New Rokarolla Android Malware Steals PINs, SMS Codes, and Crypto Wallets

Security researchers at Zimperium’s zLabs have documented a new banking trojan for Android, Rokarolla, which targets 217 banking and cryptocurrency applications and packs 137 remote commands.
Together, they give the operator near-complete control of the infected phone: it captures the lock screen PIN, reads and sends SMS, rewrites the clipboard to redirect crypto payments, and disables Google Play Protect.
Rokarolla, named for its command and control servers, spreads through malicious websites impersonating popular apps like TikTok and Chrome.
The first thing the victim installs is a dropper that pretends to be Google Play Protect. It uses encryption to hide the embedded payload and asks for accessibility access. Once the malware is running, one of its commands disables Play Protect.
Credential theft happens through overlays. Rokarolla pulls the target list from its server, and for each application marked active, it downloads a fake HTML login page and stores it in a local database. When the victim opens a real bank or wallet app, the malware pops the fake page up on top and captures everything typed into it, including card details.
The report shows one such fake page mimicking the banking app ‘imagin.’ A separate overlay simulates the Android lock screen to capture a PIN, pattern, or password, allowing the operator to control the phone even when it’s locked.
It reads every SMS on the device and can send messages itself, which is enough to capture the one-time SMS codes that banks use to authorize logins and transactions. By setting itself as the default app for texts and calls, it can also block incoming calls, so that a warning call from the bank doesn’t come through.

The keylogger and screen logger record what the user types and sees, and the trojan scrapes contacts and reads notifications. The clipboard is quietly rewritten, swapping in the attacker’s wallet address so that a copied crypto payment lands in the wrong account.
For monitoring, Rokarolla skips the standard MediaProjection screencast, which shows a visible recording indicator, and instead takes screenshots, compresses them to PNG, and sends them one frame at a time. That snapshot method is simpler and quieter than the hidden live VNC seen in families like Klopatra.
The malware holds multiple C2 backend domains and can be assigned new ones quickly, so taking down a single server does little. Its 137 commands exceed the 107 Zimperium counted in the HOOK trojan, and the playbook is the same one running through the wave of 2026 Android bankers: sideloaded fake apps, accessibility abuse, and HTML overlays.
There is no patch to apply here. This is malware, not a product fault, so defenses are the standard ones for Android bankers. Install apps only from Google Play, leave Play Protect on, and treat any unexpected accessibility request as a red flag, since that one permission drives the whole chain of attacks.
Zimperium says its own products detect the family, and indicators of compromise are on its GitHub site.
Zimperium did not attribute Rokarolla to a named group. What the build shows is the intent: a banker built to defeat the specific protections users are told to rely on, from Play Protect to the lock screen.