Full Report
Security researchers at Zimperium's zLabs have documented a new Android banking trojan, Rokarolla, that targets 217 banking and cryptocurrency apps and packs 137 remote commands. Together, they give an operator near-total control of an infected phone: it lifts lock-screen PINs, reads and sends SMS, rewrites the clipboard to redirect crypto payments, and switches off Google Play
Analysis Summary
# Tool/Technique: Rokarolla Android Banking Trojan
## Overview
Rokarolla is a sophisticated Android banking trojan documented by Zimperium's zLabs. It is designed for complete device takeover, specifically targeting financial and cryptocurrency applications. The malware utilizes a command-and-control (C2) architecture to execute a wide array of remote instructions, enabling data theft and financial fraud.
## Technical Details
- **Type:** Malware Family (Banking Trojan)
- **Platform:** Android
- **Capabilities:** Overlay attacks, SMS interception, Accessibility Service abuse, screen logging, keylogging, and clipboard manipulation.
- **First Seen:** Reported June 2026
## MITRE ATT&CK Mapping
- **[TA0030 - Initial Access]**
  - [T1475 - Drive-by ITW] (Distribution via malicious websites mimicking popular apps)
- **[TA0031 - Execution]**
  - [T1204.001 - User Execution: Malicious Link]
- **[TA0032 - Persistence]**
  - [T1542.001 - Boot or Logon Autostart Execution]
- **[TA0034 - Privilege Escalation]**
  - [T1628 - Abuse Accessibility Features]
- **[TA0035 - Defense Evasion]**
  - [T1624.001 - Disable or Modify Tools: Google Play Protect]
  - [T1406 - Obfuscation]
- **[TA0037 - Credential Access]**
  - [T1417.001 - Input Injection: Overlay Rappel]
  - [T1417.002 - Input Capture: Keylogging]
- **[TA0040 - Impact]**
  - [T1458 - Financial Theft]
## Functionality
### Core Capabilities
- **Overlay Attacks:** Downloads app-specific HTML login pages and displays them over legitimate banking and crypto apps to steal credentials and card details.
- **SMS Interception:** Reads and sends SMS messages to intercept one-time passwords (OTPs) and multi-factor authentication (MFA) codes.
- **Accessibility Abuse:** Uses Android's Accessibility Services to gain broad permissions, bypass security prompts, and navigate the UI automatically.
- **Lock Screen Theft:** Mimics the Android lock screen to capture PINs, patterns, or passwords.
### Advanced Features
- **Stealthy Surveillance:** Captures screenshots via Accessibility Services (converting them to PNG) rather than using the MediaProjection API, which avoids displaying the standard Android recording notification.
- **Clipboard Hijacking:** Automatically replaces copied cryptocurrency wallet addresses with attacker-controlled addresses.
- **Communication Manipulation:** Sets itself as the default SMS and dialer application to block incoming calls from financial institutions.
- **Extensive Command Set:** Supports 137 remote commands, exceeding many contemporary banking trojans.
## Indicators of Compromise
- **File Hashes:** Specific hashes (MD5/SHA256) are maintained in Zimperium’s public GitHub IOC repository.
- **File Names:** Often disguised as "Google Play Protect," "TikTok," or "Chrome."
- **Network Indicators:**
  - `rokarolla[.]com` (Example of the namesake C2 server pattern)
  - Various fallback domains provided by the C2 infrastructure.
- **Behavioral Indicators:**
  - Unexpected requests for "Accessibility Services."
  - Disabling of Google Play Protect.
  - Changes to the default SMS or Phone application handler.
## Associated Threat Actors
- No specific named threat group has been publicly attributed to the Rokarolla family at this time.
## Detection Methods
- **Signature-based detection:** Antivirus (AV) and Mobile Threat Defense (MTD) solutions can scan for known hashes of the Rokarolla dropper and payload.
- **Behavioral detection:** Monitoring for unauthorized Accessibility Service activation and attempts to disable Play Protect or modify security settings.
- **YARA rules:** Detection rules focusing on the specific HTML overlay structures and the keylogging modules used by the malware.
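The three behavioral indicators listed above (an unexpected accessibility service, Play Protect switched off, a changed default SMS or dialer handler) can be checked from a device-settings dump without any on-device agent. The script below is an added example, not code from Zimperium's report or from the malware itself: it parses the `key=value` text that `adb shell settings list secure` and `adb shell settings list global` print and flags each indicator. The setting keys are taken from AOSP's `Settings.Secure` / `Settings.Global` (the Play Protect consent key and its value semantics are an assumption and may vary by Android version); the allowlisted package names and the sample dumps are constructed for the example.

```python
"""Offline triage of Android settings dumps for Rokarolla-style behavioural indicators.

Added example (not from the report). Input is the text of
`adb shell settings list secure` and `adb shell settings list global`.
"""
from __future__ import annotations

from dataclasses import dataclass

# Settings.Secure keys (enabled_accessibility_services is public API;
# the two default-handler keys are hidden but present in AOSP).
ACCESSIBILITY_KEY = "enabled_accessibility_services"
SMS_DEFAULT_KEY = "sms_default_application"
DIALER_DEFAULT_KEY = "dialer_default_application"
# Settings.Global key for the Play Protect / verify-apps consent.
# Assumption: 1 = user consented (enabled), anything else = not enabled.
PLAY_PROTECT_KEY = "package_verifier_user_consent"

# Constructed allowlists for the example; a real deployment would hold the
# organisation's approved accessibility tools and the OEM's stock handlers.
TRUSTED_ACCESSIBILITY = {"com.google.android.marvin.talkback", "com.android.talkback"}
KNOWN_SMS_APPS = {"com.google.android.apps.messaging", "com.android.messaging"}
KNOWN_DIALERS = {"com.google.android.dialer", "com.android.dialer"}


@dataclass
class Finding:
    indicator: str
    detail: str


def parse_settings(dump: str) -> dict[str, str]:
    """Turn `settings list` output (one key=value per line) into a dict."""
    settings: dict[str, str] = {}
    for line in dump.splitlines():
        line = line.strip()
        if not line or "=" not in line:
            continue
        key, _, value = line.partition("=")
        settings[key.strip()] = value.strip()
    return settings


def accessibility_packages(value: str) -> set[str]:
    """'pkg/Service:pkg2/Service2' -> {'pkg', 'pkg2'}; 'null' or empty -> empty set."""
    if not value or value == "null":
        return set()
    return {entry.split("/", 1)[0] for entry in value.split(":") if entry}


def triage(secure: dict[str, str], global_: dict[str, str]) -> list[Finding]:
    """Apply the page's behavioural indicators to parsed secure/global settings."""
    findings: list[Finding] = []

    # Indicator 1: an accessibility service outside the allowlist.
    untrusted = accessibility_packages(secure.get(ACCESSIBILITY_KEY, "")) - TRUSTED_ACCESSIBILITY
    for pkg in sorted(untrusted):
        findings.append(Finding("accessibility_service", f"non-allowlisted accessibility service: {pkg}"))

    # Indicator 2: default SMS or dialer handler changed away from a known app.
    sms = secure.get(SMS_DEFAULT_KEY)
    if sms and sms not in KNOWN_SMS_APPS:
        findings.append(Finding("default_sms_handler", f"default SMS app is {sms}"))
    dialer = secure.get(DIALER_DEFAULT_KEY)
    if dialer and dialer not in KNOWN_DIALERS:
        findings.append(Finding("default_dialer", f"default dialer is {dialer}"))

    # Indicator 3: Play Protect consent not set to enabled.
    consent = global_.get(PLAY_PROTECT_KEY)
    if consent is not None and consent != "1":
        findings.append(Finding("play_protect_disabled", f"{PLAY_PROTECT_KEY}={consent}"))
    return findings


# Constructed sample dumps: TalkBack plus an unknown accessibility service,
# the same unknown package set as SMS handler, and Play Protect declined.
SAMPLE_SECURE = """
enabled_accessibility_services=com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:com.example.unknownapp/com.example.unknownapp.AccService
sms_default_application=com.example.unknownapp
dialer_default_application=com.google.android.dialer
"""
SAMPLE_GLOBAL = """
package_verifier_user_consent=-1
"""


def run_sample() -> list[Finding]:
    return triage(parse_settings(SAMPLE_SECURE), parse_settings(SAMPLE_GLOBAL))


if __name__ == "__main__":
    for finding in run_sample():
        print(f"[{finding.indicator}] {finding.detail}")
```

On a live device the two dumps come from `adb shell settings list secure` and `adb shell settings list global`; a clean device yields no findings, while the constructed sample produces one hit per indicator except the dialer, which stays on the stock app.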
## Mitigation Strategies
- **App Integrity:** Only install applications from the official Google Play Store.
- **Security Settings:** Ensure Google Play Protect is enabled and remain vigilant of any application attempting to disable it.
- **Permission Management:** Treat any request for "Accessibility Services" from non-essential apps as a high-risk indicator and deny the request.
- **Multi-Factor Authentication:** Use hardware security keys or authenticator apps rather than SMS-based MFA where possible.
## Related Tools/Techniques
- **HOOK Trojan:** A similar Android banker known for its large command set and ransomware capabilities.
- **Klopatra:** Another Android trojan that utilizes VNC for screen control; Rokarolla is compared to this but uses a quieter screenshot-based approach.
- **Accessibility Service Abuse:** A common technique used by various Android malware families (e.g., Ermac, Godfather) to automate interactions and steal data.