Safety researchers at Zimperium’s zLabs have documented a brand new Android banking trojan, Rokarolla, that targets 217 banking and cryptocurrency apps and packs 137 distant instructions.
Collectively, they offer an operator near-total management of an contaminated cellphone: it lifts lock-screen PINs, reads and sends SMS, rewrites the clipboard to redirect crypto funds, and switches off Google Play Defend.
Rokarolla, named after its command-and-control servers, spreads by means of malicious web sites posing as well-known apps reminiscent of TikTok and Chrome.
The very first thing a sufferer installs is a dropper that pretends to be Google Play Defend. It makes use of that disguise to get the payload put in and seize Accessibility entry. As soon as the malware is operating, one in every of its instructions turns Play Defend off.
The theft runs by means of overlays. Rokarolla pulls a goal record from its server, and for every app flagged lively, it downloads a pretend HTML login web page and shops it in a neighborhood database. When the sufferer opens the actual banking or pockets app, the malware drops the pretend web page on prime and captures every part typed into it, card particulars included.
The report reveals one such pretend web page mimicking the banking app ‘imagin.’ A separate overlay mimics the Android lock display screen to seize the PIN, sample, or password, which lets the operator management the cellphone even whereas it’s locked.
It reads each SMS on the system and may ship messages itself, which is sufficient to seize the SMS one-time codes banks use to approve logins and transactions. By making itself the cellphone’s default app for texts and calls, it will possibly additionally block incoming calls, so a warning name from the financial institution by no means will get by means of.
A keylogger and display screen logger report what the person varieties and sees, and the trojan scrapes contacts and reads notifications. The clipboard will get rewritten silently, swapping in attacker pockets addresses so a copied crypto fee lands within the mistaken account.
For surveillance, Rokarolla skips the standard MediaProjection display screen casting, which throws a visual recording immediate, and as an alternative takes screenshots by means of Accessibility, compresses them to PNG, and ships them out one body at a time. That snapshot strategy is less complicated and quieter than the stay hidden VNC seen in households like Klopatra.
The malware carries a number of fallback C2 domains and might be handed new ones on the fly, so pulling a single server does little. It is 137 instructions outnumber the 107 Zimperium counted within the HOOK trojan, and the playbook is similar one operating by means of a wave of 2026 Android bankers: fake-app droppers, Accessibility abuse, and HTML overlays.
There is no such thing as a patch to use right here. That is malware, not a product flaw, so the defenses are the usual ones for Android bankers. Set up apps solely from Google Play, go away Play Defend on, and deal with any sudden Accessibility request as a crimson flag, since that one permission drives the entire assault chain.
Zimperium says its personal merchandise detect the household, and the symptoms of compromise are in its GitHub repository.
Zimperium didn’t tie Rokarolla to a named group. What the construct reveals is intent: a banker put collectively to beat the precise protections customers are instructed to depend on, from Play Defend all the way down to the lock display screen.
