TL;DR: Zimperium found Rokarolla, an Android trojan targeting 217 banking apps with 137 commands. It steals PINs, intercepts SMS, and hijacks crypto payments.

Security researchers at Zimperium’s zLabs have documented a new Android banking trojan that targets 217 banking and cryptocurrency applications and carries 137 remote commands, giving an operator near-total control of an infected phone. The malware, which Zimperium calls Rokarolla after its command-and-control infrastructure, can steal lock-screen PINs, read and send SMS messages, rewrite the clipboard to redirect cryptocurrency payments, and disable Google Play Protect.

Rokarolla spreads through malicious websites that impersonate popular applications such as TikTok and Chrome. The first thing a victim installs is a dropper disguised as Google Play Protect, which uses that masquerade to install the main payload and obtain Accessibility access. Once running, one of the trojan’s first commands turns Play Protect off, removing the primary automated defence most Android users rely on.

The financial theft works through overlays. Rokarolla pulls a target list from its server, and for each banking or wallet app flagged as active, it downloads a fake HTML login page and stores it in a local database. When the victim opens the legitimate app, the malware drops the counterfeit page on top and captures everything typed into it, including card details and login credentials.