A newly discovered Android banking trojan has been observed going beyond draining accounts, seizing near-total control of a phone and cutting victims off from their banks so fraud can run undetected.
Named Rokarolla after its command-and-control (C2) servers, the malware was detailed by zLabs, the research arm of mobile security firm Zimperium, which found it targeting 217 banking and cryptocurrency apps through a toolkit of 137 commands.
It spreads through malicious sites that masquerade as TikTok or Google Chrome, using a dropper that poses as Google Play Protect to slip a second-stage payload past Android’s defenses and onto the device.
“The Rokarolla trojan marks a shift from data theft to victim isolation,” explained Jason Soroko, senior fellow at certificate-management firm Sectigo, who described Rokarolla turning the phone into a weapon against its owner.
Read more: Android Malware Targets Banking Users Through Discord Channels
To keep that grip, Rokarolla makes itself the device’s default handler for calls and texts. It can block incoming calls and read or send SMS messages, letting it swallow the one-time codes and fraud alerts a bank would normally use to flag a suspect transfer.
It also mutes the phone’s audio and vibration to hide alert tones, hides its own icon from the app drawer and forces the screen to stay awake so its hidden activity is never interrupted.
Fake Screens and Stolen Logins
The theft leans on Accessibility Services, the Android feature for assistive apps, which Rokarolla abuses to read the screen and drive the interface. From there it harvests:
-
Banking and crypto logins, captured by fake overlay screens
-
Lock screen PINs, patterns and passwords
-
Keystrokes and on-screen text
-
SMS messages, including bank one-time codes
-
WhatsApp contacts, scraped from the display
When a victim opens a targeted app, the malware drops a convincing fake login page, fetched from its server, over the real one.
It can also rewrite the clipboard on the fly, swapping in an attacker’s cryptocurrency wallet address when the victim copies their own.
For surveillance, rather than streaming the screen live, Rokarolla quietly takes timestamped screenshots and exfiltrates them one by one. It also tries to disable Google Play Protect to keep itself hidden.
The campaign coincides with a substantial increase in mobile threats. Randolph Barr, CISO at API security firm Cequence Security, noted, “Android continues to face banking trojans and data-leaking SDKs,” citing tens of millions of mobile malware incidents blocked in 2024 alone.