A new Android banking trojan named Rokarolla has been discovered, targeting 217 distinct cryptocurrency and banking applications. This highly invasive malware spreads through malicious websites masquerading as popular apps, poses a significant threat to device security, and demonstrates strong stealth techniques. Stay safe online by following best practices and keeping your devices up-to-date.
The world of cybersecurity has witnessed another disturbing development, as a new Android banking trojan named Rokarolla has been discovered. According to a detailed analysis published by Zimperium's zLabs researchers, this malicious app is specifically designed to target and compromise 217 distinct cryptocurrency and banking applications. The Rokarolla malware has been found to spread through malicious websites masquerading as popular applications like TikTok and Chrome, posing a significant threat to the security of users' devices.
The malware's primary goal is to steal credentials, block bank calls, intercept SMS messages, and disable Play Protect. To achieve this, it employs various stealthy techniques, including deploying fraudulent screen overlays, suppressing device audio, and deactivating Google Play Protect. Once the second-stage payload is installed, the malware gains Accessibility Services access, allowing it to simulate user taps, parse on-screen UI elements, inject overlays on top of legitimate apps, and execute automated actions without touching the screen.
The Rokarolla malware also captures every credential entered by the user, including card numbers, and stores it in a local SQLite database. It deploys a fake PIN entry screen that mimics Android's legitimate lock screen interface, capturing any typed input and exfiltrating it to attacker-controlled infrastructure for further exploitation. Furthermore, the malware reads every message on the device, can send messages on behalf of the victim, silently block incoming calls, and mute all device audio and vibrations during active operations.
One of the most concerning aspects of Rokarolla is its ability to operate completely under the radar. It employs multiple techniques to avoid detection and prevent user-initiated removal, including writing the clipboard silently and capturing screenshots of the victim's device without visible indicators.
The C2 infrastructure behind Rokarolla is built for resilience, with multiple fallback domains hardcoded and the ability to receive a fresh list of active C2 addresses at any time. The experts noted that no product flaw is involved here, so there is no patch to apply. Instead, they recommend that users take standard precautions such as installing apps only from Google Play, never granting Accessibility Services to anything that isn't a known assistive tool, and treating any app that asks to become the default SMS or call handler as an immediate red flag.
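As an added example (not code from the original report or from Zimperium), a small POSIX shell audit that checks the two red flags the researchers name on an attached device: Accessibility Services granted to packages that are not known assistive tools, and an unexpected default SMS or dialer app. It assumes adb access and reads the Android secure settings `enabled_accessibility_services`, `sms_default_application` and `dialer_default_application`; the allowlists are assumptions to adjust per fleet.

```shell
#!/bin/sh
# Added audit helper (not Zimperium's code). Flags the two red flags named in
# the report: Accessibility Services granted to unknown packages, and an
# unexpected default SMS or dialer app. Input values are the raw strings from
#   adb shell settings get secure enabled_accessibility_services
#   adb shell settings get secure sms_default_application
#   adb shell settings get secure dialer_default_application
# The allowlists are assumptions for illustration; tune them for your fleet.

ASSISTIVE_ALLOWLIST="com.google.android.marvin.talkback com.android.talkback"
HANDLER_ALLOWLIST="com.google.android.apps.messaging com.android.messaging com.google.android.dialer com.android.dialer"

# in_list WORD LIST: succeeds if WORD is one of the space-separated LIST items
in_list() {
  for w in $2; do [ "$w" = "$1" ] && return 0; done
  return 1
}

# audit_accessibility "pkg/cls:pkg2/cls2": the setting is a ':'-separated list
# of ComponentNames; prints each one whose package is outside the allowlist
# and returns 1 if any were found, 0 otherwise.
audit_accessibility() {
  rest=$1; found=0
  while [ -n "$rest" ]; do
    comp=${rest%%:*}
    case $rest in *:*) rest=${rest#*:} ;; *) rest= ;; esac
    pkg=${comp%%/*}
    if [ -n "$pkg" ] && ! in_list "$pkg" "$ASSISTIVE_ALLOWLIST"; then
      echo "SUSPICIOUS accessibility service: $comp"
      found=1
    fi
  done
  return $found
}

# audit_handler ROLE PKG: returns 1 if the default SMS/dialer app is unexpected
# ("null" or empty means no app holds the role, which is not a finding).
audit_handler() {
  case $2 in ""|null) return 0 ;; esac
  in_list "$2" "$HANDLER_ALLOWLIST" && return 0
  echo "SUSPICIOUS default $1 handler: $2"
  return 1
}

# Live mode (sh audit.sh --live) pulls the three settings from the attached device.
if [ "${1:-}" = "--live" ]; then
  rc=0
  audit_accessibility "$(adb shell settings get secure enabled_accessibility_services | tr -d '\r')" || rc=1
  audit_handler SMS "$(adb shell settings get secure sms_default_application | tr -d '\r')" || rc=1
  audit_handler dialer "$(adb shell settings get secure dialer_default_application | tr -d '\r')" || rc=1
  exit $rc
fi
```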
Zimperium's Mobile Threat Defense and zDefend products detect Rokarolla, and the full IOC list including APK hashes is published on their GitHub repository. The experts emphasized that this malware demonstrates strong stealth, evasion, and persistence techniques designed to avoid detection and prevent user-initiated removal.