Rokarolla is an Android banking trojan that targets 217 specific banking and cryptocurrency apps by deploying phishing overlays to steal login credentials and financial data. It is distributed through malicious websites pretending to offer legitimate apps like Google Chrome or TikTok. Upon installation, it requests Accessibility, notification, SMS, and call permissions to gain extensive control over the device. The malware collects device profile data to uniquely identify victims and uses 137 commands to steal SMS, contacts, keystrokes, screenshots, and manipulate clipboard contents. It employs evasion techniques such as disabling Google Play Protect, hiding its app icon, silencing audio/vibration, and keeping the screen awake. Rokarolla's primary goal is financial theft through advanced fraud enabled by its administrative control. It has not been detected on the official Google Play store.

The malware enables attackers to steal sensitive financial information including login credentials, credit card data, SMS messages, and contact lists from infected Android devices. It can capture lock screen PINs/patterns and operate the device while locked, facilitating unauthorized transactions and fraud. Rokarolla's extensive command set allows persistent surveillance and manipulation of user data and device functions, posing a significant risk of financial loss and privacy breaches for victims.

No official patch or fix is applicable as this is malware rather than a software vulnerability. Users should avoid downloading APK files from untrusted sources and only install apps from the official Google Play store. Exercise caution when granting Accessibility service permissions, as these can be exploited by malware to gain elevated control. Security teams should educate users about the risks of sideloading apps and monitor for suspicious device behavior indicative of malware infection.