Technology · Jun 17, 2026 · 2 min read

Rokarolla, the Android Trojan that Steals Credentials and Targets 217 Banking and Crypto Apps

Zimperium zLabs has identified Rokarolla, an Android trojan that targets 217 banking and cryptocurrency applications with an arsenal of 137 remote commands. The researchers' technical analysis describes a setup capable of taking complete control of the infected device: stealing access credentials, intercepting SMS, quietly re-routing cryptocurrency payments, and persistently monitoring user activity.

The infection chain begins with malicious sites that mimic TikTok and Chrome. The first stage is a dropper disguised as Google Play Protect: once installed, it disables the real Google Play Protect and obtains Accessibility Service access along with permissions for SMS, notifications, and call management. Zimperium found no trace of Rokarolla on the Google Play Store; distribution occurs exclusively outside the official channel. One of the identified distribution sites is infocontablidades[.]it[.]com.

Overlay, Keylogger, and Device Control

The central mechanism is the abuse of Android's Accessibility Services. Rokarolla displays fake HTML overlays on top of legitimate banking apps to collect credentials as the victim opens them; it also presents overlays that replicate the system lock screen to capture PINs, unlock patterns, and passwords. It intercepts incoming SMS, a critical capability for bypassing two-factor authentication, and silently rewrites clipboard content to replace crypto wallet addresses with those of the attackers.

Surveillance extends to keylogging and screen logging. Screenshots are captured through the same Accessibility Services rather than MediaProjection, which avoids the visible system checks that MediaProjection would trigger. The malware extracts WhatsApp contacts, blocks incoming calls to prevent the bank from alerting the victim about suspicious activity, hides its icon from the launcher, and keeps the screen on indefinitely while muting audio and vibration. For botnet management, Rokarolla transmits basic telemetry to the control server as soon as it gains access, generating a unique identifier for each compromised device.
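Because every capability in this section hinges on Accessibility Service access, the most useful on-device check a defender can run is an audit of which apps currently hold it. The script below is an added example, not Zimperium's code: it parses the output of two stock adb commands (`settings get secure enabled_accessibility_services` and `pm list packages -3`) and flags any third-party package that holds accessibility access without being on a reviewed allowlist. The sample outputs, the allowlist, and the package name `com.example.playprotect` are constructed for the example; the impersonation heuristic is a hypothetical rule, not a published detection.

```python
# Added example (not Zimperium's code): audit Android Accessibility Service access.
# Inputs are the text output of:
#   adb shell settings get secure enabled_accessibility_services
#   adb shell pm list packages -3        (third-party packages only)
from __future__ import annotations

# Constructed sample of the secure setting. Real output is one colon-separated
# line of "package/service" entries; "null" or an empty string means none enabled.
SAMPLE_ENABLED = (
    "com.android.talkback/com.google.android.marvin.talkback.TalkBackService:"
    "com.example.playprotect/.AccessService"  # hypothetical dropper-style package
)

# Constructed sample of `pm list packages -3`: one "package:<name>" per line.
SAMPLE_THIRD_PARTY = """package:com.example.playprotect
package:com.vendor.bank
package:com.android.talkback
"""

# Constructed allowlist of packages whose accessibility use has been reviewed.
ALLOWLIST = {"com.android.talkback"}


def parse_enabled_services(setting_value: str) -> list[tuple[str, str]]:
    """Split the secure setting into (package, service) pairs.
    An abbreviated service such as '.Svc' is expanded to 'package.Svc'."""
    value = setting_value.strip()
    if not value or value == "null":
        return []
    pairs: list[tuple[str, str]] = []
    for entry in value.split(":"):
        if "/" not in entry:
            continue  # malformed entry: skip rather than crash the audit
        pkg, svc = entry.split("/", 1)
        if svc.startswith("."):
            svc = pkg + svc
        pairs.append((pkg, svc))
    return pairs


def parse_package_list(pm_output: str) -> set[str]:
    """Collect package names from `pm list packages` output."""
    return {
        line[len("package:"):].strip()
        for line in pm_output.splitlines()
        if line.startswith("package:")
    }


def looks_like_impersonation(pkg: str) -> bool:
    """Hypothetical heuristic: a package name that borrows Google/Play Protect
    branding but does not live under Google's own namespaces."""
    name = pkg.lower()
    branded = any(tok in name for tok in ("playprotect", "googleplay", "play_protect"))
    return branded and not name.startswith(("com.google.", "com.android."))


def audit_accessibility(setting_value: str, pm_output: str, allowlist: set[str]) -> list[str]:
    """Return 'package/service' strings for third-party, non-allowlisted holders
    of accessibility access. Impersonating names are flagged even if allowlisted."""
    third_party = parse_package_list(pm_output)
    flagged = []
    for pkg, svc in parse_enabled_services(setting_value):
        if pkg in third_party and (pkg not in allowlist or looks_like_impersonation(pkg)):
            flagged.append(f"{pkg}/{svc}")
    return flagged


if __name__ == "__main__":
    for hit in audit_accessibility(SAMPLE_ENABLED, SAMPLE_THIRD_PARTY, ALLOWLIST):
        print("review accessibility access held by:", hit)
```

On a real device, replace the constructed samples with the captured adb output; anything the audit flags should be checked against the package's signer and origin before it is allowed to keep the service.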

Target, Commands, and C2 Infrastructure

The 217 targeted applications cover banking institutions and cryptocurrency platforms. Communication with control servers occurs via HTTPS; the malware maintains multiple fallback C2 domains and can dynamically receive new ones, so blocking a single indicator is ineffective. Zimperium has published the indicators of compromise on GitHub, including domains, SHA-256 hashes, and the package names involved.
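A published IoC list is only useful once it is matched against local evidence, and feeds like this one are usually defanged (`[.]`), so the first step is normalising the values. The script below is an added example and is not Zimperium's tooling: it loads a small IoC feed, refangs it, and matches domains against DNS log lines (exact or subdomain), package names against `pm list packages` output, and a SHA-256 against file bytes. The only indicator taken from the article is the distribution domain infocontablidades[.]it[.]com; the second domain, the package name, the hash, and all log lines are constructed placeholders.

```python
# Added example (not Zimperium's published tooling): match an IoC feed against
# DNS logs, installed packages and file hashes. Values are constructed except
# the distribution domain named in the article.
from __future__ import annotations
import hashlib
import re

# Constructed stand-in for an APK; its hash is placed in the feed so the
# hash check has something to match offline.
SAMPLE_APK_BYTES = b"constructed stand-in for an APK file"

# Constructed IoC feed in a simple "type,value" form, kept defanged as published.
SAMPLE_IOCS = (
    "# type,value\n"
    "domain,infocontablidades[.]it[.]com\n"          # from the article
    "domain,c2-fallback-placeholder[.]invalid\n"     # constructed placeholder
    f"sha256,{hashlib.sha256(SAMPLE_APK_BYTES).hexdigest()}\n"
    "package,com.example.playprotect\n"              # constructed placeholder
)

# Constructed DNS log lines: "<timestamp> <client> query <qtype> <name>".
SAMPLE_DNS = [
    "2026-06-17T10:00:01Z 10.0.0.12 query A www.infocontablidades.it.com",
    "2026-06-17T10:00:02Z 10.0.0.12 query A updates.example.org",
    "2026-06-17T10:00:03Z 10.0.0.40 query A c2-fallback-placeholder.invalid",
]

# Constructed `pm list packages` output.
SAMPLE_PM = "package:com.vendor.bank\npackage:com.example.playprotect\n"


def refang(value: str) -> str:
    """Undo common defanging: 'x[.]y' -> 'x.y', '(.)' -> '.', 'hxxp' -> 'http'."""
    v = value.strip().lower()
    v = v.replace("[.]", ".").replace("(.)", ".").replace("[:]", ":")
    v = re.sub(r"^hxxps?", lambda m: m.group(0).replace("xx", "tt"), v)
    return v


def load_iocs(text: str) -> dict[str, set[str]]:
    """Parse 'type,value' lines into sets keyed by type; unknown types are ignored."""
    iocs: dict[str, set[str]] = {"domain": set(), "sha256": set(), "package": set()}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        kind, _, value = line.partition(",")
        if kind in iocs:
            iocs[kind].add(refang(value))
    return iocs


def domain_matches(query: str, domains: set[str]) -> str | None:
    """Return the listed domain that the query equals or is a subdomain of."""
    q = refang(query).rstrip(".")
    for d in domains:
        if q == d or q.endswith("." + d):
            return d
    return None


def match_dns_log(lines: list[str], domains: set[str]) -> list[tuple[str, str]]:
    """Return (client, matched_domain) for each log line that resolves a listed domain."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) >= 5 and parts[2] == "query":
            d = domain_matches(parts[4], domains)
            if d:
                hits.append((parts[1], d))
    return hits


def match_packages(pm_output: str, packages: set[str]) -> set[str]:
    """Intersect installed package names with the listed ones."""
    installed = {
        line[len("package:"):].strip()
        for line in pm_output.splitlines()
        if line.startswith("package:")
    }
    return installed & packages


def match_file_hash(data: bytes, hashes: set[str]) -> bool:
    """True if the SHA-256 of the bytes is in the listed set."""
    return hashlib.sha256(data).hexdigest() in hashes


if __name__ == "__main__":
    iocs = load_iocs(SAMPLE_IOCS)
    print("DNS hits:", match_dns_log(SAMPLE_DNS, iocs["domain"]))
    print("package hits:", match_packages(SAMPLE_PM, iocs["package"]))
    print("APK hash listed:", match_file_hash(SAMPLE_APK_BYTES, iocs["sha256"]))
```

The subdomain match matters because of the fallback-domain behaviour described above: a feed entry for a registered domain should also catch hosts the operators spin up beneath it, while a fresh domain received dynamically will not be in the feed at all, which is why the hash and package checks are kept alongside the DNS check.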

With 137 commands, Rokarolla surpasses the HOOK trojan, which had 107, and arrives in a particularly active season for Android bankers: the same pattern (fake dropper, HTML overlay, abuse of Accessibility Services) recurs in variants found in fake streaming apps targeting fans of the 2026 World Cup. Zimperium has not attributed the malware to any named group; at the time of publication, no other independent laboratory had released a separate analysis.