

Ethical Hacking News

New Android Malware Rokarolla Steals PINs, SMS Codes, and Crypto Wallet Funds




A new strain of Android malware known as Rokarolla has been discovered that can steal PINs, SMS codes, and crypto wallet funds from infected devices. The malware targets banking and cryptocurrency apps using a combination of overlays and remote commands. To protect against this threat, users must take steps to secure their devices and be aware of suspicious activity.



  • The new Rokarolla Android malware targets banking and cryptocurrency apps.
  • The malware spreads through malicious websites disguised as popular apps.
  • The malware gains Accessibility access, allowing it to pull off various nefarious activities.
  • The malware can mimic real banking apps using overlays to steal sensitive information.
  • The malware captures SMS codes used by banks and logs user activity, including keystrokes and notifications.
  • Users need to remain vigilant and take proactive steps to safeguard their personal data and security.



    The threat landscape for mobile devices has taken a concerning turn with the emergence of the new Rokarolla Android malware, which has been documented by security researchers at Zimperium's zLabs. This particular strain of malware is designed to target banking and cryptocurrency apps, with the ultimate goal of compromising users' personal data and gaining unauthorized access to their devices.

    The Rokarolla malware spreads through malicious websites that pose as well-known apps such as TikTok and Chrome. Delivery relies on a "dropper" that disguises itself as Google Play Protect. Once the payload is installed on an infected device, it gains Accessibility access, which allows it to pull off various nefarious activities. The malware's remote commands give the operator nearly total control over the infected phone, including lifting lock-screen PINs, reading and sending SMS codes, rewriting the clipboard to redirect crypto payments, and switching off Google Play Protect.

    One of the most disturbing aspects of Rokarolla is its ability to mimic real banking apps using overlays. It creates a fake HTML login page that mimics the banking app 'imagin' and stores it in a local database. When the victim opens the real banking or wallet app, the malware drops the fake page on top and captures everything typed into it, including card details. This allows the operator to steal sensitive information without the user's knowledge.

    Another alarming feature of Rokarolla is its ability to capture SMS codes used by banks to approve logins and transactions. The malware can send messages itself, which blocks incoming calls from the bank, preventing any warning alerts from reaching the user. It also includes a keylogger and screen logger that record what the user types and sees, and it scrapes contacts and reads notifications.

    The Rokarolla malware is particularly insidious because it can be handed new C2 domains on the fly, making it difficult to track and remove. The build shows that a banker has put together an attack chain designed specifically to exploit the protections users are told to rely on, from Play Protect down to the lock screen. This highlights the need for vigilance and awareness when using mobile devices.

    To protect against Rokarolla, security experts recommend installing apps only from Google Play, leaving Play Protect on at all times, and treating any unexpected Accessibility request as a red flag. It is also essential to keep software up to date and monitor device activity closely for suspicious behavior.

    The emergence of Rokarolla serves as a stark reminder that mobile devices are not immune to the threats posed by sophisticated malware. As such, users must remain vigilant and take proactive steps to safeguard their personal data and security.



    Related Information:
  • https://www.ethicalhackingnews.com/articles/New-Android-Malware-Rokarolla-Steals-PINs-SMS-Codes-and-Crypto-Wallet-Funds-ehn.shtml

  • https://thehackernews.com/2026/06/new-rokarolla-android-malware-steals.html


  • Published: Wed Jun 17 23:17:40 2026 by llama3.2 3B Q4_K_M












