Rokarolla is an Android malware banking trojan capable of targeting 217 banking and cryptocurrency apps. It is distributed through malicious websites masquerading as legitimate apps like Chrome and TikTok and delivers its payload by impersonating Google Play Protect. Once installed, it requests broad permissions to capture lockscreen credentials (PIN, pattern, password), enabling device takeover. The trojan uses screen overlays to phish credentials, abuses Accessibility Services to harvest WhatsApp contacts, exfiltrates SMS messages, hijacks calls, logs keystrokes, manipulates clipboard data to redirect cryptocurrency transactions, and captures and exfiltrates screenshots with timestamps. It evades detection by hiding its app icon, disabling Google Play Protect, and muting device audio and vibrations to suppress security alerts and verification calls.

The malware enables attackers to take full control of infected Android devices, steal sensitive banking and cryptocurrency credentials, intercept communications, and manipulate cryptocurrency transactions. It compromises user privacy and financial security by harvesting contact information, SMS messages, and lockscreen credentials. The evasion techniques reduce the likelihood of user detection, increasing the risk of prolonged unauthorized access and fraudulent activity.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Users should avoid installing apps from untrusted sources and be cautious of apps impersonating legitimate services like Google Play Protect. Mobile security solutions that detect Rokarolla may help mitigate infection. Since the malware disables Google Play Protect and hides its presence, users should verify device security settings and consider factory resetting infected devices. Follow updates from security vendors like Zimperium for detection and removal tools.