Wednesday , July 8 2026
Rokarolla

New Rokarolla Android malware hits 217 banking and crypto apps

A new Android banking trojan called Rokarolla is hitting 217 banking and cryptocurrency apps with a wide range of 137 commands. The harmful software spreads through bad websites pretending to offer the Google Chrome or TikTok app and can gain full control over a hacked device.

Its abilities include stealing lock screen passwords, contact lists, and text messages, and using keyloggers to record what users type. During installation, the app pretends to be Google Play Protect, which helps keep Android safe from malware. It tries to trick users into installing Chrome or TikTok, which have the Rokarolla malware.

Thousands of MCP Servers Exposed to File Access and Injection Attacks

Thousands of Model Context Protocol (MCP) servers have serious security flaws like file access issues, command injection, server-side request forgery...
Read More
Thousands of MCP Servers Exposed to File Access and Injection Attacks

CERT/CC Alerts to Hidden Admin Backdoor in Tenda Router Firmware

Several Tenda firmware versions have a hidden backdoor that lets people gain admin access to the device's web interface. An...
Read More
CERT/CC Alerts to Hidden Admin Backdoor in Tenda Router Firmware

Daily Cyber security update for 6. 07. 2026

Cyberattacks are rising around the world, including ransomware, malware, data leaks, and hacked websites. These events show how complex and...
Read More
Daily Cyber security update for 6. 07. 2026

“Bad Epoll” 0-Day Vulnerability Allows Root Access on Linux Servers, Android Devices

A new Linux flaw called “Bad Epoll” (CVE-2026-46242) lets regular users get root access on Linux servers, desktops, and Android...
Read More
“Bad Epoll” 0-Day Vulnerability Allows Root Access on Linux Servers, Android Devices

An AI performed a cyber attack without any human help for the first time

Security experts found what they think is the first time an AI carried out a cyber attack all by itself....
Read More
An AI performed a cyber attack without any human help for the first time

Singapore major data centres, cloud providers could incur fine up to $1m

Major data center and cloud service providers might have to pay a fine of up to $1 million or up...
Read More
Singapore major data centres, cloud providers could incur fine up to $1m

IBM-managed instance breach exposes personal data of 70,000 in Singapore

The Singapore Land Authority (SLA) has announced that the personal details of around 70,000 people were leaked after someone accessed...
Read More
IBM-managed instance breach exposes personal data of 70,000 in Singapore

Alibaba Reportedly Bans Claude Code for Suspected AI Tool Backdoor

Alibaba is said to be getting ready to ban the use of Anthropic’s Claude Code in its own systems starting...
Read More
Alibaba Reportedly Bans Claude Code for Suspected AI Tool Backdoor

CISA KEV Adds SharePoint RCE CVE-2026-45659 After Active Exploits

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added a serious problem affecting Microsoft SharePoint Server to its list of...
Read More
CISA KEV Adds SharePoint RCE CVE-2026-45659 After Active Exploits

Nepal Unveils First “Hall of Fame” for Ethical Hackers

Nepal has started a 'Hall of Fame' program to honor cybersecurity researchers who safely report security flaws in government digital...
Read More
Nepal Unveils First “Hall of Fame” for Ethical Hackers

When you start Rokarolla on your device, it asks for permissions to use Accessibility services, and to access notifications, SMS, and calls, researchers from the mobile security company Zimperium say in a report today.

                                              The installation process Source: Zimperium

Communication with the command-and-control (C2) server starts by sending a simple device profile. This profile has information like the phone model, Android version, language, screen details, battery level, storage space, and available RAM.

Zimperium says this information creates a unique ID for each victim in the Rokarolla campaign.

Zimperium says the malware mainly aims to steal money information. To do this, it looks at the infected device and checks it against a list of 217 apps it wants to target. Then it downloads the phishing files for any apps that match.

When the victim opens an app, Rokarolla shows a fake login screen to take login details, credit card info, and other financial data.

                                                                      Financial data theft process, Source: Zimperium

The use of overlays isn’t just for stealing data. The malware also uses this trick to get the lock-screen PIN or pattern and control the device even if it is locked.

Overlays also hide malware actions and stop users from interacting by showing fake installation screens when necessary.

                     PIN overlay (left) and fake installation overlay (right) Source: Zimperium

Some other tricks include turning off Google Play Protect, hiding the app icon from the app drawer, making audio and vibrations silent, and keeping the screen on all the time.

Zimperium made a GitHub page that has all 137 commands for Rokarolla. Some of the commands for stealing data are:

Steal SMS messages
Extract contact information and WhatsApp contacts
Capture keystrokes
Record on-screen content via UI logging
Copy and manipulate the clipboard contents
Block incoming calls and bank fraud alerts
Periodically take screenshots and upload them with timestamps

The mix of these features gives Rokarolla users almost total control over a hacked Android device, allowing them to pull off serious financial scams.

Zimperium did not find any malware on Google Play, which is the official place for Android apps. Users should not download APK files from anywhere else unless they really trust the publisher.

Users need to be careful when giving Accessibility permissions. This is because these permissions can be misused to get around normal Android security and let bad apps control the user interface or approve system messages, which is often what Android malware wants.

Check Also

SharePoint

CISA KEV Adds SharePoint RCE CVE-2026-45659 After Active Exploits

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added a serious problem affecting Microsoft SharePoint …