Security researchers have uncovered a sophisticated Android malware campaign distributing a trojan named Rokarolla. The malware is designed to extract financial data from users by targeting over two hundred banking and cryptocurrency applications through deceptive overlays and extensive device control capabilities.
The Rokarolla trojan spreads via malicious websites that mimic legitimate app downloads, specifically posing as Google Chrome or TikTok installers. Once installed, the malware disguises itself as Google Play Protect, Android’s built-in security feature, to gain user trust during the setup process. This social engineering tactic is critical for obtaining the permissions necessary to execute its payload.
How the malware operates
Rokarolla begins its attack by requesting Accessibility service permissions, along with access to notifications, SMS, and call logs. These permissions allow the malware to interact with the device’s user interface, monitor user activity, and bypass standard security protections. Upon installation, it sends a detailed device profile to its command-and-control (C2) server, including hardware specifications, Android version, and system settings. This data is used to generate a unique identifier for each infected device, enabling targeted attacks.
The trojan checks the infected device against a predefined list of 217 financial applications, including banking and cryptocurrency platforms. When a targeted app is launched, Rokarolla deploys a fake login overlay to capture credentials, credit card details, and other sensitive information. These overlays are also used to steal lock-screen PINs or patterns, effectively granting the malware persistent access to the device even when locked. Additionally, the malware employs evasion techniques such as disabling Google Play Protect, hiding its app icon, and suppressing audio or vibration alerts to avoid detection.
- Rokarolla targets 217 banking and cryptocurrency apps with fake login overlays.
- The malware uses 137 commands, including keylogging, SMS theft, and clipboard manipulation.
- Distribution occurs via malicious websites impersonating Chrome or TikTok installers.
- Rokarolla disables Google Play Protect and hides its icon to evade detection.
- Zimperium researchers confirmed the malware is not present on Google Play.
Impact on users and businesses
Rokarolla’s capabilities extend beyond credential theft. The malware can record keystrokes, capture screenshots, and manipulate clipboard contents, providing attackers with near-complete control over the infected device. It can also block incoming calls and fraud alerts, further complicating efforts to mitigate financial losses. The combination of these features makes Rokarolla a potent tool for advanced financial fraud, particularly against users who rely on mobile banking or cryptocurrency applications.
For businesses, the emergence of Rokarolla underscores the growing sophistication of mobile malware targeting financial services. The trojan’s ability to bypass security measures like Google Play Protect highlights the limitations of relying solely on built-in Android protections. Organizations that support mobile banking or cryptocurrency transactions should prioritize user education on the risks of sideloading apps and the dangers of granting excessive permissions, particularly for Accessibility services.
For professionals: Security teams should update detection rules to monitor for unusual Accessibility service usage or C2 communication patterns associated with Rokarolla. Endpoint protection solutions should be configured to flag apps requesting high-risk permissions, especially those distributed outside official app stores. Financial institutions may need to enhance fraud detection systems to account for the trojan’s ability to intercept SMS-based authentication codes.
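The permission and installer checks recommended above, as an added example that is not from the article or from Zimperium: a small Python audit over the text of `adb shell dumpsys package` and the `enabled_accessibility_services` secure setting, flagging apps that were not installed by Google Play and that hold an enabled accessibility service or request the SMS and call-log permissions. The line formats parsed and the sample inventory are assumptions, and the sample is constructed.

```python
# Manifest permissions matching what the article says Rokarolla asks for (SMS, call logs) plus
# the overlay permission; accessibility access is read from the secure setting instead.
RISKY_PERMS = {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS",
               "android.permission.READ_CALL_LOG", "android.permission.SYSTEM_ALERT_WINDOW"}
PLAY_STORE = "com.android.vending"  # installerPackageName reported for Google Play

def parse_dumpsys(text):
    """package -> {'installer', 'perms'} from `adb shell dumpsys package` output; assumes
    the usual 'Package [x]', 'installerPackageName=' and 'requested permissions:' lines."""
    pkgs, cur, in_perms = {}, None, False
    for line in text.splitlines():
        s = line.strip()
        if s.startswith("Package [") and "]" in s:
            cur, in_perms = s[9:s.index("]")], False
            pkgs[cur] = {"installer": None, "perms": set()}
        elif cur and s.startswith("installerPackageName="):
            val = s.split("=", 1)[1]
            pkgs[cur]["installer"] = None if val in ("", "null") else val
        elif cur and s == "requested permissions:":
            in_perms = True
        elif in_perms and s.startswith("android.permission."):
            pkgs[cur]["perms"].add(s.split(":")[0])  # drop any ': restricted=' suffix
        else:
            in_perms = False
    return pkgs

def flag_suspicious(dumpsys_text, a11y_setting):
    """{package: reasons} for apps not installed by Google Play that run an enabled accessibility
    service (a11y_setting: colon-separated 'pkg/Service' list) or request 2+ RISKY_PERMS."""
    a11y = {e.split("/")[0] for e in a11y_setting.split(":") if "/" in e}
    findings = {}
    for pkg, info in parse_dumpsys(dumpsys_text).items():
        if info["installer"] == PLAY_STORE:
            continue  # the article reports Rokarolla arriving only as sideloaded APKs
        reasons = ["enabled accessibility service"] if pkg in a11y else []
        risky = sorted(p.rsplit(".", 1)[1] for p in info["perms"] & RISKY_PERMS)
        if len(risky) >= 2:
            reasons.append("requests " + ", ".join(risky))
        if reasons:
            findings[pkg] = reasons
    return findings

# Constructed sample: a Play-installed bank app and a sideloaded app holding the risky set.
SAMPLE_DUMPSYS = """\
  Package [com.example.bank] (1a2b3c):
    installerPackageName=com.android.vending
  Package [com.example.sideloaded] (4d5e6f):
    installerPackageName=null
    requested permissions:
      android.permission.READ_SMS
      android.permission.READ_CALL_LOG: restricted=true
"""
SAMPLE_A11Y = "com.example.sideloaded/.ProtectService:com.example.screenreader/.Main"
```

On a real device, feed it the output of `adb shell dumpsys package` and `adb shell settings get secure enabled_accessibility_services`; the Play-installer check is a heuristic, since a legitimately sideloaded enterprise app will also be reported.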
Mitigation and recommendations
Zimperium, the mobile security firm that analyzed Rokarolla, confirmed the malware has not been found on Google Play. However, its distribution via third-party websites poses a significant risk to users who download APK files from untrusted sources. To reduce exposure, users should avoid sideloading apps unless they explicitly trust the publisher and verify the authenticity of download sources. Additionally, caution should be exercised when granting Accessibility permissions, as these can be exploited to bypass security controls and automate malicious actions.
Security teams are advised to review Zimperium’s GitHub repository, which documents all 137 commands used by Rokarolla. This resource can aid in developing detection signatures and understanding the malware’s full range of capabilities. Regular security awareness training for employees and customers can also help mitigate the risk of infection, particularly in organizations where mobile devices are used for financial transactions.
Synthesized from 1 industry feed on 17 Jun 2026. Passed independent editor verification (score 85/100) before publication. Style guide v1.3.