New Rokarolla Android Malware Steals PINs, SMS Codes, and Crypto Wallet Funds

Summary

A new Android banking trojan named Rokarolla has been discovered by Zimperium's zLabs. It targets 217 banking and cryptocurrency apps with 137 remote commands, allowing operators to steal lock-screen PINs, intercept SMS messages, and redirect crypto payments by rewriting the clipboard. The malware spreads via malicious websites and uses overlays to mimic legitimate apps and the lock screen, capturing sensitive user data.

Full text

New Rokarolla Android Malware Steals PINs, SMS Codes, and Crypto Wallet Funds Swati KhandelwalJun 16, 2026Mobile Security / Malware Security researchers at Zimperium's zLabs have documented a new Android banking trojan, Rokarolla, that targets 217 banking and cryptocurrency apps and packs 137 remote commands. Together, they give an operator near-total control of an infected phone: it lifts lock-screen PINs, reads and sends SMS, rewrites the clipboard to redirect crypto payments, and switches off Google Play Protect. Rokarolla, named after its command-and-control servers, spreads through malicious websites posing as well-known apps such as TikTok and Chrome. The first thing a victim installs is a dropper that pretends to be Google Play Protect. It uses that disguise to get the payload installed and grab Accessibility access. Once the malware is running, one of its commands turns Play Protect off. The theft runs through overlays. Rokarolla pulls a target list from its server, and for each app flagged active, it downloads a fake HTML login page and stores it in a local database. When the victim opens the real banking or wallet app, the malware drops the fake page on top and captures everything typed into it, card details included. The report shows one such fake page mimicking the banking app 'imagin.' A separate overlay mimics the Android lock screen to capture the PIN, pattern, or password, which lets the operator control the phone even while it is locked. It reads every SMS on the device and can send messages itself, which is enough to grab the SMS one-time codes banks use to approve logins and transactions. By making itself the phone's default app for texts and calls, it can also block incoming calls, so a warning call from the bank never gets through. A keylogger and screen logger record what the user types and sees, and the trojan scrapes contacts and reads notifications. The clipboard gets rewritten silently, swapping in attacker wallet addresses so a copied crypto payment lands in the wrong account. For surveillance, Rokarolla skips the usual MediaProjection screen casting, which throws a visible recording prompt, and instead takes screenshots through Accessibility, compresses them to PNG, and ships them out one frame at a time. That snapshot approach is simpler and quieter than the live hidden VNC seen in families like Klopatra. The malware carries multiple fallback C2 domains and can be handed new ones on the fly, so pulling a single server does little. It's 137 commands outnumber the 107 Zimperium counted in the HOOK trojan, and the playbook is the same one running through a wave of 2026 Android bankers: fake-app droppers, Accessibility abuse, and HTML overlays. There is no patch to apply here. This is malware, not a product flaw, so the defenses are the standard ones for Android bankers. Install apps only from Google Play, leave Play Protect on, and treat any unexpected Accessibility request as a red flag, since that one permission drives the whole attack chain. Zimperium says its own products detect the family, and the indicators of compromise are in its GitHub repository. Zimperium did not tie Rokarolla to a named group. What the build shows is intent: a banker put together to beat the exact protections users are told to rely on, from Play Protect down to the lock screen. Found this article interesting? Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post. SHARE     Tweet Share Share Share SHARE  Android, banking Trojan, cryptocurrency, Google Play Protect, keylogger, Malware, Zimperium ⚡ Top Stories This Week Chrome V8 Zero-Day CVE-2026-11645 Exploited in the Wild - Patch Now Researchers Build Self-Replicating AI Worm That Operates Entirely on Local, Open-Weight Models Microsoft Defender RoguePlanet Zero-Day Grants SYSTEM Access on Updated Windows Anthropic Releases Claude Fable 5, Its Most Powerful AI Yet, With Cyber Safeguards Microsoft Patches Record 206 Flaws, Including Three Zero-Days and Critical RCE Bugs Ivanti, Fortinet, and SAP Release Patches for Multiple Critical Vulnerabilities Cybersecurity Stars Awards 2026: Winners Announced Across 95 Categories ThreatsDay Bulletin: Worm Code Leaked, AI Agent Phished, Claude Code Patch + 28 New Stories New GreatXML Exploit Bypasses Windows BitLocker via Recovery Partition XML Files Agentjacking Attack Tricks AI Coding Agents Into Running Malicious Code China-Linked Hackers Backdoored Linux Login Software to Hide for Nearly a Decade Critical Splunk Enterprise Flaw Lets Attackers Run Code Without Authentication U.S. Orders Anthropic to Suspend Fable 5 and Mythos 5 Access for Foreign Nationals Over 400 Arch Linux AUR Packages Hijacked to Deploy Infostealer and eBPF Rootkit ⭐ Featured Resources Get the 2026 Guide to Govern and Secure Enterprise AI Agents at Scale [Watch Demo] See Which Security Gaps Attackers Could Exploit First AI Can’t Stop Every Attack. Learn How Zero Trust Can Block What’s Unknown Have You Outgrown Your MDR? 7 Warning Signs Every CISO Should Check

Indicators of Compromise

• malware — Rokarolla

Entities