Rokarolla Android Trojan: A New Threat with Total Device Takeover Capabilities
A sophisticated new Android banking trojan, dubbed **Rokarolla**, has been identified by security researchers at **Zimperium's zLabs**. This potent malware targets 217 banking and cryptocurrency applications, wielding 137 remote commands that grant attackers near-total control over infected devices, bypassing standard security measures and pilfering sensitive financial data.

Security researchers at **Zimperium's zLabs** have detailed a formidable new Android banking trojan, **Rokarolla**. This malware is engineered to target 217 banking and cryptocurrency applications, boasting an extensive arsenal of 137 remote commands that allow operators to gain near-total control of an infected smartphone.
### Comprehensive Device Control
**Rokarolla**'s capabilities are alarming. It can capture lock-screen PINs, read and send SMS messages, modify the clipboard to redirect cryptocurrency payments, and even disable **Google Play Protect**. This comprehensive control enables attackers to bypass crucial security layers and execute malicious actions silently.
### Infection Vector and Payload Delivery
Named after its command-and-control (C2) servers, **Rokarolla** propagates through malicious websites that impersonate popular applications such as **TikTok** and **Chrome**. Victims initially install a dropper masquerading as **Google Play Protect**. This deceptive app then facilitates the installation of the main payload and acquires critical Accessibility access. Once the malware is active, one of its initial commands is to disable **Play Protect**, removing a key defensive mechanism.
### Sophisticated Data Theft via Overlays
The trojan's primary method for credential theft involves sophisticated overlay attacks. **Rokarolla** retrieves a target list from its C2 server. For each active banking or wallet application on the device, it downloads a fake HTML login page and stores it locally. When a user opens a legitimate financial app, the malware overlays it with the fake page, capturing all entered credentials and card details.
Zimperium's report highlights an example of such a fake page, mimicking the banking app 'imagin.' A separate overlay mimics the Android lock screen, capturing PINs, patterns, or passwords, thereby allowing attackers to control the device even when it's locked.
### Bypassing SMS-Based Authentication
**Rokarolla** can read every SMS on the device and send messages independently. This capability is sufficient to intercept one-time passwords (OTPs) used by banks for login and transaction approvals. By setting itself as the default app for texts and calls, it can also block incoming calls, preventing users from receiving warning calls from their banks.

### Advanced Surveillance and Evasion Techniques
The malware incorporates a keylogger and screen logger to record user input and visible content. It also scrapes contacts and reads notifications. The clipboard is silently rewritten, substituting attacker wallet addresses during cryptocurrency transactions to redirect funds.
For surveillance, **Rokarolla** avoids the conspicuous MediaProjection screen casting, which typically prompts a visible recording notification. Instead, it captures screenshots via Accessibility services, compresses them to PNG, and exfiltrates them frame by frame. This snapshot-based approach is quieter and simpler than the live hidden VNC capabilities observed in families like **Klopatra**.
### Resilient Infrastructure and Persistent Threat
**Rokarolla** features multiple fallback C2 domains and can receive new ones dynamically, making it resilient to attempts to take down individual servers. Its 137 commands surpass the 107 commands found in the **HOOK trojan**, indicating a sophisticated and evolving threat. The attack methodology aligns with a broader trend seen in a **wave of 2026 Android bankers**, characterized by fake-app droppers, Accessibility abuse, and HTML overlays.
### Mitigation and Defense
As this is a malware campaign and not a product flaw, there is no patch. Effective defenses involve adhering to standard Android security practices:
* **Install apps only from the official Google Play Store.**
* **Keep Google Play Protect enabled.**
* **Be extremely wary of unexpected requests for Accessibility access**, as this permission is central to the entire attack chain.
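The two capabilities this write-up centres on, Accessibility access and the default SMS role, are both visible in device settings, so a triage script can check which third-party apps hold them and whether those apps came from Google Play. The following is an added defender-side example, not Zimperium's or the malware's code; it parses constructed samples of the adb output named in its comments, and the package `com.update.playprotect` is hypothetical.

```python
# Added triage helper: flags third-party apps that hold Accessibility access
# or the default SMS role but were not installed by Google Play. Input is the
# text of three adb commands (constructed samples below):
#   adb shell settings get secure enabled_accessibility_services
#   adb shell settings get secure sms_default_application
#   adb shell pm list packages -3 -i
# com.update.playprotect is a hypothetical package name used for illustration.
PLAY_STORE = "com.android.vending"

SAMPLE_PACKAGES = """\
package:com.example.bank  installer=com.android.vending
package:com.update.playprotect  installer=null
"""
SAMPLE_A11Y = ("com.google.android.marvin.talkback/.TalkBackService:"
               "com.update.playprotect/.SvcAccessibility")
SAMPLE_SMS_DEFAULT = "com.update.playprotect"


def parse_installers(pm_output):
    """Map package name -> installer package, or None when sideloaded."""
    installers = {}
    for line in pm_output.splitlines():
        line = line.strip()
        if not line.startswith("package:"):
            continue
        pkg, _, inst = line[len("package:"):].partition("installer=")
        inst = inst.strip()
        installers[pkg.strip()] = None if inst in ("", "null") else inst
    return installers


def a11y_packages(setting):
    """Split the colon-separated 'pkg/.Service' list into package names."""
    if not setting or setting.strip() == "null":
        return []
    return [entry.split("/", 1)[0] for entry in setting.split(":") if entry]


def audit(pm_output, a11y_setting, sms_default):
    """Return (role, package, installer) for risky third-party role holders.
    Packages absent from the -3 listing are system apps and are skipped."""
    installers = parse_installers(pm_output)
    findings = []
    for pkg in a11y_packages(a11y_setting):
        if pkg in installers and installers[pkg] != PLAY_STORE:
            findings.append(("accessibility", pkg, installers[pkg] or "sideloaded"))
    sms = (sms_default or "").strip()
    if sms in installers and installers[sms] != PLAY_STORE:
        findings.append(("default_sms", sms, installers[sms] or "sideloaded"))
    return findings
```

Run against a live device by substituting the captured adb output for the constructed samples; a sideloaded app that holds both roles at once matches the chain described above and warrants review.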
**Zimperium** confirms that its products can detect this malware family. Indicators of Compromise (IoCs) are available in their [**GitHub repository**](https://github.com/Zimperium/IOC/tree/master/2026-06-Rokarolla).
While **Zimperium** has not attributed **Rokarolla** to a specific threat group, its design clearly demonstrates a deliberate intent to circumvent prevalent user protections, from **Play Protect** to the lock screen, highlighting the continuous need for vigilance in mobile security.