Rokarolla, a newly reported Android trojan, targets 217 banking and cryptocurrency applications, a sweeping reach for a single piece of malware. According to mobile-security firm Zimperium, it arrives disguised as legitimate apps and can seize near-complete control of an infected phone.
Infection chain: malicious sites offering Chrome or TikTok APKs
Zimperium’s report traces Rokarolla’s distribution to malicious websites that purport to provide the Google Chrome or TikTok apps. During installation the malicious package behaves as a dropper and impersonates Google Play Protect, offering users the choice to install Chrome or TikTok — both of which include the Rokarolla payload.
Once launched, the app requests Android Accessibility service permissions and asks for access to notifications, SMS, and calls — capabilities Zimperium says the malware abuses to bypass standard protections and to interact with the user interface at a higher level.
Capabilities: 137 commands and focused financial theft
Zimperium documents an extensive command set for Rokarolla — 137 commands in total — designed to harvest credentials and financial information. The malware checks every infected device against a list of 217 targeted banking and cryptocurrency applications and will download a phishing payload tailored to any matching app.
When a targeted app is opened, Rokarolla displays a fake login overlay to capture login credentials, credit card data and other financial inputs. Zimperium says the combination of overlays and the large command set indicates Rokarolla’s primary objective is theft of financial information.
Zimperium published a GitHub repository containing the full list of 137 commands. Among the data-theft and monitoring capabilities Zimperium highlights are:
- Steal SMS messages
- Extract contact information and WhatsApp contacts
- Capture keystrokes
- Record on-screen content via UI logging
- Copy and manipulate the clipboard contents
- Block incoming calls and bank fraud alerts
- Periodically take screenshots and upload them with timestamps
Evasion, persistence and device control
Zimperium’s analysis shows Rokarolla uses overlays not only to steal credentials but also to capture lock-screen PINs or patterns and to operate while the device is locked. Overlays are also used to hide malicious activity and to block user interaction by displaying fake installation screens when useful to the attacker.
Other evasion and persistence tactics documented by Zimperium include disabling Google Play Protect, hiding the application icon from the app drawer, silencing audio and vibration, and keeping the screen awake indefinitely. Together, these measures give operators near-complete administrative control over an infected device, Zimperium warns.
Command-and-control profiling and unique identifiers
Communication with Rokarolla’s command-and-control server begins with the malware sending a basic device profile. Zimperium lists the collected fields as phone model, installed Android version, locale, display characteristics, battery level, storage capacity, and available RAM. That information is used to generate a unique identifier for each victim in the campaign, the report says.
What this means for end users, security teams, and app stores
End users: Zimperium’s advisory includes practical cautions — avoid downloading APK files outside Google Play unless you explicitly trust the publisher, and exercise caution when granting Accessibility permissions, since they can be abused to bypass protections.
Security teams: Rokarolla’s layered approach — overlays, Accessibility abuse, a broad command set and C2 profiling — raises detection and response challenges. Zimperium’s findings dovetail with a statistic cited in the source material showing that security teams log 54% of successful attacks and alert on just 14%, underscoring how advanced malware can move unseen unless detection content and incident-response playbooks are actually exercised.
App stores and platform defenders: The malware was not found on Google Play, according to Zimperium. That fact shifts attention to external APK distribution channels and to educating users about fake installers and Play Protect impersonation used during setup.
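The permission pattern described above (an Accessibility service plus notification, SMS and call access, requested by an app that was sideloaded from a fake installer) is something a security team can check for on a managed fleet without any vendor tooling. The script below is an added example, not Zimperium's code or part of the original story: it parses the output of a few standard `adb shell` commands (`settings get secure enabled_accessibility_services`, `settings get secure enabled_notification_listeners`, `pm list packages -3`, `dumpsys package`, `appops get ... SYSTEM_ALERT_WINDOW`) and ranks third-party packages by how many high-risk grants they combine. All device output here is constructed sample text, and the package names (`com.example.fakechrome` and so on) are placeholders, so the script runs offline.

```python
"""Triage helper (added example): rank third-party Android packages by how many
high-risk grants they combine. Feeds on constructed text shaped like adb output."""
import re

# Constructed sample of: adb shell settings get secure enabled_accessibility_services
ACCESSIBILITY_SERVICES = (
    "com.google.android.marvin.talkback/.TalkBackService:"
    "com.example.fakechrome/.AccService"
)
# Constructed sample of: adb shell settings get secure enabled_notification_listeners
NOTIFICATION_LISTENERS = "com.example.fakechrome/.NotifListener"
# Constructed sample of: adb shell pm list packages -3   (third-party packages only)
THIRD_PARTY_PACKAGES = """package:com.example.fakechrome
package:com.example.bank
package:com.example.notes
"""
# Constructed sample of: adb shell dumpsys package <pkg> | grep installerPackageName
INSTALLER = {
    "com.example.fakechrome": "installerPackageName=null",
    "com.example.bank": "installerPackageName=com.android.vending",
    "com.example.notes": "installerPackageName=com.android.vending",
}
# Constructed sample of: adb shell appops get <pkg> SYSTEM_ALERT_WINDOW
OVERLAY_APPOP = {
    "com.example.fakechrome": "SYSTEM_ALERT_WINDOW: allow",
    "com.example.bank": "SYSTEM_ALERT_WINDOW: deny",
    "com.example.notes": "No operations.",
}

PLAY_STORE = "com.android.vending"


def packages_in_setting(value: str) -> set[str]:
    """Turn a colon-separated list of 'package/Class' entries into package names."""
    if not value or value.strip() == "null":
        return set()
    return {entry.split("/", 1)[0] for entry in value.split(":") if entry.strip()}


def parse_pm_list(text: str) -> set[str]:
    """Extract package names from 'package:<name>' lines."""
    return {m.group(1) for m in re.finditer(r"^package:(\S+)$", text, re.M)}


def is_sideloaded(dumpsys_line: str) -> bool:
    """True unless dumpsys attributes the install to Google Play."""
    m = re.search(r"installerPackageName=(\S+)", dumpsys_line)
    return m is None or m.group(1) != PLAY_STORE


def overlay_allowed(appops_line: str) -> bool:
    """True when the draw-over-other-apps appop is granted."""
    return re.search(r"SYSTEM_ALERT_WINDOW:\s*allow", appops_line) is not None


def triage(pm_list=THIRD_PARTY_PACKAGES, acc=ACCESSIBILITY_SERVICES,
           notif=NOTIFICATION_LISTENERS, installer=INSTALLER, overlay=OVERLAY_APPOP):
    """Return [(package, [findings...])], most suspicious combination first."""
    acc_pkgs = packages_in_setting(acc)
    notif_pkgs = packages_in_setting(notif)
    results = []
    for pkg in sorted(parse_pm_list(pm_list)):
        findings = []
        if pkg in acc_pkgs:
            findings.append("accessibility service enabled")
        if pkg in notif_pkgs:
            findings.append("notification listener enabled")
        if overlay_allowed(overlay.get(pkg, "")):
            findings.append("SYSTEM_ALERT_WINDOW allowed")
        if is_sideloaded(installer.get(pkg, "")):
            findings.append("not installed by Google Play")
        results.append((pkg, findings))
    # Stable sort: packages stacking the most risky grants float to the top.
    results.sort(key=lambda r: -len(r[1]))
    return results


if __name__ == "__main__":
    for pkg, findings in triage():
        print(f"{pkg}: {len(findings)} finding(s) {findings}")
```

On a real device, capture the five command outputs per package and pass them in; a lone Accessibility grant is legitimate for assistive and automation apps, so treat the score as a triage ordering for analyst review rather than a verdict.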
Rokarolla’s combination of precise targeting (217 named apps), a massive command library (137 commands), and aggressive UI-level control highlights a persistent pattern: attackers increasingly stack privilege-escalation techniques that turn normal device features into attack surfaces. Zimperium’s report and GitHub repository provide concrete indicators and a command catalog defenders can use, while the simple mitigations the researchers recommend — avoid unvetted APKs and restrict Accessibility grants — remain immediate, actionable steps for users and defenders alike.
Read the full Zimperium-backed report at the original story: https://www.bleepingcomputer.com/news/security/new-rokarolla-android-malware-targets-217-banking-crypto-apps/