Rokarolla: New Android Trojan Targets 217 Banking and Crypto Apps with Extensive Command Set
A sophisticated new Android banking trojan, dubbed **Rokarolla**, is actively targeting 217 banking and cryptocurrency applications. This malware, distributed via fake Google Chrome and TikTok installers, boasts an extensive set of 137 commands, allowing it to seize complete administrative control of compromised devices and facilitate advanced financial fraud.
Mobile security researchers at **Zimperium** have uncovered a potent new threat to Android users: the **Rokarolla** banking trojan. This malware demonstrates a high degree of sophistication, capable of extensive data theft and device manipulation.
### Distribution and Installation Tactics
**Rokarolla** primarily spreads through malicious websites impersonating legitimate app download portals for **Google Chrome** or **TikTok**. During installation, the malicious app acts as a dropper, masquerading as **Google Play Protect**, Android's native anti-malware system. It then offers users the option to install **Chrome** or **TikTok**, which secretly bundle the **Rokarolla** malware.
Upon launch, **Rokarolla** aggressively requests critical permissions, including Accessibility service access, notifications, SMS, and call logs. These permissions are then leveraged to bypass standard Android security measures and gain elevated control.
### Command and Control Communication
Once installed, **Rokarolla** initiates communication with its command-and-control (C2) server. It transmits a detailed device profile, including the phone model, Android version, locale, display characteristics, battery level, storage, and RAM. This information is used to generate a unique identifier for each victim, facilitating targeted attacks.
### Financial Data Theft and Overlays
**Zimperium** reports that **Rokarolla**'s primary objective is financial information theft. It scans infected devices for a list of 217 targeted banking and cryptocurrency applications. When a matching app is opened, **Rokarolla** deploys convincing phishing overlays to steal login credentials, credit card details, and other sensitive financial data.
Beyond financial data, these overlays are also used to capture lock-screen PINs/patterns, allowing attackers to operate the device even when locked. They also serve as a sophisticated evasion tactic, displaying fake installation screens to hide malicious activity and block user interaction.
### Evasion and Advanced Capabilities
**Rokarolla** employs several evasion techniques, including disabling **Google Play Protect**, hiding its app icon from the drawer, silencing audio and vibration, and keeping the screen awake indefinitely. These tactics ensure persistent access and reduce the likelihood of detection.
**Zimperium** has documented an extensive list of 137 commands available to **Rokarolla** operators in a **GitHub repository**. These commands enable a wide array of malicious activities, including:
* Stealing SMS messages
* Extracting contact information and **WhatsApp** contacts
* Capturing keystrokes
* Recording on-screen content via UI logging
* Copying and manipulating clipboard contents
* Blocking incoming calls and bank fraud alerts
* Periodically taking screenshots with timestamps
This comprehensive command set grants **Rokarolla** operators near-complete administrative control over infected Android devices, enabling advanced financial fraud schemes.
### Recommendations for Users and IT Professionals
**Zimperium** did not find **Rokarolla** on **Google Play**, emphasizing the importance of caution when downloading **APK** files from unofficial sources. Users should only download apps from trusted publishers and exercise extreme vigilance when granting Accessibility permissions, as these can be abused to circumvent core Android security protections.
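As an added triage example (not Zimperium's code, nor anything from the Rokarolla report), the Python below flags apps that show the risk pattern this article describes: enabled as an Accessibility service, sideloaded rather than installed from Google Play, and also requesting SMS or call-log permissions. It parses constructed excerpts in the shape of `adb shell settings get secure enabled_accessibility_services` and `adb shell dumpsys package` output; the package names are made up, and the `dumpsys` layout is assumed to be the older `installerPackageName=` / `requested permissions:` format, which varies by Android version.

```python
import re
# Dangerous permissions the article says the dropper requests (SMS and call logs).
RISKY = {"android.permission." + p for p in ("READ_SMS", "RECEIVE_SMS", "READ_CALL_LOG")}
# Constructed, in the shape of `adb shell settings get secure enabled_accessibility_services`.
ENABLED_A11Y = "com.fakechrome.update/.KeyService:com.example.screenreader/.ReaderService"
# Constructed excerpt in the shape of `adb shell dumpsys package` output (older layout, assumed).
DUMPSYS = """\
Packages:
  Package [com.fakechrome.update] (7c1e2a):
    installerPackageName=null
    requested permissions:
      android.permission.INTERNET
      android.permission.READ_SMS
      android.permission.RECEIVE_SMS
      android.permission.READ_CALL_LOG
  Package [com.example.screenreader] (9d0f11):
    installerPackageName=com.android.vending
    requested permissions:
      android.permission.INTERNET
"""

def parse_dumpsys(text):
    """Return {package: {"installer": str | None, "permissions": set}}."""
    pkgs, current, in_perms = {}, None, False
    for line in text.splitlines():
        if m := re.match(r"\s*Package \[([\w.]+)\]", line):
            current, in_perms = m.group(1), False
            pkgs[current] = {"installer": None, "permissions": set()}
        elif current is None:
            continue
        elif m := re.match(r"\s*installerPackageName=(\S+)", line):
            pkgs[current]["installer"] = None if m.group(1) == "null" else m.group(1)
        elif line.strip() == "requested permissions:":
            in_perms = True
        elif in_perms and line.startswith("      "):  # list entries are indented deeper
            pkgs[current]["permissions"].add(line.strip())
        else:
            in_perms = False  # any other line (next section or package) ends the list
    return pkgs

def flag_suspects(pkgs, a11y_setting):
    """Accessibility-enabled, non-Play packages that also request SMS/call-log access."""
    a11y_pkgs = {entry.split("/")[0] for entry in a11y_setting.split(":") if entry}
    suspects = {}
    for pkg, info in sorted(pkgs.items()):
        risky = sorted(info["permissions"] & RISKY)
        if pkg in a11y_pkgs and risky and info["installer"] != "com.android.vending":
            suspects[pkg] = risky  # {package: [risky permissions]} for an analyst to review
    return suspects
```

On a real device, feed it the live output of the two `adb` commands instead of the constructed strings; a hit is a prompt for review, not proof of infection, since legitimate accessibility tools can hold similar permissions.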
**Google** has confirmed that **Google Play Protect** automatically safeguards Android users against known versions of this malware, provided it is enabled on devices with **Google Play Services**.