Rokarolla targets 217 banking and cryptocurrency apps and packs 137 remote commands, according to Zimperium's zLabs — a combination the researchers say gives an operator near-total control of an infected phone.
Rokarolla's scope and intent, as reported by Zimperium
Security researchers at Zimperium's zLabs documented a new Android banking trojan they named Rokarolla. Zimperium says the family targets 217 banking and cryptocurrency apps and implements 137 remote commands. The company did not tie Rokarolla to a named group; instead, Zimperium writes that "what the build shows is intent: a banker put together to beat the exact protections users are told to rely on, from Play Protect down to the lock screen."
Installation and disguise: the Play Protect dropper
Rokarolla spreads through malicious websites that pose as well-known apps such as TikTok and Chrome. The first component a victim installs is a dropper that masquerades as Google Play Protect. That disguise is used both to install the payload and to request Accessibility access — the permission Zimperium calls "the one permission [that] drives the whole attack chain." Once the malware is running, one of its commands can turn Play Protect off.
Data theft techniques: overlays, lock-screen capture, SMS and clipboard manipulation
The core theft mechanism is HTML overlays. Rokarolla pulls a target list from its command-and-control server and, for each flagged app, downloads a fake HTML login page that it stores in a local database. When the victim opens the targeted banking or wallet app, the trojan drops the fake page on top and captures everything typed into it, including card details — Zimperium illustrates this with an overlay that mimics the banking app "imagin."
Rokarolla also deploys a separate overlay that imitates the Android lock screen to capture PINs, patterns, or passwords, allowing an operator to control the device even when it is locked. The malware reads every SMS on the device and can send messages itself, which Zimperium notes is sufficient to steal one-time SMS codes banks use to approve logins and transactions. By making itself the phone's default app for texts and calls, Rokarolla can block incoming calls so a bank's warning call never reaches the user.
Other local exfiltration tools include a keylogger and screen logger that record input and what the user sees, scraping of contacts and notifications, and silent clipboard rewriting that swaps in attacker wallet addresses so copied crypto payments land in attacker-controlled accounts.
Command-and-control, surveillance, and resilience
Rokarolla uses multiple fallback command-and-control domains and can be handed new domains on the fly, reducing the impact of seizing a single server. For surveillance, it avoids the visible MediaProjection screen-casting prompt and instead takes screenshots through Accessibility, compresses them to PNG, and exfiltrates them one frame at a time — a snapshot approach Zimperium describes as "simpler and quieter" than the live hidden VNC used by other families. Zimperium contrasts Rokarolla's 137 remote commands with the 107 it counted in the HOOK trojan, and places Rokarolla's techniques in the same 2026 playbook of fake-app droppers, Accessibility abuse, and HTML overlays.
There is no software patch to apply: Zimperium classifies Rokarolla as malware rather than a flaw in any product. The firm says its own products detect the family and that indicators of compromise are available in its GitHub repository.
What this means for technologists, end users, and adversaries
- Technologists and security teams: watch for indicators of compromise published by Zimperium in its repository, monitor for apps requesting unexpected Accessibility access, and look for signs of overlay pages, clipboard replacement, and changes to default SMS/call handlers.
- End users and the general public: follow Zimperium's recommended defenses — install apps only from Google Play, leave Play Protect enabled, and treat any unexpected Accessibility request as a red flag, since that permission enables the trojan's core functions.
- Adversaries and threat actors: Rokarolla demonstrates a tested playbook — fake-app droppers, Accessibility abuse, HTML overlays — that has been used through the 2026 wave of Android bankers and that emphasizes bypassing Play Protect and lock-screen protections.
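Two of the checks in the technologists' bullet above, unexpected Accessibility grants and a changed default SMS or call handler, can be read straight off a managed device with adb. The script below is an added example, not Zimperium tooling; it parses the real `settings get secure enabled_accessibility_services` and `cmd role get-role-holders` outputs, the allowlist and expected role holders are constructed placeholders a team would replace with its own baseline, and the ';'-separated format assumed for role holders is an assumption. The sample output at the bottom is constructed so the script runs offline.

```python
"""Device triage for two footholds the article attributes to Rokarolla:
Accessibility services granted to unexpected packages, and the default SMS
and call (dialer) roles being reassigned. Added example, not Zimperium code."""
import subprocess

# Constructed allowlist: packages a fleet normally expects to hold Accessibility access.
KNOWN_ACCESSIBILITY_PACKAGES = {
    "com.google.android.marvin.talkback",
    "com.android.switchaccess",
}

# Constructed expectation of which packages should hold the SMS and dialer roles.
EXPECTED_ROLE_HOLDERS = {
    "android.app.role.SMS": "com.google.android.apps.messaging",
    "android.app.role.DIALER": "com.google.android.dialer",
}


def adb_shell(*args):
    """Run `adb shell <args>` and return stdout; only used against a live device."""
    out = subprocess.run(["adb", "shell", *args], capture_output=True, text=True, check=True)
    return out.stdout


def parse_accessibility_services(raw):
    """Parse `settings get secure enabled_accessibility_services`.
    The value is a colon-separated list of package/ServiceClass entries;
    an empty value or the literal 'null' means nothing is enabled."""
    raw = raw.strip()
    if not raw or raw == "null":
        return []
    return [entry for entry in raw.split(":") if entry]


def parse_role_holders(raw):
    """Parse `cmd role get-role-holders <role>`. Assumption: holders are
    printed on one line separated by ';' (a single package in practice)."""
    return [pkg.strip() for pkg in raw.strip().split(";") if pkg.strip()]


def triage(accessibility_raw, role_raw_by_name):
    """Return human-readable findings; an empty list means nothing was flagged."""
    findings = []
    for entry in parse_accessibility_services(accessibility_raw):
        package = entry.split("/", 1)[0]
        if package not in KNOWN_ACCESSIBILITY_PACKAGES:
            findings.append(f"unexpected Accessibility service enabled: {entry}")
    for role, raw in role_raw_by_name.items():
        expected = EXPECTED_ROLE_HOLDERS.get(role)
        for holder in parse_role_holders(raw):
            if holder != expected:
                findings.append(f"{role} held by {holder} (expected {expected})")
    return findings


def triage_live_device():
    """Collect the same settings from an attached device and triage them."""
    acc = adb_shell("settings", "get", "secure", "enabled_accessibility_services")
    roles = {
        role: adb_shell("cmd", "role", "get-role-holders", role)
        for role in EXPECTED_ROLE_HOLDERS
    }
    return triage(acc, roles)


# Constructed sample output imitating a compromised device: a third-party
# package (hypothetical name) holds Accessibility access and the SMS role.
SAMPLE_ACCESSIBILITY = (
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService"
    ":com.example.fakeprotect/.AccService"
)
SAMPLE_ROLES = {
    "android.app.role.SMS": "com.example.fakeprotect\n",
    "android.app.role.DIALER": "com.google.android.dialer\n",
}

if __name__ == "__main__":
    for finding in triage(SAMPLE_ACCESSIBILITY, SAMPLE_ROLES):
        print(finding)
```

On a fleet, `triage_live_device()` would be run per device and any non-empty result raised as a ticket; the Accessibility check is the higher-signal one, since the article identifies that single permission as the driver of the whole attack chain.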
Rokarolla's design — a dropper posing as Play Protect, overlays that mimic real apps and the lock screen, SMS interception, clipboard hijacking, quiet screenshot exfiltration, and a broad command set — makes clear what Zimperium describes as the malware's aim: to defeat the user-facing protections people are told to rely on. Because there is no bug to patch, the immediate defensive steps are behavioral and procedural; Zimperium's detection and published indicators are the technical countermeasures it points to today.