Zimperium researchers have identified an Android banking trojan that targets 217 banking and cryptocurrency apps and can help attackers manipulate infected phones during fraud attempts.
The malware, called Rokarolla, is distributed through malicious websites that present it as popular apps, including TikTok and Google Chrome. Zimperium said the infection process also uses a fake Google Play Protect update to install a secondary payload, turning Android’s own security language into part of the lure.
The researchers said Rokarolla goes beyond traditional credential theft by giving attackers tools to control infected devices, suppress warnings, and manipulate banking or cryptocurrency sessions as they unfold.
A security update becomes the lure
Rokarolla relies on a familiar social-engineering tactic: disguising a malicious download as something routine.
After the initial download, victims are prompted to install what appears to be a Google Play Protect update, making the malware look like part of Android’s own security system.
Zimperium said Rokarolla abuses Android Accessibility Services, a framework intended for users with disabilities that lets an app read what is on screen and operate the device on the user’s behalf. In the hands of malware, that same access can be used to read screen content, automate taps, and interact with other apps as if it were the user.
The malware also requests access to SMS messages and notifications, giving attackers visibility into authentication codes and alerts that financial institutions may send during login or transaction attempts.
Once active, Rokarolla communicates with its command-and-control infrastructure and assigns each infected device a unique bot ID. Zimperium said the malware also uses fallback domains that can be updated remotely, helping operators maintain access if part of their infrastructure is disrupted.
Overlays target phone locks and bank logins
One of Rokarolla’s most significant capabilities is its ability to capture the victim’s device unlock credentials.
Zimperium said the malware can display a fake Android lock screen over the real one. When the victim enters a PIN, pattern or password, the malware captures the credential and sends it to the attacker.
The same overlay technique is used against financial apps. Rokarolla retrieves a live target list covering 217 banking and cryptocurrency applications and, when the victim opens one of them, draws a fake HTML login page over it. The page mimics the app’s real login screen, but it is a phishing form designed to collect credentials in real time.
The malware can also intercept SMS-based one-time passcodes, according to Zimperium. That capability can help attackers complete fraudulent logins or transactions after stealing the victim’s username and password.
Suppressing fraud warnings
Rokarolla’s capabilities also extend to suppressing warnings that might alert a victim to fraud.
Zimperium said the malware can block or intercept incoming calls, mute audio and vibration, hide its app icon, force the screen to remain on, and disable Google Play Protect. Together, those capabilities could help Rokarolla interfere with the same channels banks and other financial services use to warn customers about suspicious activity.
“This strategy traps the user in an environment in which the attacker dictates what information enters or leaves the device,” said Jason Soroko, Senior Fellow at Sectigo.
Surveillance after the initial theft
The malware’s capabilities continue beyond the initial credential theft.
Zimperium said Rokarolla can log keystrokes, capture screenshots silently, monitor on-screen content, and extract WhatsApp contact data through screen parsing. The malware can also manipulate clipboard contents, a tactic that can be used to replace copied cryptocurrency wallet addresses with attacker-controlled addresses.
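As an added illustration, not code from Zimperium’s report or from the malware: the address-swapping behaviour described in the preceding paragraph, alongside the check a wallet app can run after placing its own receive address on the clipboard. The regular expressions cover only legacy and bech32 Bitcoin addresses and Ethereum addresses, an assumption made for brevity, and every address below is a constructed placeholder.

```python
import re

# Illustrative address formats (assumption: not an exhaustive list of coins or encodings).
ADDRESS_PATTERNS = {
    "btc_legacy": re.compile(r"\b[13][a-km-zA-HJ-NP-Z1-9]{25,34}\b"),
    "btc_bech32": re.compile(r"\bbc1[ac-hj-np-z02-9]{25,62}\b"),
    "eth": re.compile(r"\b0x[0-9a-fA-F]{40}\b"),
}

# Constructed placeholders: neither is a real wallet.
VICTIM_BTC = "1VictimCopiedAddrQm7nJpZ3vKs8LbYdUx"
ATTACKER_ADDRESSES = {
    "btc_legacy": "1AttackerSwapAddrvKs8LbYdUQm7nJpZ3x",
    "eth": "0x" + "cd" * 20,
}


def classify_address(text: str):
    """Return the address kind if the whole (stripped) string is an address, else None."""
    candidate = text.strip()
    for kind, pattern in ADDRESS_PATTERNS.items():
        if pattern.fullmatch(candidate):
            return kind
    return None


def clipper_substitute(clipboard_text: str, attacker_addresses: dict) -> str:
    """What a clipper does on every clipboard change: replace each address it recognises
    with the attacker's address of the same kind, leaving the surrounding text untouched
    so the paste still looks plausible. Text without an address passes through unchanged."""
    out = clipboard_text
    for kind, pattern in ADDRESS_PATTERNS.items():
        replacement = attacker_addresses.get(kind)
        if replacement:
            # A lambda avoids regex backslash processing of the replacement string.
            out = pattern.sub(lambda _match, r=replacement: r, out)
    return out


def detect_swap(address_written: str, clipboard_now: str) -> bool:
    """Defensive check for a wallet app: after the app copies its own receive address to
    the clipboard, read the clipboard back. A same-kind, different-value address is the
    clipper signature; a non-address or a different kind is treated as unrelated content."""
    kind_written = classify_address(address_written)
    kind_now = classify_address(clipboard_now)
    return (
        kind_written is not None
        and kind_written == kind_now
        and address_written.strip() != clipboard_now.strip()
    )


if __name__ == "__main__":
    original = f"Send 0.5 BTC to {VICTIM_BTC} today"
    tampered = clipper_substitute(original, ATTACKER_ADDRESSES)
    print("clipboard before:", original)
    print("clipboard after: ", tampered)
    print("swap detected:", detect_swap(VICTIM_BTC, tampered.split()[4]))
```

The check only works for addresses the app itself wrote; for an address the user pasted from elsewhere the app has no ground truth, which is why wallets also display the head and tail of the destination for the user to confirm before sending.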
That creates risks beyond a single banking session. A compromised device may expose additional credentials, contacts, and financial activity, giving attackers more opportunities for fraud or follow-on social engineering.
Fraud risk shifts to the customer’s device
Rokarolla reflects a broader challenge for banks, cryptocurrency platforms, and mobile security teams: the customer’s phone has become a primary fraud target. Attackers can use malware on the device to collect login credentials, intercept authentication codes, and suppress alerts without directly breaching the financial institution. That shifts part of the security burden to the mobile endpoint, where users may not recognize malicious prompts or abnormal permission requests.
“Hackers avoid breaching bank networks by commandeering the hardware that victims use to manage funds,” Soroko said.
For organizations, the report highlights the limits of relying only on passwords, SMS codes, or user-visible fraud alerts. If the device receiving those alerts is compromised, attackers may be able to interfere with the very systems meant to stop them.
For users, the warning signs are familiar but easy to overlook. Unexpected prompts to install updates outside official app stores, fake Google Play Protect screens, and apps requesting Accessibility, SMS, notification, or call-control permissions should all be treated with caution.
Zimperium said defenses should look for malicious behavior on the device, including abuse of Accessibility Services, overlay attacks, suspicious SMS access, and attempts to disable security controls.
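A static check of the kind the permission-abuse section above and the defensive guidance here both point to, added as an example (not Zimperium’s detection logic and not the malware’s code): it scores a decoded AndroidManifest.xml for the combination of Accessibility, SMS, notification-listener, overlay, call-control and package-installation privileges the article describes, and flags an app whose label borrows a brand name but whose package name does not belong to that brand. The two manifests are constructed for the example, the weights are an assumption of this example rather than a standard, and the brand package names are assumed to be current.

```python
import xml.etree.ElementTree as ET

# Attributes in AndroidManifest.xml live in the android: namespace.
A = "{http://schemas.android.com/apk/res/android}"

# Permissions mapped to the capabilities described above, with illustrative weights (assumption).
RISK_PERMISSIONS = {
    "android.permission.SYSTEM_ALERT_WINDOW": ("draw overlays: fake lock screen or bank login", 3),
    "android.permission.RECEIVE_SMS": ("intercept SMS one-time passcodes", 3),
    "android.permission.READ_SMS": ("read stored SMS", 2),
    "android.permission.ANSWER_PHONE_CALLS": ("block or answer incoming calls", 2),
    "android.permission.READ_PHONE_STATE": ("monitor call state", 1),
    "android.permission.REQUEST_INSTALL_PACKAGES": ("install a secondary payload", 2),
    "android.permission.QUERY_ALL_PACKAGES": ("enumerate installed apps against a target list", 2),
    "android.permission.WAKE_LOCK": ("keep the screen or CPU awake", 1),
}

# Binding permissions on declared services: the privileged on-device hooks.
RISK_SERVICE_PERMISSIONS = {
    "android.permission.BIND_ACCESSIBILITY_SERVICE": ("Accessibility Service: read screen, automate taps", 4),
    "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE": ("notification listener: read bank alerts", 3),
    "android.permission.BIND_DEVICE_ADMIN": ("device admin: resist removal", 2),
}

# Brands the lure imitates and the package names they ship under (assumption: current names).
BRAND_PACKAGES = {
    "chrome": {"com.android.chrome"},
    "tiktok": {"com.zhiliaoapp.musically", "com.ss.android.ugc.trill"},
    "play protect": {"com.google.android.gms"},
}


def triage_manifest(manifest_xml: str) -> dict:
    """Score a decoded AndroidManifest.xml for the banking-trojan permission profile."""
    root = ET.fromstring(manifest_xml)
    package = root.get("package", "")
    findings, score = [], 0

    for node in root.iter("uses-permission"):
        name = node.get(A + "name", "")
        if name in RISK_PERMISSIONS:
            desc, weight = RISK_PERMISSIONS[name]
            findings.append(f"{name}: {desc}")
            score += weight

    for svc in root.iter("service"):
        perm = svc.get(A + "permission", "")
        if perm in RISK_SERVICE_PERMISSIONS:
            desc, weight = RISK_SERVICE_PERMISSIONS[perm]
            findings.append(f"{svc.get(A + 'name', '?')} bound with {perm}: {desc}")
            score += weight

    # Impersonation check. Real APKs usually set android:label to a resource
    # reference (@string/app_name); resolve it through the resource table first.
    app = root.find("application")
    label = (app.get(A + "label", "") if app is not None else "").lower()
    for brand, packages in BRAND_PACKAGES.items():
        if brand in label and package not in packages:
            findings.append(f"label '{label}' imitates {brand} but package is {package}")
            score += 4

    verdict = "high" if score >= 8 else "medium" if score >= 4 else "low"
    return {"package": package, "score": score, "verdict": verdict, "findings": findings}


# Constructed manifest mimicking the fake "Play Protect update" profile described above.
SUSPECT_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.playupdate">
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.ANSWER_PHONE_CALLS"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Google Play Protect Update">
    <service android:name=".A11y" android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter><action android:name="android.accessibilityservice.AccessibilityService"/></intent-filter>
    </service>
    <service android:name=".Notif" android:permission="android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"/>
  </application>
</manifest>"""

# Constructed benign manifest for comparison.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.torch">
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Torch"/>
</manifest>"""

if __name__ == "__main__":
    for manifest in (SUSPECT_MANIFEST, BENIGN_MANIFEST):
        result = triage_manifest(manifest)
        print(result["package"], result["verdict"], result["score"])
        for finding in result["findings"]:
            print("  -", finding)
```

Feed it the manifest as decoded by apktool. Two caveats a practitioner should keep in mind: a manifest review shows what an app asks for, not what it does, and a dropper like the one described above may request little more than REQUEST_INSTALL_PACKAGES while the second-stage payload carries the dangerous profile, so the check has to be run on every installed APK, not only the one the user downloaded.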