Rokarolla Android Trojan Targets 217 Banking and Crypto Apps
Zimperium’s zLabs has identified a new Android banking trojan, Rokarolla, that targets 217 banking and cryptocurrency applications and gives attackers broad control over infected devices through 137 remote commands. The malware is distributed via malicious websites impersonating popular apps such as TikTok and Chrome, then installs a secondary dropper disguised as Google Play Protect to obtain Accessibility permissions and deploy the payload. Researchers said Rokarolla steals credentials with fake overlays and phishing pages placed over legitimate financial apps and even the device lock screen, enabling theft of usernames, passwords, PINs, and SMS one-time codes.
Beyond financial theft, Rokarolla supports deep surveillance and device manipulation, including keylogging, screenshot and screen-log capture, contact and notification scraping, WhatsApp data theft, call suppression, sound muting, clipboard hijacking to reroute cryptocurrency transfers, and disabling Google Play Protect scans. Zimperium said the malware also uses multiple fallback command-and-control domains and a Pseudo-VNC capability to maintain resilient access and monitor victims in near real time, underscoring how Android banking trojans are evolving from credential theft into full device takeover that can bypass multi-factor authentication protections.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
1 event from the most recent confirmed update back to the earliest known activity.
Zimperium zLabs identifies Rokarolla Android banking trojan
Zimperium’s zLabs researchers documented a new Android banking trojan named Rokarolla. The malware targets 217 banking and cryptocurrency applications, uses a fake Google Play Protect dropper and Accessibility abuse, and supports extensive fraud and surveillance capabilities including 137 remote commands.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
10 references tracked. Mallory keeps watching after this page renders.
Rokarolla Banking Trojan Targets 200 Applications - SecurityWeek
securityweek.com
Open sourceNew Rokarolla Android Trojan Targets 217 Banking and Crypto Apps - Security Affairs
securityaffairs.com
Open sourceHackers Use Rokarolla Android Malware to Disable Google Play Protect and Control Devices
cybersecuritynews.com
Open sourceRokarolla Android trojan targets banking and crypto users, enables device takeover - Help Net Security
helpnetsecurity.com
Open sourceRokarolla Android Banking Trojan Enables Device Takeover
bankinfosecurity.com
Open sourceRokarolla Android Trojan Levels Up to Full Device Control, Persistence
darkreading.com
Open sourceRokarolla Android Banking Trojan Enables Device Takeover
govinfosecurity.com
Open sourceNew Rokarolla Android malware targets 217 banking, crypto apps
bleepingcomputer.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Four Android Banking Trojans Target 800+ Apps With MFA-Bypassing Overlays
Zimperium zLabs identified four Android malware families—**RecruitRat, SaferRat, Astrinox, and Massiv**—in active campaigns targeting users of more than **800 banking, cryptocurrency, and social media apps**. The malware is being spread through phishing sites, smishing messages, fake job application and streaming lures, counterfeit app-store pages, and bogus updates that trick victims into installing malicious APKs. Researchers said the campaigns rely heavily on overlay attacks, with fake login screens placed over legitimate apps to steal credentials; **RecruitRat** alone reportedly includes more than **700** fraudulent login pages. Once installed, the trojans abuse Android features including **Accessibility Services**, the **Session Installation API**, **MediaProjection**, overlays, and **WebView** to gain persistence, intercept SMS and one-time passwords, log keystrokes, enumerate apps, steal contacts, freeze screens, stream displays, and remotely control infected devices. The malware also uses anti-analysis techniques such as APK tampering, encrypted strings, reflection, dynamic DEX loading, and environment-aware execution, while command-and-control traffic is sent over HTTPS or WebSockets, with RecruitRat additionally using **RC4** encryption. Researchers warned the activity creates enterprise risk because infected employee devices can enable account takeover, bypass MFA, and expose corporate resources.
Apr 20, 2026
OverlayPhantom Android Trojan Targets 180+ Banking and Crypto Apps
Researchers identified **OverlayPhantom**, a previously undocumented Android banking trojan distributed through malicious URLs that impersonate trusted apps including Austria’s **ID Austria** and **TikTok**. The malware uses a two-stage infection chain: a dropper installs a payload disguised as **Google Play Services**, then abuses Android **Accessibility Service** to gain persistent control of the device. Investigators said the campaign has been active since early May 2025 and is aimed at large-scale financial fraud across Western markets. OverlayPhantom targets more than **180 banking, financial, and cryptocurrency applications** across **10 countries**, using embedded HTML overlay phishing pages to steal credentials and payment data. The malware also leverages Android’s **MediaProjection API** for near-real-time JPEG screen streaming and supports more than **30 remote commands**, including gesture simulation, clipboard manipulation, fake notifications, device locking, and PIN or password capture. Its command-and-control infrastructure was tied to `199.217[.]99[.]122`, using non-standard ports `9091`, `9092`, and `9090` for command execution, device reporting, and screen streaming.
Jun 1, 2026
Android Banking Trojan Masquerades as News and ID Apps to Steal Credentials and Crypto
A sophisticated Android banking Trojan, identified as Android/BankBot-YNRK, has been discovered targeting users primarily in Indonesia and potentially other Southeast Asian countries. The malware disguises itself as legitimate applications, including news readers and digital ID apps such as "Identitas Kependudukan Digital," to trick users into installation. Once installed, it leverages Android's accessibility features and device administrator privileges to gain extensive control over the device, allowing it to read on-screen content, simulate user actions, and overlay fake login screens on top of real banking and cryptocurrency apps to harvest credentials. The Trojan employs advanced evasion techniques, such as checking for emulators to avoid detection, obfuscating its code, and muting device notifications to operate stealthily. It connects to a remote command-and-control server to exfiltrate sensitive data, including banking credentials and cryptocurrency wallet keys, and can receive further instructions to update itself or erase traces. The malware's primary objective is financial theft, enabling attackers to drain victims' bank accounts and crypto wallets without their knowledge. Security researchers note that the malware's abuse of accessibility permissions is mitigated in Android 14, which requires explicit user approval for such access, but devices running Android 13 and earlier remain vulnerable.
Mar 21, 2026