuse have become central to fraud campaigns. Earlier 2026 tracking of separate Android banking campaigns found hundreds of targeted apps across finance, cryptocurrency and social platforms, with operators using fake recruitment pages, streaming offers and counterfeit update prompts to coax users into sideloading malicious APK files.
Platform defences have become more aggressive, but Rokarolla shows that sideloading and permission abuse still work for attackers. Google Play Protect now scans more than 350 billion Android apps daily, and its real-time scanning identified more than 27 million malicious apps from outside Google Play in 2025. Enhanced fraud protection expanded to 185 markets and blocked 266 million risky installation attempts, yet deceptive web distribution remains a major route for malware that never enters the official store.
There is no indication so far that Rokarolla has been distributed through Google Play, nor has the campaign been publicly tied to a named criminal group. The available evidence points to a financially motivated operation focused on mobile banking and cryptocurrency theft, using social engineering and on-device control rather than a single Android vulnerability.