A new Android trojan called Rokarolla targets 217 banking apps and can steal your PIN, SMS codes, and crypto wallet funds

This story continues at The Next Web.

Zimperium found Rokarolla, an Android trojan targeting 217 banking apps with 137 commands. It steals PINs, intercepts SMS, and hijacks crypto payments.

Security researchers at Zimperium’s zLabs have documented a new Android banking trojan that targets 217 banking and cryptocurrency applications and carries 137 remote commands, giving an operator near-total control of an infected phone. The malware, which Zimperium calls Rokarolla after its command-and-control infrastructure, can steal lock-screen PINs, read and send SMS messages, rewrite the clipboard to redirect cryptocurrency payments, and disable Google Play Protect.

Rokarolla spreads through malicious websites that impersonate popular applications such as TikTok and Chrome. The first thing a victim installs is a dropper disguised as Google Play Protect, which uses that masquerade to install the main payload and obtain Accessibility access. Once running, one of the trojan’s first commands turns Play Protect off, removing the primary automated defence most Android users rely on.

The financial theft works through overlays. Rokarolla pulls a target list from its server, and for each banking or wallet app flagged as active, it downloads a fake HTML login page and stores it in a local database. When the victim opens the legitimate app, the malware drops the counterfeit page on top and captures everything typed into it, including card details and login credentials.

A separate overlay mimics the Android lock screen to harvest the device’s PIN, pattern, or password, which lets the operator issue commands even while the phone is locked. The trojan reads every SMS on the device and can send messages itself, which is sufficient to intercept the one-time codes banks use to authorise transactions. By making itself the default handler for texts and calls, it can also block incoming calls, preventing fraud alert notifications from reaching the user.

A keylogger and screen logger record what the user types and sees, while the trojan scrapes contacts and reads notifications. The clipboard is rewritten silently, swapping in attacker-controlled wallet addresses so a copied cryptocurrency payment lands in the wrong account. For surveillance, Rokarolla skips the usual MediaProjection screen-casting method, which throws a visible recording prompt, and instead takes screenshots through Accessibility, compresses them to PNG, and ships them out one frame at a time.
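For defenders triaging a handset, the combination described above (a sideloaded app that holds Accessibility access and is also the default SMS handler) can be checked from captured `adb shell` output. The following is an added example, not code from Zimperium or the original article; it assumes the three inputs were collected with `settings get secure enabled_accessibility_services`, `settings get secure sms_default_application` and `pm list packages -3 -i`, and every package name in it is constructed.

```python
# Added example: triage captured `adb shell` output for the privilege pairing
# the article describes. All package names below are constructed.
TRUSTED_INSTALLERS = {"com.android.vending"}  # assumption: Play Store only

def parse_accessibility(raw):
    """Output of `settings get secure enabled_accessibility_services`."""
    raw = raw.strip()
    if raw in ("", "null"):
        return set()
    # Entries are colon-separated "package/service.Class" components.
    return {c.split("/", 1)[0] for c in raw.split(":") if c}

def parse_third_party(raw):
    """Output of `pm list packages -3 -i` -> {package: installer or None}."""
    apps = {}
    for line in raw.splitlines():
        fields = line.split()
        if not fields or not fields[0].startswith("package:"):
            continue
        installer = None
        for f in fields[1:]:
            if f.startswith("installer=") and f != "installer=null":
                installer = f.split("=", 1)[1]
        apps[fields[0][len("package:"):]] = installer
    return apps

def triage(a11y_raw, sms_raw, packages_raw):
    """Flag sideloaded third-party apps holding Accessibility or the SMS role."""
    a11y = parse_accessibility(a11y_raw)
    sms = sms_raw.strip()
    findings = []
    for pkg, installer in sorted(parse_third_party(packages_raw).items()):
        if installer in TRUSTED_INSTALLERS:
            continue
        held = [name for name, hit in (("accessibility", pkg in a11y),
                                       ("default_sms", pkg == sms)) if hit]
        if held:
            severity = "high" if len(held) == 2 else "review"
            findings.append((pkg, severity, held))
    return findings

# Constructed sample output from a hypothetical device.
A11Y = "com.example.fakeprotect/.Svc:com.example.reader/com.example.reader.Tts"
SMS = "com.example.fakeprotect\n"
PKGS = """package:com.example.fakeprotect  installer=null
package:com.example.reader  installer=com.android.vending
package:com.example.notes  installer=com.example.browser
"""

if __name__ == "__main__":
    for finding in triage(A11Y, SMS, PKGS):
        print(finding)
```

A "high" finding is a prompt for manual review of the app, not proof of infection; legitimate sideloaded accessibility tools will also appear as "review".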

Zimperium did not attribute Rokarolla to a named
