Security researchers at Zimperium’s zLabs team have discovered a new Android banking trojan named Rokarolla, designed to conduct large-scale financial fraud and full device surveillance. The malware is named after its command-and-control infrastructure used to remotely control infected devices.
According to researchers, Rokarolla is particularly dangerous because it targets 217 banking and cryptocurrency applications while also enabling near-total control over infected Android phones.
Infection and Delivery Method
The attack begins when users visit malicious websites, such as infocontablidades.it.com, which host disguised malware files. These files are presented as legitimate applications like TikTok or Google Chrome to trick users into downloading them.
Once installed, a secondary dropper activates. This dropper is disguised as a fake Google Play Protect security tool and is responsible for installing the main malicious payload.
After installation, the malware requests access to Android Accessibility Services, which allows it to monitor screen activity, track user interactions, and gain deep system control. It also attempts to set itself as the default SMS handler and call manager to intercept communications.
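The two device-level footholds described above (an enabled accessibility service and the default SMS handler role) are both visible through Android's secure settings, which makes them useful triage points for a defender examining a suspect device. The script below is an added example and not part of Zimperium's report or tooling: it parses the output of `adb shell settings get secure enabled_accessibility_services` and `adb shell settings get secure sms_default_application` (both real `Settings.Secure` keys) and flags entries outside a reviewer-maintained allowlist. The allowlists, the `com.example.fakeplayprotect` package name and the sample setting values are constructed for illustration.

```python
"""Triage helper: flag unexpected accessibility services and SMS handlers.

Added example for the article above; assumes the caller has already captured
the two `adb shell settings get secure ...` values as strings.
"""

from dataclasses import dataclass, field

# Constructed allowlist of accessibility services the reviewer has vetted.
# A real deployment maintains its own list of approved package names.
TRUSTED_ACCESSIBILITY = {
    "com.google.android.marvin.talkback",
}

# Constructed allowlist of packages expected to hold the default SMS role.
TRUSTED_SMS_APPS = {
    "com.google.android.apps.messaging",
}


@dataclass
class TriageResult:
    suspicious_accessibility: list = field(default_factory=list)
    sms_handler: str = ""
    sms_handler_trusted: bool = True

    @property
    def flagged(self) -> bool:
        # Any unvetted accessibility service or SMS handler warrants review.
        return bool(self.suspicious_accessibility) or not self.sms_handler_trusted


def parse_accessibility_services(raw: str) -> list:
    """Parse the colon-separated `enabled_accessibility_services` value.

    Each entry is a flattened component name (`package/class`); `settings get`
    prints the literal string `null` when the setting has never been written.
    """
    raw = raw.strip()
    if not raw or raw == "null":
        return []
    return [entry for entry in raw.split(":") if entry]


def triage(accessibility_raw: str, sms_default_raw: str) -> TriageResult:
    """Compare captured settings against the allowlists and report findings."""
    result = TriageResult()
    for entry in parse_accessibility_services(accessibility_raw):
        package = entry.split("/", 1)[0]
        if package not in TRUSTED_ACCESSIBILITY:
            result.suspicious_accessibility.append(entry)
    sms_app = sms_default_raw.strip()
    result.sms_handler = "" if sms_app == "null" else sms_app
    # An unset handler is not itself suspicious; an unknown one is.
    result.sms_handler_trusted = (
        not result.sms_handler or result.sms_handler in TRUSTED_SMS_APPS
    )
    return result


# Constructed sample values standing in for real `settings get` output:
# TalkBack plus a second, unvetted service, and an unexpected SMS handler.
SAMPLE_ACCESSIBILITY = (
    "com.google.android.marvin.talkback/"
    "com.google.android.marvin.talkback.TalkBackService:"
    "com.example.fakeplayprotect/.svc.AccessSvc"
)
SAMPLE_SMS = "com.example.fakeplayprotect"

if __name__ == "__main__":
    report = triage(SAMPLE_ACCESSIBILITY, SAMPLE_SMS)
    print("flagged:", report.flagged)
    for entry in report.suspicious_accessibility:
        print("unvetted accessibility service:", entry)
    if not report.sms_handler_trusted:
        print("unexpected default SMS handler:", report.sms_handler)
```

A hit from this check is a starting point for investigation rather than a verdict: legitimate screen readers, password managers and automation apps also request Accessibility Services, so the allowlist should reflect what the organisation actually approves.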
Financial Fraud and Phishing Techniques
Rokarolla uses advanced overlay attacks to steal financial credentials. When a user opens a legitimate banking or crypto app, the malware contacts its command server and loads a fake HTML-based login page on top of the real application.
It can also display fake PIN prompts over the device lock screen, tricking users into entering sensitive credentials outside secure environments.
Full Device Takeover Capabilities
Researchers report that Rokarolla contains 137 remote commands that allow attackers to fully control infected devices. These commands enable:
- Keylogging and screen monitoring
- SMS and WhatsApp data theft
- Screenshot capture and clipboard interception
- Real-time UI tracking of user actions
The malware uses a Pseudo-VNC system that continuously captures screen snapshots, giving attackers live visual access to the device without detection.
One of its most dangerous features is clipboard hijacking, where it silently replaces copied cryptocurrency wallet addresses during transactions, redirecting funds to attacker-controlled accounts.
Evasion and Persistence
To avoid detection, Rokarolla disables security alerts, blocks incoming calls, and mutes device sounds to prevent users from noticing fraud alerts from banks.
It also disables Google Play Protect, prevents security scans, and keeps the screen active continuously so its background processes remain uninterrupted.
Growing Mobile Threat Concerns
Security experts warn that Rokarolla reflects a broader trend in mobile malware evolution, shifting from simple data theft to full device compromise. By controlling communication channels like SMS and calls, attackers can bypass multi-factor authentication systems and other security protections.
Experts also highlight that mobile threats are increasing rapidly, with millions of social engineering attacks, malware infections, and phishing attempts targeting smartphones each year.
The trojan highlights not only risks to individual users but also to organizations, as employer verification systems and APIs can become additional attack surfaces if compromised.