Zimperium's zLabs Uncovers Rokarolla, New Android Banking Trojan Targeting 217 Financial Apps
Rokarolla’s primary functions include lifting lock‑screen PINs, reading and forwarding SMS messages, rewriting the clipboard to redirect cryptocurrency payments, and disabling the Google Play Store. The trojan is delivered via a dropper that downloads a fake HTML login page for each targeted app and stores it locally.
The trojan’s design follows a pattern common to recent Android banking malware. Once installed, it requests accessibility permissions and, if granted, can intercept user input across the device. By capturing PINs and SMS verification codes, the attacker can authenticate to banking and crypto services. Clipboard manipulation allows the trojan to replace legitimate transaction data with fraudulent instructions, effectively hijacking cryptocurrency transfers.
Zimperium’s analysis shows that Rokarolla pulls its target list from a remote server. For each active application, the trojan downloads a custom login page that mimics the legitimate app’s interface. When a user enters credentials, the trojan records the information and forwards it to the attacker’s command‑and‑control infrastructure. The 137 remote commands include functions such as disabling Google Play, which prevents the user from installing security updates or new protective apps.
Android banking trojans have been a persistent threat since the early 2010s. Recent examples include DoubleTrouble, which spreads through Discord, and GodFather, which targets over 400 apps across multiple countries. Rokarolla adds to this growing list, demonstrating that attackers continue to refine their techniques to bypass newer operating‑system restrictions and exploit user trust.
The impact of Rokarolla is significant for both individual users and the broader financial ecosystem. By targeting a large number of banking and crypto apps, the trojan increases the attack surface for financial fraud. The ability to intercept PINs and SMS codes means that attackers can potentially access accounts without the user’s knowledge. Clipboard hijacking further expands the threat to include unauthorized cryptocurrency transfers.
Mitigation strategies remain largely the same as for other mobile malware. Users should avoid sideloading applications from unverified sources, keep their operating system and apps up to date, and use reputable security solutions that monitor for suspicious behavior. Mobile security vendors can incorporate Rokarolla’s signatures into their detection engines, and app developers can implement additional verification steps, such as two‑factor authentication that is not solely reliant on SMS.
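As an added illustration of the developer-side mitigation against the clipboard rewriting described above (example code, not from Zimperium's report or the trojan itself): a wallet app records the address it places on the clipboard and re-verifies the clipboard content immediately before the transaction is submitted, so a value swapped in by another process is refused. The class names, labels and address strings are constructed for the demo.

```python
class ClipboardGuard:
    """Remembers every address the app itself wrote to the clipboard so the
    value can be re-checked right before it is used in a transaction."""

    def __init__(self):
        self._expected = {}  # label -> address the app placed on the clipboard

    def record_copy(self, label, address):
        """Call at the moment the app writes `address` to the clipboard."""
        self._expected[label] = address

    def verify(self, label, clipboard_value):
        """Return (ok, reason). ok is False when the clipboard was rewritten,
        or when the app never wrote this value (user pasted from elsewhere)."""
        expected = self._expected.get(label)
        if expected is None:
            return False, "no app-originated copy recorded; require explicit user confirmation"
        if clipboard_value != expected:
            return False, "clipboard content changed after the app wrote it"
        return True, "clipboard intact"


def changed_positions(original, pasted):
    """Indices at which two addresses differ, for an explicit warning screen."""
    n = max(len(original), len(pasted))
    return [i for i in range(n)
            if i >= len(original) or i >= len(pasted) or original[i] != pasted[i]]


class FakeClipboard:
    """Constructed stand-in for the system clipboard so the demo runs offline."""
    def __init__(self):
        self.text = ""


def demo():
    """Simulate copy, malware rewrite, and the pre-transaction check."""
    clip = FakeClipboard()
    guard = ClipboardGuard()
    original = "bc1q-constructed-payee-address-0001"    # constructed sample value
    clip.text = original
    guard.record_copy("payee", original)
    ok_before, _ = guard.verify("payee", clip.text)
    clip.text = "bc1q-constructed-attacker-address-99"  # simulated rewrite by malware
    ok_after, _ = guard.verify("payee", clip.text)
    return ok_before, ok_after
```

The check only covers addresses the app itself copied; for an address pasted from elsewhere the app has nothing to compare against and should fall back to explicit user confirmation of the full string.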
Zimperium’s report does not yet detail whether Rokarolla has been observed in the wild or if it is still in a testing phase. The research team continues to monitor the trojan’s command‑and‑control infrastructure for activity. As Android 16 and subsequent updates roll out, developers and security researchers will need to assess whether new platform protections can mitigate the trojan’s techniques.
In summary, Rokarolla represents a sophisticated addition to the catalog of Android banking trojans. Its broad target list, extensive command set, and ability to intercept critical authentication data underscore the ongoing risk to mobile financial services. Users, developers, and security vendors should remain vigilant and prepare defenses against this emerging threat.