Rokarolla

The attack chain begins when a user visits a malicious website like infocontablidades.it.com . These pages actually contain the malware, hidden inside files that look like popular programs such as TikTok or Google Chrome.

When a victim opens an authentic financial application, it queries the server’s endpoint to fetch fake HTML-based phishing pages. It then displays these fake login screens right on top of the legitimate apps.

Rokarolla ... spreads through malicious websites posing as well-known apps such as TikTok and Chrome. The first thing a victim installs is a dropper that pretends to be Google Play Protect.

It uses that disguise to get the payload installed and grab Accessibility access. ... the playbook is the same one running through a wave of 2026 Android bankers: fake-app droppers, Accessibility abuse, and HTML overlays.

Once installed, the malware asks for permission to use Android Accessibility Services. Then, it takes over these services to monitor the phone screen and track coordinates without user intervention.

It uses that disguise to get the payload installed and grab Accessibility access. ... the playbook is the same one running through a wave of 2026 Android bankers: fake-app droppers, Accessibility abuse, and HTML overlays.

Once installed, the malware asks for permission to use Android Accessibility Services. Then, it takes over these services to monitor the phone screen and track coordinates without user intervention.

These pages actually contain the malware, hidden inside files that look like popular programs such as TikTok or Google Chrome. When a victim downloads this file, a secondary dropper runs first, disguised as a Google Play Protect security tool.

The theft runs through overlays. Rokarolla pulls a target list from its server, and for each app flagged active, it downloads a fake HTML login page ... When the victim opens the real banking or wallet app, the malware drops the fake page on top and captures everything typed into it, card details included.

A keylogger and screen logger record what the user types and sees...

It reads every SMS on the device and can send messages itself, which is enough to grab the SMS one-time codes banks use to approve logins and transactions.

A separate overlay mimics the Android lock screen to capture the PIN, pattern, or password, which lets the operator control the phone even while it is locked.

The theft runs through overlays. Rokarolla pulls a target list from its server, and for each app flagged active, it downloads a fake HTML login page ... When the victim opens the real banking or wallet app, the malware drops the fake page on top and captures everything typed into it, card details included.

A keylogger and screen logger record what the user types and sees...

For surveillance, Rokarolla skips the usual MediaProjection screen casting ... and instead takes screenshots through Accessibility, compresses them to PNG, and ships them out one frame at a time.

The clipboard gets rewritten silently, swapping in attacker wallet addresses so a copied crypto payment lands in the wrong account.

This highly invasive malware is named after its command-and-control infrastructure... Researchers noted that the malware has 137 commands available to control the phone

Rokarolla pulls a target list from its server ... it downloads a fake HTML login page ... The malware carries multiple fallback C2 domains and can be handed new ones on the fly...

The malware carries multiple fallback C2 domains and can be handed new ones on the fly, so pulling a single server does little.

...takes screenshots through Accessibility, compresses them to PNG, and ships them out one frame at a time.

Once the malware is running, one of its commands turns Play Protect off.