Android Banker with Complete Device Takeover Capabilities
Essential information
- Published
- 16/06/2026 16:27
- Modified
- 16/06/2026 17:19
- Source / Author
- AlienVault
- Confidence
- 100/100
- Report type(s)
- threat-report
- Labels / Tags
- accessibility abuse android trojan banking credentials cryptocurrency theft keylogger overlay attacks rokarolla sms hijacking
- Tags
- 2026-06-16 accessibility abuse android trojan banking credentials cryptocurrency theft keylogger overlay attacks rokarolla sms hijacking
- Related entities
- 48 indicators, 48 observables, 1 malware, 5 others
Description
A newly identified Android banking trojan named Rokarolla has been discovered, distributed through malicious websites masquerading as popular applications like TikTok or Google Chrome. The malware targets 217 distinct cryptocurrency and banking applications using 137 sophisticated commands for device control. Capabilities include harvesting lock screen credentials, exfiltrating contact lists and SMS data, deploying keyloggers, blocking calls, creating fraudulent screen overlays, and disabling Google Play Protect. The infection begins with a dropper impersonating Google Play Protect that installs a secondary payload. Rokarolla communicates with C2 infrastructure via HTTPS, uses overlays to steal banking credentials and device unlock patterns, silently monitors WhatsApp contacts, hijacks SMS and calls, manipulates clipboard content for cryptocurrency theft, and employs snapshot-based screen surveillance. It maintains persistence by hiding its icon, muting device audio, and keeping screens active indefinitely.