
New Rokarolla Android Malware Steals PINs, SMS Codes, and Crypto Wallet Funds

The Hacker News · Archived Jun 16, 2026



Swati Khandelwal · Jun 16, 2026 · Mobile Security / Malware

Security researchers at Zimperium's zLabs have documented a new Android banking trojan, Rokarolla, that targets 217 banking and cryptocurrency apps and packs 137 remote commands. Together, they give an operator near-total control of an infected phone: it lifts lock-screen PINs, reads and sends SMS, rewrites the clipboard to redirect crypto payments, and switches off Google Play Protect.

Rokarolla, named after its command-and-control servers, spreads through malicious websites posing as well-known apps such as TikTok and Chrome. The first thing a victim installs is a dropper that pretends to be Google Play Protect. It uses that disguise to get the payload installed and grab Accessibility access. Once the malware is running, one of its commands turns Play Protect off.

The theft runs through overlays. Rokarolla pulls a target list from its server, and for each app flagged active, it downloads a fake HTML login page and stores it in a local database. When the victim opens the real banking or wallet app, the malware drops the fake page on top and captures everything typed into it, card details included. The report shows one such fake page mimicking the banking app 'imagin.'

A separate overlay mimics the Android lock screen to capture the PIN, pattern, or password, which lets the operator control the phone even while it is locked.

It reads every SMS on the device and can send messages itself, which is enough to grab the SMS one-time codes banks use to approve logins and transactions. By making itself the phone's default app for texts and calls, it can also block incoming calls, so a warning call from the bank never gets through. A keylogger and screen logger record what the user types and sees, and the trojan scrapes contacts and reads notifications.

The clipboard gets rewritten silently, swapping in attacker wallet addresses so a copied crypto payment lands in the wrong account. For surveillance, Rokarolla skips the usual MediaProjection screen casting, which throws a visible recording prompt, and instead takes screenshots through Accessibility, compresses them to PNG, and ships them out one frame at a time. That snapshot approach is simpler and quieter than the live hidden VNC seen in families like Klopatra.

The malware carries multiple fallback C2 domains and can be handed new ones on the fly, so pulling a single server does little. Its 137 commands outnumber the 107 Zimperium counted in the HOOK trojan, and the playbook is the same one running through a wave of 2026 Android bankers: fake-app droppers, Accessibility abuse, and HTML overlays.

There is no patch to apply here. This is malware, not a product flaw, so the defenses are the standard ones for Android bankers. Install apps only from Google Play, leave Play Protect on, and treat any unexpected Accessibility request as a red flag, since that one permission drives the whole attack chain. Zimperium says its own products detect the family, and the indicators of compromise are in its GitHub repository.

Zimperium did not tie Rokarolla to a named group. What the build shows is intent: a banker put together to beat the exact protections users are told to rely on, from Play Protect down to the lock screen.
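A device-triage check for the defensive advice above, as an added example that is not from the article or from Zimperium: it parses the output of four `adb shell` commands and lists Accessibility services and the default SMS app when they belong to packages that are neither installed by Google Play nor preinstalled. The sample output and the package name `com.example.protect.update` are constructed, and it assumes the device still populates the `sms_default_application` setting.

```python
# Added example: triage over constructed `adb shell` output (package names are made up).
PLAY_STORE = "com.android.vending"

# settings get secure enabled_accessibility_services
ACCESSIBILITY = ("com.google.android.marvin.talkback/.TalkBackService:"
                 "com.example.protect.update/.CoreService")
# settings get secure sms_default_application
SMS_DEFAULT = "com.example.protect.update"
# pm list packages -i   (installer=null means sideloaded or preinstalled)
PACKAGES = """\
package:com.google.android.marvin.talkback  installer=com.android.vending
package:com.android.settings  installer=null
package:com.example.protect.update  installer=null
"""
# pm list packages -s   (system packages, used to excuse preinstalled apps)
SYSTEM = "package:com.android.settings\n"


def parse_packages(text):
    """Map package name -> installer ('' when the listing has no installer field)."""
    out = {}
    for line in text.splitlines():
        parts = line.split()
        if parts and parts[0].startswith("package:"):
            has_field = len(parts) > 1 and "=" in parts[1]
            out[parts[0][len("package:"):]] = parts[1].split("=", 1)[1] if has_field else ""
    return out


def triage(accessibility, sms_default, packages, system):
    """Return (package, role, installer) for sensitive roles held by non-store, non-system apps."""
    installers, preinstalled = parse_packages(packages), set(parse_packages(system))
    # The setting is a colon-separated list of package/class component names.
    roles = [(c.split("/", 1)[0], "accessibility service")
             for c in accessibility.strip().split(":") if c and c != "null"]
    if sms_default.strip() not in ("", "null"):
        roles.append((sms_default.strip(), "default SMS app"))
    findings = []
    for pkg, role in roles:
        source = installers.get(pkg, "unknown")
        if source != PLAY_STORE and pkg not in preinstalled:
            findings.append((pkg, role, source))
    return findings


if __name__ == "__main__":
    for pkg, role, source in triage(ACCESSIBILITY, SMS_DEFAULT, PACKAGES, SYSTEM):
        print(f"REVIEW {pkg}: {role}, installer={source}")
```

A finding is a prompt for review, not a verdict: legitimately sideloaded or enterprise-deployed apps will also appear.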
SHARE     Tweet Share Share SHARE  Android, banking Trojan, cryptocurrency, Google Play Protect, keylogger, Malware, Zimperium ⚡ Top Stories This Week Microsoft Defender RoguePlanet Zero-Day Grants SYSTEM Access on Updated Windows Ivanti, Fortinet, and SAP Release Patches for Multiple Critical Vulnerabilities ThreatsDay Bulletin: Worm Code Leaked, AI Agent Phished, Claude Code Patch + 28 New Stories New GreatXML Exploit Bypasses Windows BitLocker via Recovery Partition XML Files Microsoft Patches Record 206 Flaws, Including Three Zero-Days and Critical RCE Bugs China-Linked Hackers Backdoored Linux Login Software to Hide for Nearly a Decade Cybersecurity Stars Awards 2026: Winners Announced Across 95 Categories Researchers Build Self-Replicating AI Worm That Operates Entirely on Local, Open-Weight Models Critical Splunk Enterprise Flaw Lets Attackers Run Code Without Authentication Over 400 Arch Linux AUR Packages Hijacked to Deploy Infostealer and eBPF Rootkit U.S. Orders Anthropic to Suspend Fable 5 and Mythos 5 Access for Foreign Nationals Anthropic Releases Claude Fable 5, Its Most Powerful AI Yet, With Cyber Safeguards Chrome V8 Zero-Day CVE-2026-11645 Exploited in the Wild - Patch Now Agentjacking Attack Tricks AI Coding Agents Into Running Malicious Code Load More ▼ ⭐ Featured Resources Get the 2026 Guide to Govern and Secure Enterprise AI Agents at Scale Have You Outgrown Your MDR? 7 Warning Signs Every CISO Should Check [Watch Demo] See Which Security Gaps Attackers Could Exploit First AI Can’t Stop Every Attack. Learn How Zero Trust Can Block What’s Unknown
    💬 Team Notes
    Article Info
    Source
    The Hacker News
    Category
    ◇ Industry News & Leadership
    Published
    Jun 16, 2026
    Archived
    Jun 16, 2026
    Full Text
    ✓ Saved locally
    Open Original ↗