
TL;DR
Zimperium found Rokarolla, an Android trojan with 137 remote commands that targets 217 banking and cryptocurrency apps. It steals PINs, intercepts SMS, and hijacks crypto payments.
Security researchers at Zimperium’s zLabs have documented a new Android banking trojan that targets 217 banking and cryptocurrency applications and carries 137 remote commands, giving an operator near-total control of an infected phone. The malware, which Zimperium calls Rokarolla after its command-and-control infrastructure, can steal lock-screen PINs, read and send SMS messages, rewrite the clipboard to redirect cryptocurrency payments, and disable Google Play Protect.
Rokarolla spreads through malicious websites that impersonate popular applications such as TikTok and Chrome. The first thing a victim installs is a dropper disguised as Google Play Protect, which uses that masquerade to install the main payload and obtain Accessibility access. Once running, one of the trojan’s first commands turns Play Protect off, removing the primary automated defence most Android users rely on.
The financial theft works through overlays. Rokarolla pulls a target list from its server, and for each banking or wallet app flagged as active, it downloads a fake HTML login page and stores it in a local database. When the victim opens the legitimate app, the malware drops the counterfeit page on top and captures everything typed into it, including card details and login credentials.
A separate overlay mimics the Android lock screen to harvest the device’s PIN, pattern, or password, which lets the operator issue commands even while the phone is locked. The trojan reads every SMS on the device and can send messages itself, which is sufficient to intercept the one-time codes banks use to authorise transactions. By making itself the default handler for texts and calls, it can also block incoming calls, preventing fraud alert notifications from reaching the user.
A keylogger and screen logger record what the user types and sees, while the trojan scrapes contacts and reads notifications. The clipboard is rewritten silently, swapping in attacker-controlled wallet addresses so a copied cryptocurrency payment lands in the wrong account. For surveillance, Rokarolla skips the usual MediaProjection screen-casting method, which throws a visible recording prompt, and instead takes screenshots through Accessibility, compresses them to PNG, and ships them out one frame at a time.
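The capability set described above (an Accessibility service, overlay placement, SMS access for one-time codes, and the side-loading permission a dropper needs) shows up as a permission combination in an app's manifest. The following triage script is an added example, not code from Zimperium or the article: it parses a decoded AndroidManifest.xml, maps the declared permissions onto those capabilities, and flags an app label that mimics a well-known app from a package outside Google's namespace. The permission strings are real Android identifiers; the two manifests, the package names, the label list and the trusted-prefix list are constructed for illustration.

```python
"""Static permission triage for a decoded AndroidManifest.xml.

Added example, not Zimperium's or the article's code. It scores a manifest on
the capability combination an overlay banker needs: an accessibility service
(overlay timing, screenshot capture, PIN harvesting), the overlay permission,
SMS access for one-time codes, and the side-load permission a dropper uses.
Both manifests at the bottom are constructed samples."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
A_NAME = f"{{{ANDROID_NS}}}name"
A_PERMISSION = f"{{{ANDROID_NS}}}permission"
A_LABEL = f"{{{ANDROID_NS}}}label"

# Real Android permission strings, grouped by the capability they unlock.
CAPABILITIES = {
    "accessibility": {"android.permission.BIND_ACCESSIBILITY_SERVICE"},
    "overlay": {"android.permission.SYSTEM_ALERT_WINDOW"},
    "sms": {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS",
            "android.permission.SEND_SMS"},
    "sideload": {"android.permission.REQUEST_INSTALL_PACKAGES"},
    "notifications": {"android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"},
    "contacts": {"android.permission.READ_CONTACTS"},
}

# Labels a dropper may borrow; a package outside the trusted prefixes that
# uses one of them is worth a closer look. Both lists are assumptions.
IMPERSONATED_LABELS = {"Google Play Protect", "Chrome"}
TRUSTED_PREFIXES = ("com.google.", "com.android.")


def declared_permissions(manifest_xml: str) -> set:
    """Collect <uses-permission> names plus android:permission on <service>.
    BIND_* permissions sit on the service element, not in uses-permission."""
    root = ET.fromstring(manifest_xml)
    perms = {e.get(A_NAME) for e in root.iter("uses-permission")}
    perms |= {s.get(A_PERMISSION) for s in root.iter("service")}
    perms.discard(None)
    return perms


def capabilities(perms: set) -> set:
    return {cap for cap, needed in CAPABILITIES.items() if perms & needed}


def verdict(caps: set) -> str:
    """Accessibility plus overlay or SMS is the banker pattern; either half on
    its own is suspicious but also common in legitimate apps."""
    if "accessibility" in caps and caps & {"overlay", "sms"}:
        return "high"
    if "accessibility" in caps or {"overlay", "sms"} <= caps:
        return "medium"
    return "low"


def label_spoof(manifest_xml: str) -> bool:
    """True when the app label mimics a well-known app from a foreign package.
    Only meaningful on a decoded manifest where the label is a literal."""
    root = ET.fromstring(manifest_xml)
    app = root.find("application")
    label = app.get(A_LABEL) if app is not None else None
    pkg = root.get("package") or ""
    return label in IMPERSONATED_LABELS and not pkg.startswith(TRUSTED_PREFIXES)


def triage(manifest_xml: str) -> dict:
    caps = capabilities(declared_permissions(manifest_xml))
    return {"capabilities": sorted(caps), "verdict": verdict(caps),
            "label_spoof": label_spoof(manifest_xml)}


# Constructed sample: a dropper-style manifest posing as Play Protect.
FAKE_PROTECT = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.protect">
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <application android:label="Google Play Protect">
    <service android:name=".A11yService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
  </application>
</manifest>"""

# Constructed sample: an ordinary SMS client with no accessibility or overlay.
SMS_CLIENT = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.messages">
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <application android:label="Messages"/>
</manifest>"""

if __name__ == "__main__":
    for name, xml in (("fake_protect", FAKE_PROTECT), ("sms_client", SMS_CLIENT)):
        print(name, triage(xml))
```

The verdict is deliberately coarse: an app with only an accessibility service may be a legitimate screen reader, and an SMS client needs SMS permissions, so only the combination is rated high. Manifests inside an APK are binary-encoded; the script expects the text form produced by a decoder such as apktool.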
The malware maintains multiple fallback command-and-control domains and can receive new ones on the fly, so taking down a single server does little to disrupt operations. Its 137 commands outnumber the 107 Zimperium counted in the HOOK trojan, and the playbook is the same one running through a wave of 2026 Android bankers: fake-app droppers, Accessibility abuse, and HTML overlays. Android banking trojans using identical techniques have already been found embedded in fake streaming apps targeting World Cup 2026 fans.
Zimperium did not attribute Rokarolla to a named threat group, and no independent lab has published a separate analysis yet, so the technical claims rest on a single source. The company’s report documents capabilities, not confirmed infection counts, meaning the real-world scale of infections remains unknown.
There is no software patch to apply because this is malware, not a product vulnerability. The defences are the standard ones for Android bankers: install apps only from Google Play, leave Play Protect enabled, and treat any unexpected Accessibility permission request as a red flag, since that single permission drives the entire attack chain. Zimperium says its own products detect the family, and the indicators of compromise are published in its GitHub repository.
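Because the Accessibility permission drives the chain, a quick device audit is to list which services currently hold it and where each owning app was installed from. The script below is an added example, not the article's or Zimperium's code. It parses the text that `adb shell settings get secure enabled_accessibility_services` and `adb shell pm list packages -i` print (both are real commands; the two strings embedded here are constructed stand-ins for their output) and reports any enabled service that is not on an expected list, marking it as side-loaded when the installer is not the Play Store. The allowlist and the sample package names are assumptions.

```python
"""Audit enabled accessibility services on an Android device.

Added example, not code from the article or Zimperium. The two strings are
constructed stand-ins for real command output:
  adb shell settings get secure enabled_accessibility_services
  adb shell pm list packages -i
Run those commands and pass their text to audit()."""

# Services you expect to see enabled (screen readers and the like); assumption.
EXPECTED_SERVICES = {
    "com.google.android.marvin.talkback/"
    "com.google.android.marvin.talkback.TalkBackService",
}
PLAY_STORE_INSTALLER = "com.android.vending"


def parse_enabled_services(setting_value: str) -> list:
    """The setting is a colon-separated list of package/ServiceClass entries;
    'null' means nothing is enabled."""
    value = setting_value.strip()
    if not value or value == "null":
        return []
    return [entry for entry in value.split(":") if entry]


def parse_installers(pm_output: str) -> dict:
    """Map package name -> installer package from lines of the form
    `package:<pkg>  installer=<installer or null>`."""
    installers = {}
    for line in pm_output.splitlines():
        line = line.strip()
        if not line.startswith("package:"):
            continue
        pkg_part, _, inst_part = line.partition("installer=")
        pkg = pkg_part[len("package:"):].strip()
        installers[pkg] = inst_part.strip() or "null"
    return installers


def audit(setting_value: str, pm_output: str) -> list:
    """One finding per enabled service not on the allowlist, with its
    installer so a side-loaded app stands out."""
    installers = parse_installers(pm_output)
    findings = []
    for entry in parse_enabled_services(setting_value):
        if entry in EXPECTED_SERVICES:
            continue
        pkg = entry.split("/", 1)[0]
        installer = installers.get(pkg, "unknown")
        findings.append({
            "service": entry,
            "installer": installer,
            "sideloaded": installer != PLAY_STORE_INSTALLER,
        })
    return findings


# Constructed sample output: TalkBack plus an unexpected side-loaded service.
ENABLED_SETTING = (
    "com.google.android.marvin.talkback/"
    "com.google.android.marvin.talkback.TalkBackService:"
    "com.example.protect/com.example.protect.A11yService"
)
PM_LIST = """package:com.google.android.marvin.talkback  installer=com.android.vending
package:com.example.protect  installer=null
package:com.example.messages  installer=com.android.vending
"""

if __name__ == "__main__":
    for finding in audit(ENABLED_SETTING, PM_LIST):
        print(finding)
```

An `installer=null` entry means the package did not come through a store installer, which is what a dropper-delivered payload looks like; an enabled accessibility service in such a package is the red flag the article describes and is worth removing before anything else.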
Original source: The Next Web

