- A new Android banking trojan named Rokarolla targets 217 banking and cryptocurrency applications.
- It uses sophisticated overlay attacks and 137 remote commands to gain near-total control of infected devices, stealing login credentials and redirecting cryptocurrency payments.
- The malware disables Google Play Protect and spreads through malicious websites posing as popular apps like TikTok and Chrome.
Security researchers at Zimperium's zLabs documented a new Android banking trojan in June 2026, according to their report. This malware, named Rokarolla, is designed to target 217 banking and cryptocurrency apps using 137 remote commands for complete device control. It spreads via malicious websites disguised as well-known applications.
Once installed, a dropper disguised as Google Play Protect grants the malware Accessibility permissions. Rokarolla can then disable Play Protect and execute its extensive attack toolkit. The theft primarily occurs through HTML overlay attacks on legitimate financial apps.
For each targeted app, the malware downloads a fake login page from its server. When a victim opens the real app, this overlay captures everything typed, including card details. A separate overlay mimics the Android lock screen to steal the device’s PIN, pattern, or password.
The trojan also reads and sends SMS messages, allowing it to intercept one-time banking codes. Meanwhile, it rewrites the clipboard to swap cryptocurrency wallet addresses and redirect payments. For surveillance, it uses Accessibility services to take silent screenshots instead of triggering visible recording prompts.
The malware’s capabilities, detailed in the company’s GitHub repository, outnumber earlier threats like the HOOK trojan. There is no software patch, as this is malware, not a product flaw. Therefore, standard defenses like installing apps only from Google Play and scrutinizing Accessibility requests are critical.
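One way to act on the advice to scrutinize Accessibility grants, as an added example that is not from Zimperium's report: the script below cross-checks the enabled Accessibility services on a device against each package's install source, using saved output from standard `adb` commands. The `com.example.*` package names and all sample output are constructed for illustration.

```python
# Added example: flag enabled Accessibility services that did not come from Google Play.
# Inputs are the saved text output of three standard adb commands:
#   adb shell settings get secure enabled_accessibility_services
#   adb shell pm list packages -i      (package plus installer)
#   adb shell pm list packages -s      (preinstalled system packages)
PLAY_STORE = "com.android.vending"

# Constructed sample data (hypothetical com.example.* packages), not from the report.
SAMPLE_SERVICES = (
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:"
    "com.example.protect/com.example.protect.HelperService:"
    "com.example.passmgr/com.example.passmgr.FillService"
)
SAMPLE_INSTALLERS = """\
package:com.google.android.marvin.talkback  installer=null
package:com.example.protect  installer=com.google.android.packageinstaller
package:com.example.passmgr  installer=com.android.vending
"""
SAMPLE_SYSTEM = "package:com.google.android.marvin.talkback\n"

def parse_enabled_services(raw):
    """Return [(package, component)] from the colon-separated settings value."""
    raw = raw.strip()
    if not raw or raw == "null":          # nothing enabled
        return []
    return [(c.split("/", 1)[0], c) for c in raw.split(":") if "/" in c]

def parse_packages(raw):
    """Map package -> installer ('null' if absent) from 'package:<name> ...' lines."""
    result = {}
    for line in raw.splitlines():
        line = line.strip()
        if line.startswith("package:"):
            name, _, rest = line[len("package:"):].partition(" ")
            result[name] = rest.partition("installer=")[2].strip() or "null"
    return result

def audit(services_raw, installers_raw, system_raw):
    """Return [(component, installer)] for non-system services not installed by Play."""
    installers = parse_packages(installers_raw)
    system = set(parse_packages(system_raw))
    return [(comp, installers.get(pkg, "unknown"))
            for pkg, comp in parse_enabled_services(services_raw)
            if pkg not in system and installers.get(pkg, "unknown") != PLAY_STORE]

if __name__ == "__main__":
    for comp, src in audit(SAMPLE_SERVICES, SAMPLE_INSTALLERS, SAMPLE_SYSTEM):
        print(f"REVIEW: {comp} (installed by {src})")
```

A flagged entry is a prompt for manual review, not a verdict: legitimately sideloaded tools will also appear here.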
