A new Android banking trojan called Rokarolla targets 217 banking and cryptocurrency apps and supports 137 commands. The malware is distributed through malicious websites posing as download pages for Google Chrome or TikTok and can take full control of an infected device.
Its capabilities include stealing lock-screen passwords, contact lists, and text messages, and logging keystrokes to capture what users type. During installation, the dropper impersonates Google Play Protect, Android's built-in anti-malware service, and prompts the user to install a Chrome or TikTok package that actually contains Rokarolla.
Once launched, Rokarolla asks for Accessibility service permissions and for access to notifications, SMS, and calls, according to a report published today by researchers at mobile security firm Zimperium.

Communication with the command-and-control (C2) server begins with the malware sending a basic device profile containing the phone model, Android version, language, screen details, battery level, storage space, and available RAM.
Zimperium says this information is used to generate a unique identifier for each victim of the Rokarolla campaign.
According to Zimperium, the malware's main goal is stealing financial data. It scans the infected device for installed apps, compares them against its target list of 217 applications, and downloads phishing overlays for any that match.
When the victim opens a targeted app, Rokarolla displays a fake login screen over it to capture credentials, credit card details, and other financial data.

The overlays are not used only for stealing data. The malware uses the same technique to capture the lock-screen PIN or pattern, so it can control the device even while it is locked.
Overlays also conceal the malware's actions and block user interaction by displaying fake installation screens when needed.

Other tricks include disabling Google Play Protect, hiding the app icon from the app drawer, muting audio and vibration, and keeping the screen on at all times.
Zimperium has published a GitHub page listing all 137 commands supported by Rokarolla. Some of the data-theft commands are:
Steal SMS messages
Extract contact information and WhatsApp contacts
Capture keystrokes
Record on-screen content via UI logging
Copy and manipulate the clipboard contents
Block incoming calls and bank fraud alerts
Periodically take screenshots and upload them with timestamps
Combined, these features give Rokarolla's operators near-total control over a compromised Android device, enabling serious financial fraud.
Zimperium did not find the malware on Google Play, the official Android app store. Users should avoid downloading APK files from other sources unless they fully trust the publisher.
Users should also be cautious when granting Accessibility permissions, because they can be abused to bypass normal Android security controls, letting malicious apps drive the user interface or approve system prompts on the user's behalf, which is exactly what much Android malware is after.
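As an added defender-side example (not from the article or from Zimperium), the following Python script triages an AndroidManifest.xml for the permission combination described above: an Accessibility service binding, notification access, SMS, call control, overlays, and the ability to install a second APK. The sample manifest and the permission-to-capability mapping are constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Capability groups the article attributes to Rokarolla, mapped to the Android
# permissions that grant them. The mapping is this example's assumption.
CAPABILITIES = {
    "accessibility": {"android.permission.BIND_ACCESSIBILITY_SERVICE"},
    "notifications": {"android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"},
    "sms": {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS"},
    "calls": {"android.permission.READ_CALL_LOG", "android.permission.ANSWER_PHONE_CALLS"},
    "overlay": {"android.permission.SYSTEM_ALERT_WINDOW"},
    "installer": {"android.permission.REQUEST_INSTALL_PACKAGES"},
}

# Constructed manifest mimicking a fake "Chrome" dropper; not a real sample.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android">
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <application>
    <service android:name=".A11y"
        android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
    <service android:name=".Listener"
        android:permission="android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"/>
  </application>
</manifest>"""

def declared_permissions(manifest_xml):
    """Return <uses-permission> names plus the bind permissions declared on
    services, which is where accessibility and notification listeners live."""
    root = ET.fromstring(manifest_xml)
    perms = {e.get(ANDROID_NS + "name") for e in root.iter("uses-permission")}
    perms |= {s.get(ANDROID_NS + "permission") for s in root.iter("service")}
    return {p for p in perms if p}

def matched_capabilities(manifest_xml):
    """Capability groups for which at least one granting permission is present."""
    perms = declared_permissions(manifest_xml)
    return {cap for cap, granting in CAPABILITIES.items() if perms & granting}

def triage(manifest_xml, threshold=4):
    """Flag a manifest that stacks `threshold` or more capability groups;
    legitimate apps rarely need accessibility, overlays, SMS and call access together."""
    caps = matched_capabilities(manifest_xml)
    return len(caps) >= threshold, caps

if __name__ == "__main__":
    print(triage(SAMPLE_MANIFEST))
```

The threshold is deliberately coarse: a single group such as SMS access is normal for many apps, and it is the stacking of groups that makes a manifest worth a closer look.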
InfoSecBulletin Cybersecurity for mankind
