New Rokarolla Android Trojan Targets 217 Banking and Crypto Apps
Rokarolla is a newly identified Android banking Trojan that targets 217 banking and cryptocurrency apps. It is distributed through malicious websites posing as popular apps such as TikTok and Chrome; the file the victim downloads is a dropper that impersonates Google Play Protect. Once the payload is installed and the user grants it the Accessibility Service permission, the malware can simulate taps and gestures, inject overlays, capture credentials, block calls, read and send SMS, disable Google Play Protect, and silently capture screen content. Fake login pages are fetched on demand from its command-and-control (C2) server, and the malware keeps operating while the device appears to be locked. It also swaps cryptocurrency wallet addresses copied to the clipboard for attacker-controlled ones and mutes audio and notifications so the victim does not notice the activity. Its C2 infrastructure is built for resilience, and it uses stealth and persistence techniques to evade detection and removal. No software vulnerability is exploited, so there is no patch to apply; mitigation relies on user caution and on security products that detect the malware.
AI Analysis
Technical Summary
Rokarolla is an Android banking Trojan that targets 217 distinct banking and cryptocurrency applications. Its core capabilities are credential theft, SMS interception, silent blocking of incoming calls, and disabling Google Play Protect. Distribution is through malicious websites posing as popular apps; the first stage is a dropper disguised as Google Play Protect so that the install prompt looks legitimate. Once the user enables it as an Accessibility Service, Rokarolla can simulate user interaction, inject fraudulent overlays on top of targeted apps, capture keystrokes, take screen snapshots, and exfiltrate the collected data. Fake login pages are downloaded dynamically from the C2 server and matched to the app the victim opens. The malware can keep working while the device is nominally locked by displaying a fake lock screen that hides the attacker's activity. It also silently rewrites clipboard contents to redirect cryptocurrency transfers and suppresses device audio and vibration so notifications do not alert the user. The C2 infrastructure is resilient, with multiple fallback domains. No underlying product vulnerability is exploited, so no patch exists; mitigation depends on not installing apps from untrusted sources and on restricting which apps may act as Accessibility Services.
Potential Impact
The malware compromises credentials for 217 banking and cryptocurrency apps, letting attackers harvest logins and card numbers and intercept SMS-delivered one-time passwords, which defeats SMS-based two-factor authentication. It silently blocks incoming calls, so fraud-alert calls from a bank never reach the victim, and it mutes audio to hide notifications. Because it keeps running behind a fake lock screen, attackers can issue commands and perform transactions remotely while the device appears idle. Clipboard manipulation diverts cryptocurrency payments by replacing the destination wallet address. Its stealth and persistence techniques make detection and removal difficult, raising the likelihood of financial theft and sustained unauthorized access to the victim's accounts.
Mitigation Recommendations
No official patch or fix exists because Rokarolla exploits no software vulnerability; the controls are behavioral and product-based. Users should install apps only from trusted sources such as the Google Play Store and should never sideload an app that a website offers as TikTok, Chrome, or Google Play Protect. Note that the real Google Play Protect is a built-in part of Google Play services, not a separately downloadable app, so any installer carrying that name is fraudulent. The Accessibility Service permission should be granted only to known assistive applications; on Android 13 and later, restricted settings already block sideloaded apps from enabling accessibility access without an explicit extra confirmation, and users should not bypass that prompt. Any app requesting the default SMS or call handler role should be treated as suspicious and denied. Security products such as Zimperium's Mobile Threat Defense and zDefend detect Rokarolla, so deploying a mobile threat defense solution on managed devices helps identify and block it. Users should watch for unusual device behavior (unexpected muting, missed calls, an unfamiliar lock screen) and avoid clicking links from untrusted websites.
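The mitigations above describe what to look for on a suspect device: an accessibility service enabled for a sideloaded package, and a non-standard app holding the SMS role. The following Python triage script is an added example written for this page, not code from the original report or from Zimperium. It parses the output of three `adb shell` commands an analyst would run against a device with USB debugging enabled (`settings get secure enabled_accessibility_services`, `pm list packages -3 -i`, and `cmd role get-role-holders android.app.role.SMS`) and flags the combination that characterises this family. The package names in the sample output are constructed for illustration and are not indicators from the report.

```python
import re
from dataclasses import dataclass

# Constructed sample output, standing in for what `adb shell` would return on a
# compromised device. The package names are hypothetical, not real IoCs.
SAMPLE_A11Y = (
    "com.example.screenreader/com.example.screenreader.ReaderService:"
    "com.pp.protect/com.pp.protect.A11yService"
)
SAMPLE_PACKAGES = """\
package:com.example.screenreader  installer=com.android.vending
package:com.example.bank  installer=com.android.vending
package:com.pp.protect  installer=null
"""
SAMPLE_SMS_ROLE = "com.pp.protect"

# Default installers considered trustworthy for this triage. Anything else
# (including "null", which pm prints for sideloaded APKs) counts as sideloaded.
TRUSTED_INSTALLERS = {"com.android.vending"}


@dataclass(frozen=True)
class Finding:
    package: str
    reason: str


def parse_accessibility(raw: str) -> set[str]:
    """Return the package names of enabled accessibility services.

    The setting is a colon-separated list of ComponentName strings of the form
    package/service.class; only the package part is needed here.
    """
    raw = raw.strip()
    if not raw or raw == "null":
        return set()
    return {entry.split("/", 1)[0] for entry in raw.split(":") if entry}


def parse_installers(raw: str) -> dict[str, str]:
    """Map package name -> installer package from `pm list packages -i` output."""
    installers = {}
    for line in raw.splitlines():
        m = re.match(r"package:(\S+)\s+installer=(\S+)", line.strip())
        if m:
            installers[m.group(1)] = m.group(2)
    return installers


def triage(a11y_raw: str, packages_raw: str, sms_role_raw: str) -> list[Finding]:
    """Flag sideloaded packages with accessibility access or the SMS role."""
    a11y_pkgs = parse_accessibility(a11y_raw)
    installers = parse_installers(packages_raw)
    sms_holders = {p.strip() for p in sms_role_raw.split() if p.strip()}

    findings = []
    for pkg in sorted(a11y_pkgs):
        # Packages absent from the third-party list are system apps; skip them.
        if pkg in installers and installers[pkg] not in TRUSTED_INSTALLERS:
            findings.append(Finding(pkg, "sideloaded package with accessibility service enabled"))
    for pkg in sorted(sms_holders):
        if pkg in installers and installers[pkg] not in TRUSTED_INSTALLERS:
            findings.append(Finding(pkg, "sideloaded package holds the default SMS role"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_A11Y, SAMPLE_PACKAGES, SAMPLE_SMS_ROLE):
        print(f"[!] {f.package}: {f.reason}")
```

A package that appears in both lists, as `com.pp.protect` does in the constructed sample, matches the behaviour this report describes and should be pulled for analysis rather than simply uninstalled, since the accessibility service can block uninstall dialogs; booting to safe mode or removing it over `adb` is the safer path. The script deliberately ignores system packages, so an installer that is missing from `pm list packages -3` is not flagged.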
Technical Details
- Source Type
- Subreddit: cybersecurity
- Reddit Score: 0
- Discussion Level: minimal
- Content Source: reddit_link_post
- Post Type: link
- Domain: null
- Newsworthiness Assessment: {"score":30,"reasons":["external_link","newsworthy_keywords:trojan","established_author","very_recent"],"isNewsworthy":true,"foundNewsworthy":["trojan"],"foundNonNewsworthy":[]}
- Has External Source: true
- Trusted Domain: false
Threat ID: 6a3296d20b89be68884c08e9
Added to database: 6/17/2026, 12:45:06 PM
Last enriched: 6/17/2026, 12:45:17 PM
Last updated: 6/17/2026, 5:23:31 PM
Views: 8