Zimperium's zLabs researchers have identified a new Android banking trojan dubbed Rokarolla, which targets 217 banking and cryptocurrency applications and packs 137 remote commands. The malware grants operators near-total control over infected devices.

Rokarolla's capability set includes lifting lock-screen PINs, reading and sending SMS messages, rewriting clipboard contents to redirect cryptocurrency payments, and disabling Google Play Protect. The breadth of targeted apps and commands suggests a well-resourced threat actor behind the campaign.

Technical analysis reveals the trojan employs overlay attacks to capture credentials and two-factor authentication codes. By hijacking the clipboard, it can modify crypto wallet addresses pasted by victims, redirecting funds to attacker-controlled wallets. The 137 remote commands allow operators to dynamically control infected devices in real time.
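On the defensive side, the clipboard substitution described above shows up as one wallet address being replaced by a different address of the same kind within seconds. The following Python code is an added example, not taken from Zimperium's analysis; the snapshot format, the 30-second window, the function names and the sample addresses are assumptions constructed for illustration.

```python
import re

# Address shapes only (no checksum validation): enough to spot one address replacing another.
PATTERNS = {
    "btc-base58": re.compile(r"^[13][1-9A-HJ-NP-Za-km-z]{25,34}$"),
    "btc-bech32": re.compile(r"^bc1[02-9ac-hj-np-z]{11,71}$", re.IGNORECASE),
    "eth": re.compile(r"^0x[0-9a-fA-F]{40}$"),
}
CASE_INSENSITIVE = {"btc-bech32", "eth"}  # case does not change these addresses


def classify(text):
    """Return (kind, canonical_form) if text looks like a wallet address, else None."""
    candidate = text.strip()
    for kind, pattern in PATTERNS.items():
        if pattern.match(candidate):
            canon = candidate.lower() if kind in CASE_INSENSITIVE else candidate
            return kind, canon
    return None


def find_swaps(snapshots, window_s=30):
    """Flag an address replaced by a different address of the same kind within window_s."""
    alerts = []
    last = None  # (time, kind, canonical) of the most recent address snapshot
    for ts, text in snapshots:
        hit = classify(text)
        if hit is None:
            last = None  # ordinary text on the clipboard ends the sequence
            continue
        kind, canon = hit
        if last and last[1] == kind and last[2] != canon and ts - last[0] <= window_s:
            alerts.append({"time": ts, "kind": kind, "copied": last[2], "replaced_by": canon})
        last = (ts, kind, canon)
    return alerts


# Constructed sample: (seconds, clipboard text). Addresses are made-up strings of valid shape.
SAMPLE = [
    (0, "0x" + "Ab" * 20),      # user copies a payee address
    (2, "0x" + "ab" * 20),      # same address, different case: not a swap
    (3, "0x" + "cd" * 20),      # different address 1 s later: flagged
    (40, "meeting at 10"),      # ordinary text
    (41, "bc1q" + "q" * 38),    # first address after text: nothing to compare
    (200, "bc1q" + "p" * 38),   # different address, but outside the window
]

if __name__ == "__main__":
    print(find_swaps(SAMPLE))
```

The same comparison can run at paste time in a payment flow, checking the pasted address against the one the user originally copied or confirmed.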

While specific CVEs and CVSS scores were not disclosed, Zimperium's findings indicate active exploitation. Users are advised to avoid sideloading apps from untrusted sources and to keep Google Play Protect enabled. Google Play Protect should detect Rokarolla if it is active, as the malware explicitly attempts to disable it.

The researchers did not attribute Rokarolla to any specific threat group. The trojan's sophistication and focus on financial and cryptocurrency apps place it within a growing ecosystem of Android malware targeting digital assets and banking credentials.