Rokarolla Trojan: New Android Malware Targets 217 Banking Apps

It’s a nightmare scenario for anyone who banks on their phone. A new Android trojan called Rokarolla doesn’t just steal your passwords; it takes the wheel entirely. Discovered by researchers at Zimperium, this malware targets 217 specific banking and cryptocurrency applications, giving attackers near-total control over infected devices.

The threat was detailed in reports published around June 17, 2026. Unlike older spyware that lurked in the background, Rokarolla actively interferes with your device to ensure you don’t notice the theft happening in real time. It blocks calls, suppresses audio, and even disables Google’s own security protections.

How the Infection Starts

Here’s the thing about modern malware: it rarely asks for permission politely. Instead, it tricks you. According to analysis from Help Net Security and Dark Reading, Rokarolla is primarily distributed through malicious websites that impersonate popular apps like TikTok or Google Chrome. Users clicking these fake download links aren’t getting a social media app—they’re installing a dropper disguised as Google Play Protect.

This two-stage infection chain is clever. The first payload poses as a legitimate security service, lowering user suspicion. Once installed, it delivers the second stage: the actual Rokarolla banking trojan. This bypasses many initial safety checks because the user believes they are installing a trusted system component. It’s a classic social engineering play, leveraging trust in big brands to slip past defenses.

Beyond Credential Theft: Full Device Takeover

Old-school banking trojans were content with stealing login credentials. Rokarolla is different. It wants everything. Zimperium’s zLabs team found that the malware can execute 137 distinct commands on an infected device. That’s not just data exfiltration; that’s remote administration.

Once active, the trojan scans for any of the 217 targeted financial apps. When you open one, Rokarolla downloads a phishing page from its command-and-control server and overlays it directly on top of the legitimate app. You think you’re entering your PIN into Chase or Coinbase? You’re actually handing it straight to the attacker. But the overlay isn’t just for show—it’s part of a broader surveillance toolkit.

  • Keylogging: Continuously records every keystroke, capturing passwords, messages, and search queries.
  • SMS Manipulation: Reads all incoming texts (including bank OTPs) and can send messages on your behalf to intercept codes.
  • Clipboard Hijacking: Silently replaces copied cryptocurrency wallet addresses with the attacker’s address, ensuring funds go to them instead of your intended recipient.
  • Screen Capture: Takes systematic screenshots, compresses them into PNG files, and sends them back with precise timestamps.

The twist is how aggressively it hides. Rokarolla deactivates genuine Google Play Protect, blocks incoming calls (preventing fraud alerts from reaching you), and suppresses device audio. If your bank tries to call to verify a suspicious transaction, you won’t hear the ring. By the time you realize something is wrong, the damage is often done.

Why This Matters for Crypto Users

Cryptocurrency users are particularly vulnerable here. Traditional banking has layers of institutional protection—fraud departments, chargebacks, insurance. Crypto transactions are irreversible. The clipboard modification feature is especially dangerous. Imagine copying a friend’s wallet address to send them birthday money. Rokarolla swaps that address milliseconds before you paste it. You send the funds, see nothing amiss, and the money vanishes into the ether.

SecurityWeek noted that this represents an evolution in mobile threats. We’re moving from simple credential harvesting to comprehensive device espionage. The malware doesn’t just want your bank account; it wants your contacts, your location history, and your private conversations. It turns your smartphone into a listening post.

Expert Analysis and Mitigation

Zimperium’s warning is clear: standard antivirus solutions may not catch this if the user grants the necessary permissions during the initial fake installation. The malware relies on abuse of accessibility services and notification listeners—features designed to help users with disabilities but frequently exploited by spyware.

"The combination of banking fraud with full-device surveillance creates a high-risk environment," according to the technical breakdown. Experts recommend avoiding third-party app stores and being skeptical of any download link that doesn’t lead directly to the official Google Play Store. If you suspect infection, a factory reset is often the only surefire way to remove deeply embedded trojans like Rokarolla.

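Because the malware depends on accessibility services and notification listeners granted to a sideloaded app, one practical check is to list which third-party packages hold those grants and where they were installed from. The script below is an added example, not code from Zimperium or from the reports cited here; it parses the output of three stock adb commands, and the sample package names are constructed placeholders, not Rokarolla indicators.

```python
"""Flag sideloaded apps that hold accessibility or notification-listener access.

Feed it the output of these stock commands, captured from a device over adb:
  adb shell settings get secure enabled_accessibility_services
  adb shell settings get secure enabled_notification_listeners
  adb shell pm list packages -i -3
"""
PLAY_STORE = "com.android.vending"  # installer recorded for Google Play installs

def component_packages(setting_value):
    """Package names from a colon-separated list of 'pkg/class' components."""
    value = setting_value.strip()
    if not value or value == "null":  # an unset setting prints 'null'
        return set()
    return {c.split("/", 1)[0] for c in value.split(":") if c}

def installers(pm_output):
    """Map package -> installer from 'package:<pkg>  installer=<name>' lines."""
    result = {}
    for line in pm_output.splitlines():
        fields = line.split()
        if not fields or not fields[0].startswith("package:"):
            continue
        inst = [f.split("=", 1)[1] for f in fields[1:] if f.startswith("installer=")]
        result[fields[0][len("package:"):]] = inst[0] if inst else "null"
    return result

def audit(accessibility, listeners, pm_output):
    """Sorted (package, installer, grants) for apps not installed by Google Play."""
    held = {"accessibility": component_packages(accessibility),
            "notification-listener": component_packages(listeners)}
    findings = []
    for pkg, inst in installers(pm_output).items():
        grants = [name for name, pkgs in held.items() if pkg in pkgs]
        if grants and inst != PLAY_STORE:
            findings.append((pkg, inst, grants))
    return sorted(findings)

# Constructed sample output; every package name below is invented.
SAMPLE_A11Y = "com.example.screenreader/.ReaderService:com.example.protect.update/.CoreService"
SAMPLE_NOTIF = "com.example.protect.update/.NotifyService:com.example.wearsync/.Listener"
SAMPLE_PM = """\
package:com.example.screenreader  installer=com.android.vending
package:com.example.protect.update  installer=com.google.android.packageinstaller
package:com.example.wearsync  installer=null
"""

if __name__ == "__main__":
    for pkg, inst, grants in audit(SAMPLE_A11Y, SAMPLE_NOTIF, SAMPLE_PM):
        print(f"REVIEW {pkg} (installer={inst}): {', '.join(grants)}")
```

A hit is a prompt for review, not a verdict: legitimately sideloaded tools appear too, and the `-3` flag limits the check to third-party packages.
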
Frequently Asked Questions

What is Rokarolla?

Rokarolla is a sophisticated Android banking trojan discovered in mid-2026. It targets 217 banking and cryptocurrency applications, using phishing overlays, keyloggers, and SMS interception to steal financial data while granting attackers full remote control over the infected device.

How do I get infected with Rokarolla?

Infection typically occurs through malicious websites offering fake downloads of popular apps like TikTok or Google Chrome. The malware installs a dropper disguised as Google Play Protect, which then delivers the main trojan payload to your device.

Can Rokarolla steal my cryptocurrency?

Yes. It specifically targets crypto apps and uses clipboard hijacking to replace wallet addresses with the attacker’s. It also captures screenshots and logs keystrokes to steal private keys and passwords associated with digital wallets.

How does Rokarolla hide from users?

The trojan disables Google Play Protect, blocks incoming calls to prevent fraud alerts, suppresses device audio, and uses screen overlays to mimic legitimate apps. These tactics make it difficult for users to detect unauthorized activity or receive warnings from their banks.

Who discovered Rokarolla?

Researchers at Zimperium, a mobile security firm, identified and analyzed Rokarolla. Their zLabs team published detailed findings highlighting the malware’s 137 executable commands and its ability to target over 200 financial applications.

Author
Kendrick Calhoun
