Rokarolla Android Banking Trojan Blends Fraud with Full Device Surveillance
A new Android banking trojan named Rokarolla is targeting 217 banking and cryptocurrency apps with overlay attacks and SMS interception, while also capturing screen content and recording audio for long-term victim monitoring.

A newly discovered Android banking trojan has been observed going beyond draining accounts, seizing near-total control of a phone and cutting victims off from their banks so fraud can run undetected.
Named Rokarolla after its command-and-control (C2) servers, the malware was detailed by zLabs, the research arm of mobile security firm Zimperium, which found it targeting 217 banking and cryptocurrency apps through a toolkit of 137 commands. It spreads through malicious sites that masquerade as TikTok or Google Chrome, using a dropper that poses as Google Play Protect to slip a second-stage payload past Android's defenses and onto the device.
"The Rokarolla trojan marks a shift from data theft to victim isolation," explained Jason Soroko, senior fellow at certificate-management firm Sectigo, who described Rokarolla turning the phone into a weapon against its owner.
To keep that grip, Rokarolla makes itself the device's default handler for calls and texts. It can block incoming calls and read or send SMS messages, letting it swallow the one-time codes and fraud alerts a bank would normally use to flag a suspect transfer. It also mutes the phone's audio and vibration to hide alert tones, hides its own icon from the app drawer and forces the screen to stay awake so its hidden activity is never interrupted.
The theft leans on Accessibility Services, the Android feature for assistive apps, which Rokarolla abuses to read the screen and drive the interface. From there it harvests banking and crypto logins captured by fake overlay screens, lock screen PINs, patterns and passwords, keystrokes and on-screen text, SMS messages including bank one-time codes, and even WhatsApp contacts scraped from the display.
When a victim opens a targeted app, the malware drops a convincing fake login page fetched from its server over the real one. It can also rewrite the clipboard on the fly, swapping in an attacker's cryptocurrency wallet address when the victim copies their own. For surveillance, rather than streaming the screen live, Rokarolla quietly takes timestamped screenshots and exfiltrates them one by one. It also tries to disable Google Play Protect to keep itself hidden.
The campaign coincides with a substantial increase in mobile threats. Randolph Barr, CISO at API security firm Cequence Security, noted, "Android continues to face banking trojans and data-leaking SDKs," citing tens of millions of mobile malware incidents blocked in 2024 alone.
Rokarolla underscores the growing sophistication of mobile malware that combines credential theft, SMS interception, and device surveillance into a single attack. The dual threat — financial fraud and privacy invasion — poses significant risks to users in Europe and Latin America, where the campaign appears concentrated.
The Hacker News report adds new technical detail: the trojan not only launches overlay attacks and intercepts SMS but also actively disables Google Play Protect to evade defenses, and it hijacks clipboard data to redirect cryptocurrency payments to attacker-controlled wallets. The 137 remote commands give operators near-total device control, including the ability to capture lock-screen PINs in real time.
Zimperium's follow-up report on Rokarolla reveals that the trojan now uses a sophisticated suite of 137 commands to achieve full device control and persistence, going beyond the overlay and SMS interception described earlier. The updated malware deploys fake TikTok and Chrome download sites, actively disables Google Play Protect, suppresses all device audio and vibration to hide fraud activity, and employs dynamic C2 updates with multiple fallback domains to resist takedowns. The extensive command set includes harvesting lock screen credentials, keylogging, blocking incoming calls, and deploying fraudulent screen overlays that render the device nearly unusable by the owner while intercepting bank alerts.