Rokarolla Android Trojan Targets 217 Banking and Crypto Apps with 137 Commands
A new Android banking trojan named Rokarolla has been discovered targeting 217 banking and cryptocurrency applications using an extensive set of 137 commands. The malware is distributed via malicious websites impersonating Google Chrome or TikTok download pages. Once installed, it requests Accessibility service permissions and other sensitive permissions, allowing it to take near-complete administrative control over the compromised device.

Rokarolla starts by profiling the device and generating a unique victim identifier. Its primary objective appears to be financial data theft: it checks installed apps against a list of 217 targets and displays fake login overlays to steal credentials, credit card information, and other financial data. Additionally, it can steal lock screen credentials, contact lists, and SMS data, and it uses keylogging to continuously record user input. Evasion tactics include disabling Google Play Protect, hiding its icon, silencing audio and vibration, and keeping the screen awake. Zimperium researchers found the malware is not on Google Play; users are advised to avoid sideloading APKs and to be cautious when granting Accessibility permissions.
Key facts
- Rokarolla targets 217 banking and crypto apps using 137 commands.
- Distributed via fake Google Chrome or TikTok download websites.
- Steals login credentials, SMS, contacts, and lock screen data via overlays and keyloggers.
- Disables Google Play Protect and hides its icon to evade detection.
- Not found on Google Play; users advised to avoid sideloading APKs.
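The two traits the summary ties together, a sideloaded APK and an enabled Accessibility service, can be cross-checked during device triage. The helper below is an added example, not code from this page or from Zimperium; it parses the text that `adb shell settings get secure enabled_accessibility_services` and `adb shell pm list packages -3 -i` return, and assumes the Play Store is the only trusted installer. The sample inputs are constructed.

```python
"""Flag third-party apps with an enabled Accessibility service that
were not installed by a trusted app store (a Rokarolla-style profile)."""
from typing import Dict, List, Set

# Constructed sample of `settings get secure enabled_accessibility_services`:
# colon-separated pkg/ServiceClass entries.
ENABLED_A11Y = (
    "com.example.a11yhelper/com.example.a11yhelper.HelperService:"
    "com.tiktok.update.dl/com.tiktok.update.dl.CoreService"
)

# Constructed sample of `pm list packages -3 -i` (third-party apps, installer).
PM_LIST = """package:com.example.a11yhelper  installer=com.android.vending
package:com.tiktok.update.dl  installer=null
package:com.example.notes  installer=com.android.vending
"""

# Assumption: only the Play Store counts as a trusted installer.
TRUSTED_INSTALLERS = {"com.android.vending"}


def parse_a11y_packages(setting: str) -> Set[str]:
    """Package names of every enabled accessibility service."""
    pkgs = set()
    for entry in setting.strip().split(":"):
        if "/" in entry:  # skips "" and the literal "null" returned when unset
            pkgs.add(entry.split("/", 1)[0])
    return pkgs


def parse_installers(pm_output: str) -> Dict[str, str]:
    """Map package name -> installer package ('null' when sideloaded)."""
    result = {}
    for line in pm_output.splitlines():
        parts = line.split()
        if not parts or not parts[0].startswith("package:"):
            continue
        pkg = parts[0][len("package:"):]
        inst = next((p[len("installer="):] for p in parts[1:]
                     if p.startswith("installer=")), "null")
        result[pkg] = inst or "null"
    return result


def flag_sideloaded_a11y(setting: str, pm_output: str) -> List[str]:
    """Packages with an Accessibility service on AND an untrusted installer."""
    installers = parse_installers(pm_output)
    return sorted(pkg for pkg in parse_a11y_packages(setting)
                  if installers.get(pkg, "null") not in TRUSTED_INSTALLERS)
```

Packages the function returns are candidates for manual review, not verdicts; legitimate accessibility tools installed outside the Play Store will also be listed.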