Researchers have analyzed a new Android banking Trojan called Rokarolla. It can effectively take over a device, steal banking and crypto login details from more than 200 apps, and quietly monitor much of what you do on your phone.
On an infected device, Rokarolla steals banking and crypto login details. It also uses fake lock-screen overlays to capture your PIN, pattern, or password.
When you open one of the banking or crypto apps on Rokarolla’s target list, the malware downloads and displays a matching fake login page over the real app. Anything you type into the fake page, including usernames, passwords, and card numbers, is sent to the attackers.
Separately, Rokarolla abuses Android’s Accessibility features to monitor activity across the device. It can recognize WhatsApp screens by looking for familiar labels such as “Chats” and “Calls,” extract contact information, read SMS messages, and send new ones. These capabilities can help it intercept one-time passwords (OTPs) and two-factor authentication (2FA) codes.
Rokarolla can take control of text messages and phone calls, helping it block security alerts and hide signs of fraud.
It can also record everything you type and see on the screen. If you copy and paste a cryptocurrency wallet address, the malware can secretly replace it with one belonging to the attackers.
Other features help the malware stay hidden, including the ability to hide its icon, silence the device, turn off Google Play Protect, and prevent the screen from going to sleep.
How it spreads
Rokarolla is distributed through rogue websites, where it is offered as fake versions of popular apps like TikTok or Chrome.

Instead of sending you to the official Google Play Store, these malicious sites push you to download the app directly, a process known as sideloading. After you install it, the fake app poses as Google Play Protect and quietly downloads and installs the malware that carries out the attack.
To gain the access it needs, the fake app asks for powerful permissions, including Accessibility access, the permission to read SMS messages, and access to notifications. Because these requests can look legitimate, many users may approve them without realizing the risks.
How to stay safe
To avoid banking Trojans like Rokarolla, there are a few guidelines you should follow:
- Don’t trust apps that claim to be Google Play Protect or another system component. You should never need to install these manually.
- Use up-to-date, real-time anti-malware protection with web protection on your devices.
- Don’t sideload apps that are available on the Google Play Store. While malware can sometimes slip into official stores, the risk is much greater elsewhere.
- Deny powerful permissions to apps downloaded from links or websites, especially if they ask for Accessibility access, SMS permissions, or the ability to handle calls when that doesn’t match their stated purpose.
- In fact, any request for Accessibility access should be treated with caution. If an app that is not clearly an accessibility tool asks for it, deny the request and reconsider whether you trust the source.
- Scrutinize banking and crypto login screens. If something looks off, or you see multiple login prompts, close the app and relaunch it from its official icon.
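For anyone checking a device over adb, the permission combination described under "How it spreads" can be audited directly. The script below is an added example, not code from the researchers or the original article: it flags apps installed from outside Google Play that hold Accessibility, notification, or SMS access. It assumes you have saved the output of `pm list packages -3 -i`, `settings get secure enabled_accessibility_services`, `settings get secure enabled_notification_listeners`, and `dumpsys package <pkg>`; the package names and sample output are constructed.

```python
import re

# Assumption: Google Play is the only trusted installer; extend for a managed fleet.
TRUSTED_INSTALLERS = {"com.android.vending"}
SMS_PERMS = {f"android.permission.{p}" for p in ("READ_SMS", "RECEIVE_SMS", "SEND_SMS")}

def components(setting):
    """Package names from a colon-separated 'pkg/class' secure-settings value."""
    return {c.split("/")[0] for c in setting.strip().split(":") if "/" in c}

def audit(pm_list, a11y, listeners, dumpsys_by_pkg):
    """Map each non-Play package to the sensitive access it currently holds."""
    a11y_pkgs, listener_pkgs = components(a11y), components(listeners)
    findings = {}
    for pkg, installer in re.findall(r"package:(\S+)\s+installer=(\S+)", pm_list):
        if installer in TRUSTED_INSTALLERS:
            continue  # the page's concern is apps installed outside the store
        granted = set(re.findall(r"(android\.permission\.\w+): granted=true",
                                 dumpsys_by_pkg.get(pkg, "")))
        reasons = []
        if pkg in a11y_pkgs:
            reasons.append("accessibility")
        if pkg in listener_pkgs:
            reasons.append("notifications")
        if granted & SMS_PERMS:
            reasons.append("sms")
        if reasons:
            findings[pkg] = reasons
    return findings

# Constructed sample output (hypothetical package names), not taken from a real device.
SAMPLE_PM = (
    "package:com.example.notes  installer=com.android.vending\n"
    "package:com.example.fakeprotect  installer=null\n"
    "package:com.example.game  installer=com.android.chrome\n"
)
SAMPLE_A11Y = "com.example.fakeprotect/.Svc:com.example.notes/.ReaderService"
SAMPLE_LISTENERS = "com.example.fakeprotect/.Listener"
SAMPLE_DUMPSYS = {
    "com.example.fakeprotect": "  android.permission.READ_SMS: granted=true, flags=[ USER_SET ]\n"
                               "  android.permission.CAMERA: granted=false\n",
    "com.example.game": "  android.permission.INTERNET: granted=true\n",
}

if __name__ == "__main__":
    for pkg, why in audit(SAMPLE_PM, SAMPLE_A11Y, SAMPLE_LISTENERS, SAMPLE_DUMPSYS).items():
        print(f"{pkg}: sideloaded with {', '.join(why)} access")
```

A hit is a prompt to review the app, not proof of infection: legitimate sideloaded tools such as screen readers or SMS clients also hold these permissions.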