Rokarolla Android Trojan Steals Banking and Crypto Credentials With 137 Commands
By Mag-Info Tech editorial · 2026-06-17

A new Android trojan with unusually broad control
Security researchers have identified a sophisticated Android banking trojan named Rokarolla that gives attackers remote control over infected devices through 137 distinct commands. A command set that large is rare for mobile malware and lets Rokarolla perform a wide range of actions, from data theft to device manipulation. The trojan specifically targets financial applications, with an internal list of 217 banking and cryptocurrency apps, making it a significant threat to anyone who manages money from a phone.
Rokarolla spreads through malicious websites that mimic legitimate app stores or popular applications such as Google Chrome or TikTok. Once downloaded, the malware poses as Google Play Protect, Android's built-in app-scanning service, so that it looks legitimate during installation. This social-engineering tactic lowers user suspicion and raises the chance of a successful compromise. After installation, the trojan immediately asks for the access it depends on: the Accessibility service, notification access, and SMS and call-log permissions.
The malware’s command set is unusually large for mobile threats, indicating a well‑funded and organized development effort. While most Android banking trojans use a smaller set of functions focused on overlay attacks and credential theft, Rokarolla’s 137 commands suggest it can perform surveillance, system control, and financial fraud at scale. This level of sophistication points to a threat actor with significant resources and technical expertise.
How Rokarolla compromises devices step by step
The infection begins when a user visits a malicious website and downloads what appears to be an update for Google Chrome or TikTok. The downloaded APK file is presented as a legitimate app update, but it actually contains the Rokarolla trojan. During installation, the malware mimics Google Play Protect by showing a prompt that claims to scan the device for threats. This fake scan creates a false sense of security and encourages users to proceed with the installation.
Once installed, Rokarolla asks the user to enable it as an Accessibility service, which lets it read screen content, simulate touches, and drive other apps. It also asks for notification access, SMS permissions, and call-log access, all of which are used to intercept sensitive data and control device behavior. None of these are granted automatically: Accessibility and notification access must be switched on in Settings, and SMS and call-log permissions require an explicit runtime grant. The malware therefore uses deceptive overlays and repeated prompts to pressure users into granting them. In some cases, the trojan disables Google Play Protect and hides its app icon to avoid detection and removal.
After gaining control, Rokarolla begins communicating with a command-and-control (C2) server. It sends a device profile containing details such as phone model, Android version, language settings, screen size, battery level, storage capacity, and available RAM. This information is used to generate a unique identifier for each victim, enabling targeted attacks and personalized payloads. The trojan also reports which applications are installed, so the C2 server can match them against its target list and deliver the appropriate phishing overlay, which is then shown when the user opens a targeted application.

Targeting 217 banking and crypto apps with precision
Rokarolla maintains an internal list of 217 banking and cryptocurrency applications that it actively monitors. When a user launches one of these apps, the trojan displays a fake login overlay that closely mimics the real app’s interface. This overlay captures usernames, passwords, and credit card details as they are entered. Because the overlay is triggered only when the targeted app is opened, the attack is highly targeted and difficult to detect.
In addition to credential theft, Rokarolla uses overlays to capture lock‑screen PINs or patterns, enabling attackers to unlock the device and access sensitive data. The trojan can also block user interaction by displaying fake installation screens or error messages, preventing victims from realizing they are under attack. Some overlays are designed to remain visible even when the device is locked, ensuring continuous data capture.
The list of targeted apps includes major banks, digital payment platforms, and cryptocurrency exchanges from multiple regions. This geographic diversity suggests the threat actor is either multinational or selling access to other cybercriminal groups. The focus on both traditional banking and crypto apps reflects the growing use of mobile devices for financial transactions and the increasing value of cryptocurrency holdings as targets.
Surveillance and device control beyond financial theft
While financial data theft is the primary goal, Rokarolla’s capabilities extend to full device surveillance. The trojan collects contact lists, SMS messages, and call logs, which can be used for identity theft, social engineering, or further compromise. It also includes a keylogger that records all user input, including messages, search queries, and app interactions. This data can reveal passwords, recovery phrases, and other sensitive information not tied to the targeted financial apps.
The malware can disable Google Play Protect, a core Android security feature, to prevent detection and removal. It can also hide its app icon from the launcher, making it harder for users to locate and uninstall the malicious software. Rokarolla can silence audio and vibration alerts to avoid drawing attention, and it can keep the screen awake indefinitely to maintain control over the device. These behaviors indicate a deliberate effort to evade user awareness and prolong infection.
The use of Accessibility services allows Rokarolla to perform actions without user interaction, such as opening apps, navigating menus, and simulating touches. This capability enables automated attacks, such as transferring funds or approving transactions without the victim’s knowledge. The combination of surveillance, control, and financial targeting makes Rokarolla one of the most capable Android trojans observed in recent years.
Evasion tactics that make Rokarolla hard to detect and remove
Rokarolla employs several evasion techniques to avoid detection by both users and security software. By disabling Google Play Protect, the trojan neutralizes one of Android's primary defenses against malicious apps. It also hides its presence by removing its app icon from the launcher, making it invisible to casual inspection; the package still appears under Settings > Apps, but users who never review that list or use an app manager may not realize the malware is present.
The trojan silences device notifications and vibrations, preventing alerts from security apps or system updates from reaching the user. It keeps the screen awake to maintain control and avoid sleep‑mode interruptions, which could trigger background scans or user inactivity timeouts. These behaviors are designed to create a persistent and stealthy presence on the device.
Rokarolla also uses dynamic command‑and‑control communication, where the C2 server can update the trojan’s behavior or payloads in real time. This allows the attackers to adapt to new security measures, add new targets, or change attack methods without requiring a new malware build. The ability to remotely reconfigure the trojan increases its longevity and effectiveness against evolving defenses.
What users and organizations should do immediately
Users who suspect their device may be infected should avoid entering any credentials or financial information on it until the device is cleaned, and should change passwords from a different, trusted device. The first step is to boot the phone into safe mode, which stops third-party apps and their Accessibility services from running; a trojan that uses Accessibility to close or block the uninstall screen can usually be removed from there. Users should then check the list of installed apps for anything unfamiliar or recently added, especially apps that mimic system utilities or security tools such as Play Protect.
Installing a reputable mobile security app and running a full scan can help detect and remove Rokarolla. Users should also revoke any suspicious permissions granted to unknown apps and reset passwords for all financial accounts. Enabling two-factor authentication on banking and crypto apps adds an extra layer of protection even if credentials are stolen, with one caveat: because the trojan holds SMS and notification access, codes delivered by text message or notification can be read by it, so an authenticator app or hardware security key is the stronger choice. For organizations, reviewing mobile device management policies and enforcing app installation from trusted sources can reduce exposure.
Security teams should monitor network traffic for unusual connections from mobile devices, particularly to domains or IPs associated with known C2 infrastructure. Logging and alerting on Accessibility service activations and overlay attacks can help detect similar threats. Sharing indicators of compromise (IOCs) with industry groups and mobile security vendors can aid collective defense against this and future campaigns.
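The following script is an added example, not part of the original article or of any vendor's tooling, and it covers both the infection steps described earlier (Accessibility abuse, the fake Play Protect label, the hidden icon with overlay and SMS permissions) and the detection advice above. It triages a device from data an analyst collects over adb: the raw value of `adb shell settings get secure enabled_accessibility_services`, the raw output of `adb shell cmd package list packages -3 -f`, and per-package details (label, granted permissions, whether a launcher activity exists) read from `adb shell dumpsys package <pkg>`. The package names, labels and permission sets in the sample data are constructed for the example; the parsing formats of the two adb commands are real. Google Play Protect itself ships inside Google Play services and the Play Store, which is why those two package names are treated as the only legitimate carriers of that label.

```python
import re
from dataclasses import dataclass, field

# Permissions that together let an app overlay other apps and read the
# channels banks use for one-time codes.
SENSITIVE_PERMS = {
    "android.permission.SYSTEM_ALERT_WINDOW",
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_SMS",
    "android.permission.READ_CALL_LOG",
    "android.permission.READ_CONTACTS",
}
# The only packages that legitimately present Google Play Protect UI.
GOOGLE_PLAY_PKGS = {"com.google.android.gms", "com.android.vending"}


@dataclass
class Pkg:
    """Per-package facts the analyst reads from `dumpsys package <pkg>`."""
    name: str
    label: str
    permissions: set = field(default_factory=set)
    has_launcher_icon: bool = True


def parse_enabled_accessibility(setting: str) -> dict:
    """Parse `settings get secure enabled_accessibility_services`.
    Format: pkg/ServiceClass:pkg2/ServiceClass2, or 'null' when none."""
    services = {}
    if not setting or setting.strip() == "null":
        return services
    for entry in setting.strip().split(":"):
        if "/" in entry:
            pkg, svc = entry.split("/", 1)
            services.setdefault(pkg, []).append(svc)
    return services


def parse_third_party_list(text: str) -> set:
    """Parse `cmd package list packages -3 -f` lines of the form
    package:<apk path>=<package name> (or package:<name> without -f)."""
    pkgs = set()
    for line in text.splitlines():
        m = re.match(r"package:(?:.*=)?([\w.]+)\s*$", line.strip())
        if m:
            pkgs.add(m.group(1))
    return pkgs


def triage(pkgs, accessibility, third_party):
    """Return [(package, [reasons])], most suspicious first."""
    findings = []
    for p in pkgs:
        reasons = []
        if p.name in accessibility and p.name in third_party:
            reasons.append("third-party app with enabled Accessibility service: "
                           + ", ".join(accessibility[p.name]))
        if "play protect" in p.label.lower() and p.name not in GOOGLE_PLAY_PKGS:
            reasons.append("label impersonates Google Play Protect but package is not Google's")
        sens = p.permissions & SENSITIVE_PERMS
        if not p.has_launcher_icon and sens:
            reasons.append("no launcher icon yet holds " + ", ".join(sorted(sens)))
        if {"android.permission.SYSTEM_ALERT_WINDOW",
            "android.permission.RECEIVE_SMS"} <= p.permissions:
            reasons.append("overlay plus SMS interception combination")
        if reasons:
            findings.append((p.name, reasons))
    findings.sort(key=lambda f: -len(f[1]))
    return findings


def run_triage(a11y_setting: str, pkg_list_text: str, pkgs):
    return triage(pkgs, parse_enabled_accessibility(a11y_setting),
                  parse_third_party_list(pkg_list_text))


# Constructed sample data standing in for the adb output of a suspect device.
SAMPLE_A11Y = ("com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService"
               ":com.example.updater/com.example.updater.CoreService")
SAMPLE_PKG_LIST = """package:/data/app/~~aB3==/com.example.updater-Zz9==/base.apk=com.example.updater
package:/data/app/~~Qq1==/com.spotify.music-Yy2==/base.apk=com.spotify.music
"""
SAMPLE_PKGS = [
    Pkg("com.example.updater", "Google Play Protect",
        {"android.permission.SYSTEM_ALERT_WINDOW", "android.permission.RECEIVE_SMS",
         "android.permission.READ_SMS", "android.permission.READ_CALL_LOG"},
        has_launcher_icon=False),
    Pkg("com.spotify.music", "Spotify", {"android.permission.INTERNET"}),
    Pkg("com.google.android.marvin.talkback", "TalkBack"),  # system app, not in -3 list
]

if __name__ == "__main__":
    for name, reasons in run_triage(SAMPLE_A11Y, SAMPLE_PKG_LIST, SAMPLE_PKGS):
        print(name)
        for r in reasons:
            print("  -", r)
```

On the sample data only the fake updater is reported, with all four indicators; TalkBack has an enabled Accessibility service but is a system package and so is not flagged, which is the distinction that keeps the check from drowning in false positives on devices that use assistive software.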

Why Rokarolla’s command set matters for future threats
The disclosure of Rokarolla's 137 commands provides a rare glimpse into the full operational toolkit of a modern Android trojan. Analysis of a sample usually recovers only the behaviors it happens to exhibit while under observation; an enumerated command list instead shows everything the operators can ask an infected device to do. That includes commands for data exfiltration, device control, surveillance, and evasion, all of which can be updated or reused in future campaigns.
The modular design suggested by the large command set indicates that Rokarolla may be part of a malware‑as‑a‑service (MaaS) offering. This would allow less technical cybercriminals to rent access to the trojan and customize it for their own targets. The presence of such a platform could lead to a proliferation of similar threats, as affiliates adapt Rokarolla’s techniques to new regions or sectors.
Security researchers and vendors will likely use the command list to improve detection rules and behavioral analysis models. The detailed breakdown can help identify patterns in command usage, C2 communication, and payload delivery that are unique to Rokarolla. As mobile banking and crypto adoption grows, understanding the full capabilities of threats like Rokarolla will be essential for building resilient defenses.
What to watch next: evolving mobile threats and defenses
The emergence of Rokarolla highlights a broader trend of increasingly sophisticated mobile malware that blends financial theft with full device control. As smartphones become the primary device for financial transactions, they will continue to attract cybercriminals seeking high‑value targets. Future trojans may incorporate artificial intelligence to dynamically generate phishing overlays or adapt to user behavior in real time.
Defenders will need to focus on behavioral detection, rather than relying solely on signature‑based scanning. Mobile security apps should monitor for unusual permission requests, overlay attacks, and background activity that deviates from normal usage. Operating system vendors may also need to strengthen protections around Accessibility services and app installation prompts to reduce the risk of trojan infiltration.
For users, the key takeaway is to treat every app installation with caution, even when prompted by seemingly legitimate sources. Avoid downloading apps from third‑party websites or unofficial stores, and always verify the publisher before granting sensitive permissions. Regularly reviewing installed apps, checking for updates, and using security software are the best defenses against trojans like Rokarolla. As this threat evolves, staying informed and adopting a security‑first mindset will be critical.