New Rokarolla Android Malware Steals PINs, SMS Codes, and Crypto Wallet Funds
The Hacker News
Swati Khandelwal, Jun 16, 2026, Mobile Security / Malware
Security researchers at Zimperium's zLabs have documented a new Android banking trojan, Rokarolla, that targets 217 banking and cryptocurrency apps and packs 137 remote commands.
Together, they give an operator near-total control of an infected phone: it lifts lock-screen PINs, reads and sends SMS, rewrites the clipboard to redirect crypto payments, and switches off Google Play Protect.
Rokarolla, named after its command-and-control servers, spreads through malicious websites posing as well-known apps such as TikTok and Chrome.
The first thing a victim installs is a dropper that pretends to be Google Play Protect. It uses that disguise to get the payload installed and grab Accessibility access. Once the malware is running, one of its commands turns Play Protect off.
The theft runs through overlays. Rokarolla pulls a target list from its server, and for each app flagged active, it downloads a fake HTML login page and stores it in a local database. When the victim opens the real banking or wallet app, the malware drops the fake page on top and captures everything typed into it, card details included.
The report shows one such fake page mimicking the banking app 'imagin.' A separate overlay mimics the Android lock screen to capture the PIN, pattern, or password, which lets the operator control the phone even while it is locked.
It reads every SMS on the device and can send messages itself, which is enough to grab the SMS one-time codes banks use to approve logins and transactions. By making itself the phone's default app for texts and calls, it can also block incoming calls, so a warning call from the bank never gets through.
A keylogger and screen logger record what the user types and sees, and the trojan scrapes contacts and reads notifications. The clipboard gets rewritten silently, swapping in attacker wallet addresses so a copied crypto payment lands in the wrong account.
For surveillance, Rokarolla skips the usual MediaProjection screen casting, which throws a visible recording prompt, and instead takes screenshots through Accessibility, compresses them to PNG, and ships them out one frame at a time. That snapshot approach is simpler and quieter than the live hidden VNC seen in families like Klopatra.
The malware carries multiple fallback C2 domains and can be handed new ones on the fly, so pulling a single server does little. Its 137 commands outnumber the 107 Zimperium counted in the HOOK trojan, and the playbook is the same one running through a wave of 2026 Android bankers: fake-app droppers, Accessibility abuse, and HTML overlays.
There is no patch to apply here. This is malware, not a product flaw, so the defenses are the standard ones for Android bankers. Install apps only from Google Play, leave Play Protect on, and treat any unexpected Accessibility request as a red flag, since that one permission drives the whole attack chain.
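A triage check for the two grants the article says carry the attack, the Accessibility service and the default SMS role, written here as an added example that is not from the article or from Zimperium: it compares a device's enabled Accessibility services and its default SMS app against an allowlist. The settings values, the package names and the allowlist are constructed; on a real device, feed in the output of the adb commands named in the comments.

```shell
#!/bin/sh
# Added example (not the article's or Zimperium's code). The sample values
# below are CONSTRUCTED to look like the output of
#   adb shell settings get secure enabled_accessibility_services
#   adb shell settings get secure sms_default_application
# On a live device, pass the real output of those commands instead.

# Accessibility services expected on the device (constructed allowlist; adjust per fleet).
ALLOWED_A11Y="com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService"

# Messaging apps that may legitimately hold the default-SMS role (constructed allowlist).
ALLOWED_SMS="com.google.android.apps.messaging com.samsung.android.messaging"

# Print every enabled Accessibility service that is not on the allowlist.
# Android stores the list colon-separated; "null" or empty means none enabled.
flag_accessibility_services() {
    raw="$1"
    if [ -z "$raw" ] || [ "$raw" = "null" ]; then
        return 0                              # nothing enabled, nothing to flag
    fi
    printf '%s\n' "$raw" | tr ':' '\n' | while IFS= read -r svc; do
        [ -z "$svc" ] && continue
        case " $ALLOWED_A11Y " in
            *" $svc "*) ;;                    # expected service, ignore
            *) printf '%s\n' "$svc" ;;        # unexpected grant: investigate
        esac
    done
}

# Print the default SMS package if it is not a known messaging app.
# A banker that took the role to read one-time codes shows up here.
flag_default_sms_app() {
    pkg="$1"
    case " $ALLOWED_SMS " in
        *" $pkg "*) ;;                        # known messaging app, ignore
        *) printf '%s\n' "$pkg" ;;            # unknown holder of the SMS role
    esac
}

# Constructed sample: TalkBack plus a lookalike "Play Protect" package, the kind of
# disguise the article says the dropper uses, holding both grants.
SAMPLE_A11Y="$ALLOWED_A11Y:com.playprotect.update/com.playprotect.update.ScreenService"
SAMPLE_SMS="com.playprotect.update"

echo "Unexpected Accessibility services:"
flag_accessibility_services "$SAMPLE_A11Y"
echo "Unknown default SMS app:"
flag_default_sms_app "$SAMPLE_SMS"
```

Any package flagged by either check deserves a look at where it came from, since a banker sideloaded from a fake-app site will not appear in the Play Store install history.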
Zimperium says its own products detect the family, and the indicators of compromise are in its GitHub repository.
Zimperium did not tie Rokarolla to a named group. What the build shows is intent: a banker put together to beat the exact protections users are told to rely on, from Play Protect down to the lock screen.